CyberScotland Bulletin

On Tuesday Microsoft released its monthly round of patches, addressing a total of 56 flaws, including the actively exploited critical vulnerability dubbed Follina (CVE-2022-30190).

A zero-day bug in the Windows Support Diagnostic Tool (MSDT), an attacker could exploit the Follina vulnerability to remotely execute code by loading a malicious HTML file through Microsoft Word’s remote template feature. Follina is unique in that it does not require Office macros, and so will run as soon as a malicious Office file is opened rather than requiring the user to enable them. Various threat actors have been observed exploiting Follina to spread malware as far back at 12 April 2022.

Also fixed in this round of patches was CVE-2022-30147, a privilege escalation vulnerability in Windows Installer. This could be leveraged in particular by ransomware operators to encrypt more sensitive data normally only accessible to users with higher privileges.

New research has found a novel way for attackers to hijack online accounts and steal sensitive data, by exploiting flaws in account creation processes.

The research identified a total of 5 related “pre-hijacking” techniques in which an attacker pre-registers an account for their target on a new service, using the target’s username or email address. The attacker implements one of several techniques to ensure they can regain access to the account – even after the real user has reset the password and begun using the service, often adding their personal and financial details. The attacker can then steal this sensitive data, or abuse their access to the account in other ways, for example by making fraudulent purchases.

On 14 June, Firefox rolled out Total Cookie Protection by default to all users.

These protections ensure that when a website you are visiting creates a cookie in your browser, that cookie can only be accessed by the site which created it. This prevents tracking cookies which collect data on your web activities from following you between sites, effectively rendering these tracking cookies obsolete, and greatly improving the privacy of users. The data gathered by third-party tracking cookies are typically sold to advertising agencies and used to generate targeted ads and content.

After 27 years of Internet Explorer being used across the world and coming pre-installed on many Windows machines, it was officially retired* on the 15^th June 2022.

In an article in Security Weekly, it was highlighted that Microsoft’s latest ‘Edge Browser’ was more secure, faster, provided a better browsing experience but was also compatible with legacy websites and applications, a concern that some businesses may have had who had been slower to transition to the newer browser.

• Note: This retirement does not affect in-market Windows 10 LTSC or Server Internet Explorer 11 desktop applications. It also does not affect the MSHTML (Trident) engine. For a full list of what is in scope for this announcement, and for other technical questions, please see these FAQ.

Hacker News have reported that a new Golang-based peer-to-peer botnet has been identified which appears to be targeting Linux server primarily within the education sector.  This was reported earlier in the year across various forums.

Dubbed Panchan by Akamai Security Research, the malware “utilizes its built-in concurrency features to maximize spreadability and execute malware modules” and “harvests SSH keys to perform lateral movement.”

More details on the attack vectors and the original article can be found at here