CyberScotland Bulletin

Technical Bulletin September 2021


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday 14th September 2021, disclosing 66 vulnerabilities across its suite of products.

This Patch Tuesday, the breakdown of vulnerabilities includes 3 “critical” ratings, 1 “moderate”, with the remaining labelled as “important”. Also in this month’s Patch Tuesday, 1 zero-day was mentioned:

CVE-2021-40444 – Microsoft MSHTML Remote Code Execution (RCE) Vulnerability

One notable vulnerability with a “critical” rating is the Open Management Infrastructure (OMI) Remote Code Execution vulnerability, the most severe CVE on the September list.

According to Lansweeper.com, the vulnerability poses a risk to Azure products such as Configuration Management. These products expose an HTTP/S port for interacting with OMI, and this exposure allows malicious actors to perform RCE attacks without authentication by sending specially crafted malicious messages over HTTPS to port 5986.

As reported by zdnet.com, the products affected by these vulnerabilities are Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

A full list of Microsoft’s September 2021 patches, with each CVE’s severity, score, exploitation status and disclosure, can be found here: SANS Internet Storm Centre

Decryptor for REvil/Sodinokibi Ransomware Released

A universal decryptor key has been produced for the REvil/Sodinokibi ransomware which is being distributed freely to those affected by the ransomware.

The group, which operates as a Ransomware-as-a-Service (‘RaaS’ for short), had been active since 2019 before disappearing earlier this year, not long after the Kaseya attack. The reason behind their disappearance is still unconfirmed, though there is much speculation and rumour surrounding it. Interestingly, in recent weeks REvil has seemingly resurfaced by making its presence known online. However, this should be taken with a pinch of salt, as there is currently no confirmation that the resurfaced group contains the same people behind the original REvil.

The decryptor key, produced by Bitdefender, functions as a universal key for REvil ransomware. As reported by threatpost.com, this key can operate as a universal key because of the key hierarchy used by the ransomware group. A hotel is a useful way to explain a key hierarchy: when you check into a hotel, you are given a room key which can unlock your room door and nothing else. The hotel, however, holds a master key that can unlock any room door. The master key produced by Bitdefender works in the same way as the hotel master key.
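The hotel analogy above, worked through in code as an added illustration (this is not Bitdefender’s tool or the ransomware’s real scheme, and the cipher is a deliberately simple HMAC-SHA256 construction so it runs without third-party libraries): each victim gets its own “room key”, a copy of which is wrapped under one master key, so the master key holder can unwrap every room key while a room key opens only its own files.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one key into an encryption key and a MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if `key` is not the sealing key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

def new_victim_key(master_key: bytes) -> tuple:
    """Per-victim 'room key', plus a copy wrapped under the operator's 'master key'."""
    victim_key = os.urandom(32)
    return victim_key, seal(master_key, victim_key)

def recover_with_master(master_key: bytes, wrapped_key: bytes, blob: bytes) -> bytes:
    """What a universal decryptor does: unwrap the victim key, then decrypt the file."""
    return open_(open_(master_key, wrapped_key), blob)

def can_open(key: bytes, blob: bytes) -> bool:
    # True only if `key` is the key the blob was sealed with (the "right room").
    try:
        open_(key, blob)
        return True
    except ValueError:
        return False
```

Because each victim’s room key is wrapped under the same master key, releasing that one key lets every victim recover their own files without the operator’s involvement.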

The publication of the decryptor key has been warmly welcomed, as many organisations affected by the ransomware were left high and dry when REvil shut down. You can find the decryptor here.

Google Chrome Urgent Updates for Two Exploited Zero-Days

Google Chrome users are urged to update to the latest version of Chrome (93.0.4577.82), to mitigate Zero-Day vulnerabilities discovered in September.

According to thehackernews.com, vulnerabilities “CVE-2021-30632” and “CVE-2021-30633” relate to an out-of-bounds write in the V8 JavaScript engine and a use-after-free flaw in the IndexedDB API, respectively. Google confirmed that exploits for both Zero-Day vulnerabilities “exist in the wild” without specifying where they may have been used.

These latest discoveries and patches are the 10th and 11th Chrome Zero-Days that Google has fixed since the start of the year.

As well as these two issues, Google’s September security update for Chrome addressed 11 security issues in total.

Apple Urgent Zero-Day Fix

Apple has pushed a security update to both iOS 14.8 and iPadOS 14.8 in response to the Zero-Click, Zero-Day vulnerability discovered in the previous version.

The vulnerability known as ‘FORCEDENTRY’ is a concern because it can allow a malicious actor to install Pegasus spyware with no initial interaction from the victim. The exploit is carried out by sending the victim a message containing a malicious link which, as mentioned above, requires no interaction from the victim.

‘FORCEDENTRY’, otherwise known as CVE-2021-30860 (CoreGraphics), is feared to have already been exploited in the wild, as stated in Apple’s own advisory: “Apple is aware of a report that this issue may have been actively exploited.”

Arstechnica.com explores this further, explaining that the NSO Group has exploited this vulnerability since as far back as February 2021, using it against activists.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Scottish Business Resilience Centre
