CyberScotland Bulletin

Technical Bulletin November 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

Microsoft released its monthly security update on Tuesday the 9th of November 2021, remediating 55 vulnerabilities across its products. Six of the vulnerabilities are rated critical; in particular, Microsoft have reported that they have seen active exploitation of two of the vulnerabilities addressed within this rollup. The remaining vulnerabilities have been rated as important.

CVE-2021-42321 relates to a remote code execution (RCE) vulnerability in Exchange Server. In order to exploit the vulnerability, an attacker needs to be able to authenticate with the service, so this is not as severe as the very commonly exploited ‘ProxyShell’ and ‘ProxyLogon’ vulnerabilities. See the reference provided for identifying whether the vulnerability has been exploited, a check which can be performed after installing the update.

The other vulnerability that has been observed to be exploited in the wild is CVE-2021-42292, a security feature bypass in Microsoft Excel that allows remote code execution on both Windows and macOS. A patch does not appear to be available for macOS at this time.

The update also includes four hotfixes for Active Directory, one of which (KB5008380) has been highlighted to potentially cause issues in June 2022 if inconsistent patching is in effect across Domain Controllers.

See the following list for a breakdown of all vulnerabilities addressed in this security update: Microsoft November 2021 Patch Tuesday (sans.edu)

Ransomware Update

In September, vxunderground reported that the source code of the Babuk ransomware was leaked by one of the developers. As the Babuk source code included decryption keys, Avast released a decryptor for this ransomware in October. Avast has also released decryptors for AtomSilo and LockBit.

In October, the Conti group, known for their “double extortion” ransomware, appeared to have deviated from their current business model in that they were attempting to broker access to victims. Digital Shadows suggest that this may be due to the issues associated with hosting exfiltrated data either on the dark web or on file-sharing sites.

Apple Security Updates

Apple released security updates across their products between the 25th and 27th of October 2021, namely iOS 15.1 (22 vulnerabilities), macOS Big Sur 11.6.1 (24 vulnerabilities) and macOS Monterey 12.0.1 (40 vulnerabilities). Four vulnerabilities were also addressed within the latest Safari security update.

iOS 14.8.1 is also available to users that do not wish to upgrade to iOS 15. The 14.8.1 update fixes 12 vulnerabilities.

The security updates for both Big Sur and Monterey address a vulnerability identified in macOS System Integrity Protection (SIP), dubbed ‘Shrootless’. The mechanism is intended to protect the system by prohibiting changes to protected files and folders, even when attempted by the root user. The flaw could allow an attacker to bypass this protection and install rootkits.

Palo Alto Global Protect VPN Security Update

Palo Alto Networks has issued a security advisory regarding a critical vulnerability identified in older versions of its products.

Organisations running PAN-OS 8.1 firewalls on versions earlier than 8.1.17 are exposed to a remote code execution vulnerability that would allow complete control over the device. It could be exploited by an unauthenticated attacker, provided the GlobalProtect portal and gateways are enabled.

At this point in time, there is no publicly available exploit code, nor has there been any evidence to suggest this has been exploited in the wild. Given the prevalence of exploitation of network device vulnerabilities in 2019, this could change.
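As an added illustration (not from the bulletin or the vendor advisory), the following Python script triages a firewall inventory against the affected range described above: PAN-OS 8.1 releases earlier than 8.1.17, with exposure depending on whether GlobalProtect is enabled. Device names, versions and the inventory itself are constructed sample data.

```python
import re
from dataclasses import dataclass

# Affected range as stated in the advisory summary: PAN-OS 8.1 earlier than 8.1.17.
# Other release trains are treated as out of scope for this check.
AFFECTED_TRAIN = (8, 1)
FIXED_MAINTENANCE = 17

# PAN-OS versions look like "8.1.16" or "8.1.16-h2" (the -hN suffix is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str):
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_version(version: str) -> bool:
    """True when the version is on the 8.1 train and below 8.1.17 (hotfix level ignored)."""
    major, minor, maint, _ = parse_panos_version(version)
    return (major, minor) == AFFECTED_TRAIN and maint < FIXED_MAINTENANCE


@dataclass
class Firewall:
    name: str
    version: str
    globalprotect_enabled: bool  # portal or gateway configured on this device


def triage(inventory):
    """Return (exposed, patch_only): vulnerable devices with and without GlobalProtect."""
    exposed, patch_only = [], []
    for fw in inventory:
        if not is_vulnerable_version(fw.version):
            continue
        (exposed if fw.globalprotect_enabled else patch_only).append(fw.name)
    return exposed, patch_only


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "8.1.16-h2", True),   # vulnerable and exposed
    Firewall("edge-fw-02", "8.1.17", True),      # fixed release
    Firewall("dc-fw-01", "8.1.10", False),       # vulnerable, GlobalProtect off
    Firewall("branch-fw-01", "9.1.11", True),    # different train, out of scope
]

if __name__ == "__main__":
    exposed, patch_only = triage(SAMPLE_INVENTORY)
    print("exposed (vulnerable, GlobalProtect enabled):", exposed)
    print("vulnerable, GlobalProtect disabled (patch anyway):", patch_only)
```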

Other Announcements

Also this month, Microsoft released Sysmon for Linux, an enhanced monitoring and logging tool for collecting system activity useful for SIEM ingestion. Microsoft also announced ‘Microsoft Defender for Business’ for public preview, which offers some of the same enterprise grade features found in its EDR product, but at a price point that may be more accessible for SMBs.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you of all cyber attacks detected by the feed suppliers against your organisation and is designed to complement your existing […]
