CyberScotland Bulletin

Microsoft released its monthly security update Tuesday 12^th October 2021, disclosing 71 vulnerabilities across its suite of products.

This Patch Tuesday, 4 zero-days were mentioned, the first of which Microsoft has detected active exploitation:

• CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
• CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
• CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability
• CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability

One of the zero-day vulnerabilities is being actively exploited. CVE-2021-40449, which was originally reported to Microsoft by Boris Lorin with Kaspersky, uses a previously unknown vulnerability, and impacts the Win32k Kernel driver. The remaining zero-days involve a Windows AppContainer Firewall issue which allows attackers to bypass security features, a remote code execution in Windows DNS Server, and an elevation of privilege vulnerability in the Windows Kernel.

As reported by zdnet.com, the products affected by these vulnerabilities are Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge Browser.

Apple has pushed a security update to iOS 15.0.2 and iPadOS 15.0.2 in response to a remote code execution vulnerability being actively exploited.

With a memory-corruption bug in the IOMobileFrameBuffer Kernel extension, used for managing the screen framebuffer, it may be possible for an application to execute arbitrary code with Kernel privileges and gain full control of an iOS device. This exploit has been tracked as CVE-2021-30883.

As reported by threatpost.com, within hours a security researcher was able to pick apart the bug and publish a proof-of-concept code alongside an explanation of the vulnerability. The proof-of-concept was confirmed to work on iOS 15 and 14.7.1. The researcher noted the flaw can be used for jailbreaks and local privilege escalation.

Apple users are being urged to apply the necessary updates to their devices as soon as possible.

A new ransomware variant, known as Yanluowang, also makes threats of launching distributed denial of service attacks (DDoS) if ransoms aren’t paid.

Zdnet.com has reported that the ransomware first leaves a note to tell the victim they’ve been infected with ransomware, and a warning to not contact the authorities or a cybersecurity company. The threats seem to go further, with the cybercriminals suggesting that if the victim calls for help, DDoS attacks would be launched against them.

Yanluowang ransomware was discovered by cybersecurity researchers during an investigation of an attempted cyber-attack against a large organisation. The attack was unsuccessful and provided insight into this ransomware variant. It appears to not yet be fully developed, meaning it could become more effective in the future.

Guidance for mitigating ransomware attacks can be found on the NCSC website.

A hacker group known as FIN12 have been found to be targeting healthcare organisations across North America, Europe, and the Asia Pacific.

Thehackernews.com reports that hacker group FIN12 have been attributed to a string of RYUK ransomware attacks since October 2018. The group seem to have a focus on healthcare organisations, among others. Unlike many intrusion threat actors, FIN12 have been found to rarely engage in data theft extortion. This is when stolen data is leaked after victims refuse to pay the ransom. Mandiant, a cybersecurity firm, note that this is likely due to FIN12’s desire to strike quickly with minimal negotiation. This factor could explain the group’s interest in healthcare networks.

The hacker group are known to use publicly available tools, like Cobalt Strike Beacon, to carry out their attacks and interact with their victim’s networks.