The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
In the November 2023 Microsoft Patch Tuesday update, 58 vulnerabilities were addressed, including five zero-day issues. Of these, 14 are remote code execution (RCE) bugs, with one deemed critical. The critical issues fixed include an Azure information disclosure bug, a remote code execution problem in Windows Internet Connection Sharing (ICS), and a Hyper-V escape flaw allowing executions with SYSTEM privileges on the host.
This patch also fixed five zero-day vulnerabilities, three of which were actively exploited. The actively exploited vulnerabilities addressed include CVE-2023-36036 in the Windows Cloud Files Mini Filter Driver, CVE-2023-36033 in the Windows DWM Core Library, and CVE-2023-36025, a security feature bypass in Windows SmartScreen. Both CVE-2023-36036 and CVE-2023-36033 allow for elevation of privileges to SYSTEM upon successful exploitation. CVE-2023-36025 enables attackers to bypass Windows Defender SmartScreen checks through a malicious Internet Shortcut.
Additionally, Microsoft has fixed two other publicly disclosed zero-day vulnerabilities: CVE-2023-36413, a Microsoft Office Security Feature Bypass, and CVE-2023-36038, an ASP.NET Core Denial of Service issue. These vulnerabilities, while disclosed, were not actively exploited in attacks.
It is recommended users promptly apply these security updates. Given the severity of the vulnerabilities, especially the actively exploited zero-days, updating to the latest version is essential for maintaining strong security.
Google Calendar ‘RAT’ Exploit
Google Calendar, widely used for scheduling events, has recently emerged as a target. In June 2023, Valerio Alessandroni unveiled a proof-of-concept exploit, dubbed “Google Calendar RAT”, which utilises Google Calendar events to establish a command-and-control (C2) channel.
This exploit involves creating a calendar event with a harmful description. The infected machine periodically checks this description for commands. Upon finding a command, the machine executes it and updates the event description with the results. This cycle enables hackers to stealthily manipulate the infected machine, leveraging the legitimate infrastructure of Google Calendar, which complicates detection efforts.
By November 2023, Google alerted that cybercriminals were circulating the Google Calendar RAT PoC online and actively employing it in attacks. Although Google has issued a fix for this security flaw, heightened vigilance is recommended.
Users must ensure their Google Calendar is current. With the release of a patch addressing this vulnerability, prompt installation is essential for maintaining security.
Malvertisers Using Google Ads
In a recent malvertising (malicious advertising) campaign, cybercriminals have utilised the Google Ads platform to precisely target users searching for specific software, notably Notepad++ and PDF converters. This sophisticated technique involves the placement of counterfeit ads within Google’s search results. These ads are meticulously crafted to mimic legitimate advertisements, making them more deceptive and effective.
Upon clicking these ads, users are redirected to fraudulent websites. These websites are intricately designed as part of the attackers’ strategy, not just to mimic legitimate software providers, but also to conduct a detailed analysis (fingerprinting) of the visitors’ systems. System fingerprinting involves collecting information about the user’s device, such as operating system, browser type and version, IP address, and even checking if the system is a virtual machine. This data helps attackers identify and select the most vulnerable targets for their malware.
Once a user’s system is identified as a viable target, the fraudulent website triggers a download of malicious software, ingeniously disguised as legitimate applications. One such example of the deployed malware is the FakeBat loader. This type of malware is particularly insidious, as it not only infects the user’s device but also paves the way for additional malicious payloads. These can include ransomware, spyware, or remote access trojans, enabling attackers to perform a variety of harmful activities ranging from data theft to system damage.
To mitigate the risk of falling victim to such campaigns, users should exercise caution when clicking on ads, especially those that appear in search results and seem to offer software downloads. Always ensure to download software from official and trusted sources.