Windows Privilege Escalation Zero-Day fixed in July’s Patch Tuesday
On 12 July 2022 Microsoft released a patch for a zero-day elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS).
This vulnerability, tracked as CVE-2022-22047, affects all supported versions of Windows and Windows Server and was fixed in July’s Patch Tuesday security updates. Microsoft reports that it was already being exploited in the wild before the patch shipped. Successful exploitation gives the attacker SYSTEM privileges, the account the operating system itself runs under, which sits above even a local Administrator. It is a local privilege escalation only: the attacker must already be able to run code on the victim’s machine (for example via phishing or a separate initial-access flaw) and then uses this bug to move from a standard user to SYSTEM. Patching closes that second step but does nothing about the first, so the update should be applied alongside, not instead of, the usual initial-access controls.
Follina Exploitation Continues in New Phishing Campaign
The Windows remote code execution vulnerability dubbed Follina (CVE-2022-30190, in the Microsoft Support Diagnostic Tool, MSDT) continues to be exploited by threat actors as a malware installation vector.
Patched in June’s Patch Tuesday, it has recently been seen delivering next-stage payloads from the Discord Content Delivery Network (CDN). The chain starts with a malicious Microsoft Office document that references an external HTML file hosted on the same CDN; that HTML invokes the ms-msdt: protocol handler to exploit the flaw, and the resulting code execution fetches the payload from Discord. Because the document itself contains no macro, the attack works even where macros are blocked, which is why the June update (or, on unpatched hosts, Microsoft’s interim workaround of removing the ms-msdt: handler registration) matters.
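As an added example (not code from the original article or from Microsoft), the PowerShell below triages a suspect Office document for the first stage of that chain and checks whether the interim workaround is in place. It relies only on the documented Office Open XML structure (a .docx/.xlsx/.pptx is a ZIP whose part relationships are declared in `_rels/*.rels` files) and the well-known Follina indicators; the file paths are assumptions for illustration.

```powershell
# Added triage script, not from the original article. Assumes Windows PowerShell 5.1
# or later. Paths such as C:\Triage\invoice.docx are illustrative assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalRelationshipTargets {
    param([Parameter(Mandatory)][string]$Path)
    # Office documents are ZIP containers. An OLE object that points at a remote
    # resource shows up in a part's relationship file with TargetMode="External".
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*/_rels/*.rels' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($r in $rels.Relationships.Relationship) {
                if ($r.TargetMode -eq 'External' -and $r.Target -match '^https?://') {
                    [pscustomobject]@{
                        Part   = $entry.FullName
                        Type   = ($r.Type -split '/')[-1]   # e.g. oleObject, hyperlink
                        Target = $r.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
}

function Test-MsdtInvocation {
    param([Parameter(Mandatory)][string]$Path)
    # For an HTML file already pulled from the CDN: the Follina stage invokes the
    # ms-msdt: handler with the PCWDiagnostic troubleshooter.
    $html = Get-Content -Path $Path -Raw
    [pscustomobject]@{
        File          = $Path
        HasMsdtScheme = [bool]($html -match 'ms-msdt:')
        HasPcwDiag    = [bool]($html -match 'PCWDiagnostic')
    }
}

function Test-MsdtHandlerRegistered {
    # $true means ms-msdt: URLs still have a handler; Microsoft's pre-patch workaround
    # was to export and then delete this key. Patched hosts do not need the workaround.
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

# External hyperlinks are common and benign; an external oleObject is the Follina shape.
Get-ExternalRelationshipTargets -Path 'C:\Triage\invoice.docx' |
    Where-Object Type -eq 'oleObject' | Format-Table -AutoSize
Test-MsdtInvocation -Path 'C:\Triage\stage1.html'
Test-MsdtHandlerRegistered
```

On a patched host the handler check is informational only; on an unpatched one, a `$true` result combined with an external `oleObject` relationship in a document that arrived by email is the point at which to pull the host off the network rather than open the file.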
Microsoft rolls back plans to disable Office Macros by Default
Just five months after Microsoft announced plans to disable Office VBA (Visual Basic for Applications) macros by default, the tech giant has temporarily rolled back the change to allow for “additional changes to enhance usability”.
Office macros are a common attack vector for Windows systems which attackers often leverage to deliver malicious payloads. Blocking macros by default in Office files that carry the Mark of the Web (MotW), i.e. files downloaded from the internet or received as email attachments, is an effective method for preventing many common attacks. Under the planned default, such files show a red banner with no enable button and the only way to run the macro is to deliberately unblock the file. Without it, the file shows the yellow “Enable Content” bar, and an attacker can social-engineer a victim into clicking that button when opening the document, which allows any embedded VBA macros to execute. Organisations that already enforce the block through policy are not affected by the rollback, because an explicit policy takes precedence over the application default.
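The rollback only changes the default, so the same protection can be enforced today through the existing Office policy settings. The following PowerShell is an added example (not from the original article or from Microsoft’s tooling) that audits and, if desired, sets the two relevant per-user policy values for the five applications the change covered. It assumes an Office 2016 or later build (registry version key 16.0); at scale the same keys are normally delivered through Group Policy rather than a script.

```powershell
# Added example, not from the original article. Assumes Office with version key 16.0
# (Office 2016/2019/2021/Microsoft 365 Apps). Writes under HKCU\Software\Policies,
# which mirrors the Group Policy ADMX settings for Office Trust Center.
$Apps       = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key   = Join-Path $PolicyRoot "$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App                 = $app
            # 1 = block VBA in files carrying the Mark of the Web, regardless of VBAWarnings
            BlockInternetMacros = ($props.blockcontentexecutionfrominternet -eq 1)
            # 1 enable all; 2 disable with notification (the "Enable Content" bar);
            # 3 disable except digitally signed; 4 disable without notification.
            # $null means the policy is not set and the application default applies.
            VBAWarnings         = $props.VBAWarnings
        }
    }
}

function Set-OfficeMacroPolicy {
    param([ValidateSet(2, 3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # MotW files: red banner, no enable button, so the social-engineering step
        # has nothing for the victim to click.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        # Everything else: require a trusted digital signature instead of a click
        # (default 3); pass 4 to block unsigned and signed alike.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
    }
}

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Office decides "from the internet" by reading the Zone.Identifier alternate
    # data stream; ZoneId 3 = Internet, 4 = Restricted Sites.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [bool]($ads -match '^ZoneId=[34]$')
}

Get-OfficeMacroPolicy | Format-Table -AutoSize   # audit first
# Set-OfficeMacroPolicy                           # then enforce (uncomment to apply)
# Test-MarkOfTheWeb -Path 'C:\Users\Public\Downloads\quote.docm'   # path is an assumption
```

The MotW check is the useful caveat: the block only fires when the stream is present, so files that arrive inside an ISO, VHD or similar container, or through a tool that strips the stream, open without it. Auditing the stream on samples from your own delivery channels tells you whether the policy will actually see them.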
Increase in exploitation of unpatched WordPress page builder flaw
Microsoft details large-scale AiTM phishing campaign that bypasses MFA
Microsoft has released details of a phishing campaign that has targeted more than 10,000 organisations since September 2021, using fake landing pages to bypass the Office 365 authentication process.
These landing pages are “Adversary-in-the-middle” (AiTM) proxies: they sit between the victim and the genuine Office 365 sign-in page and relay each request in both directions, so the victim completes a real login, including the MFA prompt, while the attacker captures both the credentials and the session cookie issued at the end. Replaying that cookie gives the attacker the authenticated session without ever being challenged for MFA, which is why push, SMS and one-time-code factors offer no protection here: the victim has already satisfied them on the attacker’s behalf. The compromised accounts were then used to launch Business Email Compromise (BEC) attacks against other organisations, typically by replying inside existing payment threads and adding inbox rules to hide the replies. Microsoft recommends “phishing-resistant” MFA, such as FIDO2 security keys or certificate-based authentication, whose credentials are bound to the legitimate origin and so cannot be completed through a proxy page, together with Conditional Access policies that require a compliant device and monitoring for sign-in sessions reused from unexpected locations.
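One practical detection for the replay step is to look for a single sign-in session whose cookie is subsequently used from an address other than the one that completed MFA, within a short window. The PowerShell below is an added example (not from the original article or from Microsoft) that runs that heuristic over a handful of constructed records; the field names are modelled on Azure AD interactive sign-in log columns, and the users, IP addresses, session IDs and 60-minute window are invented for illustration.

```powershell
# Added detection example, not from the original article. The records are constructed
# test data shaped like Azure AD sign-in log rows; in practice they would come from the
# sign-in log export, Sentinel, or the Microsoft Graph auditLogs/signIns endpoint.
$SignIns = @(
    [pscustomobject]@{ Time='2022-07-12T08:02:11Z'; User='alice@example.com'; IP='203.0.113.10'; SessionId='S-1'; AuthRequirement='multiFactorAuthentication';  App='OfficeHome' }
    [pscustomobject]@{ Time='2022-07-12T08:06:40Z'; User='alice@example.com'; IP='198.51.100.7'; SessionId='S-1'; AuthRequirement='singleFactorAuthentication'; App='Exchange Online' }
    [pscustomobject]@{ Time='2022-07-12T09:15:03Z'; User='bob@example.com';   IP='203.0.113.10'; SessionId='S-2'; AuthRequirement='multiFactorAuthentication';  App='OfficeHome' }
    [pscustomobject]@{ Time='2022-07-12T13:40:22Z'; User='bob@example.com';   IP='203.0.113.10'; SessionId='S-2'; AuthRequirement='singleFactorAuthentication'; App='Exchange Online' }
)

function Find-SessionReuse {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes = 60        # assumption: replay usually follows the phish quickly
    )
    foreach ($g in $Records | Group-Object -Property SessionId) {
        $sorted = @($g.Group | Sort-Object { [datetimeoffset]$_.Time })
        $ips    = @($sorted.IP | Sort-Object -Unique)
        if ($ips.Count -lt 2) { continue }       # one address for the whole session: normal
        $first = $sorted[0]
        $last  = $sorted[-1]
        $span  = ([datetimeoffset]$last.Time - [datetimeoffset]$first.Time).TotalMinutes
        $mfa   = $sorted | Where-Object AuthRequirement -eq 'multiFactorAuthentication' | Select-Object -First 1
        [pscustomobject]@{
            User         = $first.User
            SessionId    = $g.Name
            MfaSignInIP  = $mfa.IP                       # in an AiTM flow this is the proxy's address
            OtherIPs     = ($ips | Where-Object { $_ -ne $first.IP }) -join ','
            MinutesApart = [math]::Round($span, 1)
            WithinWindow = ($span -le $WindowMinutes)
            Apps         = (@($sorted.App | Sort-Object -Unique) -join ',')
        }
    }
}

# Expected on the constructed data: alice's session S-1 is flagged (two IPs, 4.5 minutes
# apart, MFA then single-factor); bob's S-2 is not, since both sign-ins share one IP.
Find-SessionReuse -Records $SignIns | Format-Table -AutoSize
```

Treat a hit as a lead rather than a verdict: mobile users, VPN concentrators and carrier NAT legitimately move a session between addresses. Enriching the two IPs with ASN and geography, and checking the mailbox audit log for a new inbox rule created in the same window, separates the BEC cases from the commuters.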