The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
For this month’s Patch Tuesday, Microsoft has rolled out a comprehensive update fixing 103 vulnerabilities, two of which are already being exploited. Of the entire batch, 13 have been tagged as ‘Critical’, while the remaining 90 are categorised as ‘Important’. Notably, this doesn’t include the 18 issues resolved in the Chromium-based Edge browser since the last Patch Tuesday in September.
The two zero-day vulnerabilities you should keep an eye on are:
- CVE-2023-36563: This flaw is an information disclosure vulnerability in Microsoft WordPad that could lead to the exposure of NTLM hashes. It has a CVSS score of 6.5.
- CVE-2023-41763: This is a privilege escalation issue in Skype for Business. It could lead to the exposure of sensitive details such as IP addresses and port numbers, thereby opening doors for threat actors to infiltrate internal networks. It has a CVSS score of 5.3.
To exploit the WordPad vulnerability (CVE-2023-36563), an attacker first needs to be logged into the system and then run a specially crafted application to take control.
The update also tackles multiple vulnerabilities in Microsoft Message Queuing (MSMQ) and the Layer 2 Tunneling Protocol, which could allow remote code execution and denial-of-service (DoS) attacks. Furthermore, a severe privilege escalation vulnerability in Windows IIS Server (CVE-2023-36434) with a CVSS score of 9.8 has been addressed. This could allow an attacker to impersonate another user through a brute-force attack.
Additionally, an update for CVE-2023-44487, known as the HTTP/2 Rapid Reset attack, has been released. This vulnerability has been exploited to carry out high-volume DDoS attacks.
Users are recommended to update their systems with the latest patch as soon as possible. Further details on this month’s security updates are available in Microsoft’s release notes.
Apple Patches Actively Exploited Zero-Day
Recently, Apple released updates to fix a zero-day vulnerability in iOS and iPadOS, which is currently being exploited. Identified as CVE-2023-42824, this kernel-level flaw allows local attackers to escalate their system privileges. Apple claims to have mitigated this issue through enhanced security measures.
As of now, specifics regarding the nature of these attacks or the identities of the hackers responsible remain undisclosed. However, successful exploitation seems to depend on the attacker already having some level of access to the device.
The new security patches, labelled as iOS 17.0.3 and iPadOS 17.0.3, are compatible with the following devices:
- iPhone XS and newer
- iPad Pro 12.9-inch (2nd generation and up), iPad Pro 10.5-inch, iPad Pro 11-inch (1st generation and up), iPad Air (3rd generation and up), iPad (6th generation and up), and iPad mini (5th generation and up).
PEACHPIT: A Huge Ad Fraud Botnet
The PEACHPIT botnet, operating as part of a larger China-based initiative known as BADBOX, has orchestrated a wide-reaching network of Android and iOS devices to carry out ad fraud. This operation doesn’t solely focus on botnets; it also encompasses the sale of unofficial mobile and connected TV devices riddled with a type of Android malware named Triada.
The issue initially came to attention when a security researcher found pre-installed malware on an Android TV streaming box, labelled as T95. Subsequently, Human Security divulged the scope of the device infections and how these compromised items fit into a broader malicious operation.
According to Human Security, BADBOX operates as a global network of consumer products, compromised with firmware backdoors and circulated through standard hardware supply chains. Upon activation, these tampered devices connect to a command-and-control server to receive additional malicious commands. In conjunction with BADBOX, the PEACHPIT botnet partakes in a variety of illicit actions, including ad fraud, provisioning of residential proxy services, creating fake email and messaging accounts, and executing unauthorised remote code installations.
The research suggests that around 200 distinct models of Android devices could be compromised, putting roughly 74,000 Android devices worldwide at risk. The list of compromised hardware includes seven specific Android TV boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) as well as an Android tablet dubbed J5-W. These devices are manufactured in China, and somewhere in their production process a firmware backdoor is covertly installed.
Given these findings, users are advised to be cautious: avoid unofficial devices and remain vigilant about the potential hazards posed by cloned apps.