CyberScotland Bulletin

Technical Bulletin October 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

Microsoft released its monthly security update on Tuesday 12th October 2021, disclosing 71 vulnerabilities across its suite of products.

This Patch Tuesday, 4 zero-days were mentioned, the first of which Microsoft has detected under active exploitation:

  • CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
  • CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
  • CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability
  • CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability

One of the zero-day vulnerabilities is being actively exploited. CVE-2021-40449, which was originally reported to Microsoft by Boris Larin of Kaspersky, is a previously unknown flaw in the Win32k kernel driver. The remaining zero-days involve a Windows AppContainer Firewall issue which allows attackers to bypass security features, a remote code execution vulnerability in Windows DNS Server, and an elevation of privilege vulnerability in the Windows Kernel.

As reported by zdnet.com, the products affected by these vulnerabilities are Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge Browser.

Apple Urgent Zero-Day Fix

Apple has pushed a security update to iOS 15.0.2 and iPadOS 15.0.2 in response to a remote code execution vulnerability being actively exploited.

With a memory-corruption bug in the IOMobileFrameBuffer kernel extension, used for managing the screen framebuffer, it may be possible for an application to execute arbitrary code with kernel privileges and gain full control of an iOS device. The vulnerability is tracked as CVE-2021-30883.

As reported by threatpost.com, within hours a security researcher was able to pick apart the bug and publish proof-of-concept code alongside an explanation of the vulnerability. The proof-of-concept was confirmed to work on iOS 15 and 14.7.1. The researcher noted the flaw can be used for jailbreaks and local privilege escalation.

Apple users are being urged to apply the necessary updates to their devices as soon as possible.

New Ransomware Threatens to Launch DDoS Attacks as well as Encrypting Data

A new ransomware variant, known as Yanluowang, also makes threats of launching distributed denial of service attacks (DDoS) if ransoms aren’t paid.

Zdnet.com has reported that the ransomware first leaves a note to tell the victim they’ve been infected with ransomware, and a warning to not contact the authorities or a cybersecurity company. The threats seem to go further, with the cybercriminals suggesting that if the victim calls for help, DDoS attacks would be launched against them.

Yanluowang ransomware was discovered by cybersecurity researchers during an investigation of an attempted cyber-attack against a large organisation. The attack was unsuccessful and provided insight into this ransomware variant. It appears to not yet be fully developed, meaning it could become more effective in the future.

Guidance for mitigating ransomware attacks can be found on the NCSC website.

Ransomware Group Targeting Healthcare Networks

A hacker group known as FIN12 have been found to be targeting healthcare organisations across North America, Europe, and the Asia Pacific.

Thehackernews.com reports that hacker group FIN12 have been attributed to a string of RYUK ransomware attacks since October 2018. The group seem to have a focus on healthcare organisations, among others. Unlike many intrusion threat actors, FIN12 have been found to rarely engage in data theft extortion. This is when stolen data is leaked after victims refuse to pay the ransom. Mandiant, a cybersecurity firm, note that this is likely due to FIN12’s desire to strike quickly with minimal negotiation. This factor could explain the group’s interest in healthcare networks.

The hacker group are known to use publicly available tools, like Cobalt Strike Beacon, to carry out their attacks and interact with their victim’s networks.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you of all cyber attacks detected by the feed suppliers against your organisation and is designed to complement your existing […]
