CyberScotland Bulletin

Microsoft released its monthly security update Tuesday 14th September 2021, disclosing 66 vulnerabilities across its suite of products.

This Patch Tuesday, the breakdown of vulnerabilities includes 3 “critical” ratings, 1 “moderate”, with the remaining labelled as “important”. Also in this month’s Patch Tuesday, 1 zero-day was mentioned:

CVE-2021-40444 – Microsoft MSHTML Remote Code Execution (RCE) Vulnerability

One notable vulnerability with a “critical” rating relates to the Open Management Infrastructure (OMI) Remote Code Execution vulnerability and is the most severe CVE on the September list.

According to Lansweeper.com, the vulnerability poses a risk to Azure products like Configuration Management. The products expose a HTTP/s port for interacting with OMI and this exposure allows malicious actors to perform RCE attacks without authentication by specially crafting malicious messages via HTTPS to port 5986.

As reported by zdnet.com, the products affected by these vulnerabilities are Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

A full list of Microsoft’s September 2021 Patches, their CVE’s severities, scores, exploits, and disclosure can be found here: SANS Internet Storm Centre

A universal decryptor key has been produced for the REvil/Sodinokibi ransomware which is being distributed freely to those affected by the ransomware.

The group which operates as a Ransomware-As-A-Service or ‘RaaS’ for short has been operating since 2019 before disappearing earlier this year, not long after the Kaseya attack. The reason behind their disappearance is still unconfirmed, though many speculations and rumours are floating around their disappearance. Interestingly, in recent weeks, REvil has seemingly resurfaced by making its presence known online. However, this should be taken with a pinch of salt as there is currently no confirmation that the resurfaced group contains the same people behind the original REvil.

The decryptor key, produced by Bitdefender functions as a universal key for REvil ransomware. As reported by threatpost.com, this key can operate as a universal key due to the key hierarchy used by the ransomware group. To explain key hierarchy an example of a hotel can be used; when you check into a hotel, you are given your room key which can only be used to unlock your room door and nothing else. The hotel, however, has a master key that can be used to unlock any room door. The master key produced by Bitdefender works in the same function as the hotel master key.

The publishing of the decryptor keys arrives with a warm welcome as many organisations affected by the ransomware were left high and dry when REvil shut down. You can find the decryptor here.

Google Chrome users are urged to update to the latest version of Chrome (93.0.4577.82), to mitigate Zero-Day vulnerabilities discovered in September.

According to thehackernews.com, vulnerabilities “CVE-2021-30632” and “CVE-2021-30633” relate to an out of bounds write in V8 JavaScript engine, and use after free flaw in Indexed DB API. Google confirmed that both Zero-Day vulnerabilities “exist in the wild” without specifying where exploits could have occurred.

These latest discoveries and patches are the 10th and 11th Chrome Zero-Days that Google has produced since the start of the year.

As well as these two issues, Google’s September security update for Chrome addressed 11 security issues in total.

Apple has pushed a security update to both iOS 14.8 and iPadOS 14.8 in response to the Zero-Click, Zero-Day vulnerability discovered on the previous version.

The vulnerability known as ‘FORCEDENTRY’ is a concern due to the fact it can allow a malicious actor to install Pegasus Spyware with no initial interaction from the victim. This exploit is carried out by sending the victim a message with a malicious link, which as previously mentioned, requires no interaction from the victim.

‘FORCEDENTRY’ otherwise known as CVE-2021-30860 (CoreGraphics), is feared to have already been exploited in the wild, as stated in Apple’s own advisory. The quote for this is as follows “Apple is aware of a report that this issue may have been actively exploited.”

Arstechnica.com delves on this further by explaining the ‘NSO Group’ has exploited this vulnerability as far back as February 2021, being used on activists.