CyberScotland Bulletin

Microsoft’s most recent round of its monthly security updates included fixes for a record 141 security vulnerabilities, including another Zero-Day in the Microsoft Support Diagnostics Tool (MSDT). This latest bug, tracked as CVE-2022-34713 with a CVSS of 7.8, could be exploited by a malicious hacker to remotely execute arbitrary code on a user’s system. The attack vector involves the victim opening a malicious office file, probably sent over email.

Microsft also released a security update for Exchange Server, fixing a trio of CVEs (1, 2, 3) found in the 2013, 2016, and 2019 versions of the software. Although no in-the-wild exploitation has been identified, Microsoft recommends immediately updating the affected systems. The tech giant has highlighted that administrators are required to enable Windows Extended Protection on affected servers as part of the fix for this patch. These vulnerabilities affect only the local versions of Exchange Server, with no action required from Exchange Online customers.

Workspace provider Slack has reset the passwords for around 0.5% of its users, after a flaw was discovered which may have disclosed users’ hashed passwords. An unnamed security researcher reported.

Slack explained in a blog that whenever a user created or revoked a workspace invite link, a hashed version of their password was transmitted to other users in their workspace. However, the transmitted hash was not visible to Slack clients, and so to exploit this flaw an attacker would need to be intercepting and reading encrypted network traffic to retrieve the hashed password. Slack reports that due to this they have no reason to believe any plaintext passwords were obtained, and have reset the passwords of approximately 60,000 users as a precaution.

Tech giant Cisco has reported that they fell victim to a sophisticated cyber-attack on 24 May 2022, after attackers compromised the personal Google account of one of their employees.

The employee had stored their Cisco credentials in their browser, which had then automatically synced the credentials to their Google account. When this account was compromised, attackers were able to extract the Cisco credentials and log in as this user. This disclosure demonstrates the importance of separating work and personal accounts to prevent these lateral-movement attacks. Also noteworthy is that Cisco did have Multi-factor authentication enabled for this user, however the attackers were able to phish the user’s MFA code to successfully authenticate. 2.8GB of data alleged obtained from this breach has been leaked online.

Networking equipment manufacturer DrayTek has released a firmware update to fix an unauthenticated remote code execution vulnerability in its routers’ Web UI login page.

If the login page is exposed to the internet, an attacker could exploit this vulnerability to completely take over the router’s operating system and pivot to the rest of the internal network, and as a result, this has the maximum CVSS score of 10. This vulnerability may affect up to 29 different models of DrayTek routers. DrayTek recommends applying the firmware patches as soon as possible.