Thursday, October 14, 2021

Threat Source newsletter (Oct. 14, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's still Cybersecurity Awareness Month, and what better way to celebrate by patching and then patching some more? 

This week was Microsoft Patch Tuesday, which only included two critical vulnerabilities, but still requires patching diligence. Here's our full breakdown of this month's security updates for Microsoft products, and some additional details on a code execution vulnerability we discovered in Excel.

If you're looking for other ways to celebrate this month of security awareness, you can also listen to our latest special edition of Talos Takes reflecting on ransomware in 2021. The Cisco newsroom also wrote up a profile on one of our researchers, Vanja Svajcer, if you want to find out what a day in the life of a threat researcher is like. 

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at

Upcoming Talos public engagements

Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general management, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at

Speaker: Brad Garnett
Date: Oct. 22 at 8:30 a.m. ET
Location: Virtual
Description: In this session, Brad Garnett, the general manager of Cisco Talos Incident Response, will discuss practical incident response strategies that every CISO and business leader faces with a hybrid workforce. Brad will share his insights from the front lines in the fight against ransomware and why organizations need to re-evaluate existing incident response plans and share how Talos is fighting the good fight against evolving adversaries.

Cybersecurity week in review

  • The attackers behind the massive SolarWinds supply chain attack stole sensitive U.S. government information. Breaches at federal agencies led to the theft of information on potential sanctions against international threat actors and the country's plans to respond to COVID-19.
  • A new report found that one in 15 organizations is still using a version of the SolarWinds software that could be actively exploited. Other "tempting" assets identified in the report for potential attackers include Microsoft IIS, which 15 percent of the organizations surveyed are running.
  • Windows 11 is now available to the public. And it comes with several new tools users can enable to fend off ransomware attacks.
  • U.S. Federal Agencies have roughly 90 days as of this week to provide the Cybersecurity and Infrastructure Security Agency with access to their endpoint detection solutions. This is part of a new monitoring program to ensure federal agencies meet President Joe Biden's updated cybersecurity standards.
  • Google removed several ads for "stalkerware" apps from its sites that allow users to quietly install spyware onto users' mobile devices. The ads specifically targeted suspicious spouses who may want to monitor their partner's actions. 
  • Apple released an update for iOS and iPad OS that fixed an actively exploited vulnerability. While there are few details available regarding the exact nature of the vulnerability, Apple warned it could allow some apps to "execute arbitrary code with kernel privileges."
  • A well-known ethical hacker in the security community recently unveiled themselves as being part of a massive fake news operation that influenced the outcome of the 2016 presidential election. The previously undercover "Hacker X" detailed how a company recruited him into developing a large operation to spread disinformation on Facebook and other social media platforms.
  • Someone hacked the Facebook page of a destroyer-class Naval warship to stream the video game "Age of Empires." It took the Navy several days to regain control of the page after several other streams were posted.
  • A new study from VirusTotal found that there were 130 different ransomware strains on the threat landscape between 2020 and mid-2021. The GandCrab family was the most popular one deployed by attackers.

Notable recent security issues

Microsoft patches two 9.9-severity vulnerabilities as part of monthly security updates

Microsoft released its monthly security update Tuesday, disclosing 77 vulnerabilities in the company’s various software, hardware and firmware offerings. This month’s release is particularly notable because there are only two critical vulnerabilities included, with the rest being important. This is the fewest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year. CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays. The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461.  
Snort SIDs: 58286 - 58289, 58294, 58295 and 58303 - 58319 

Apache HTTP Server contains zero-day vulnerability exploited in the wild

A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41733) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the document root. It could also result in the exposure of the source of interpreted files like CGI scripts. The exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software. This vulnerability was introduced in a recent version of Apache (2.4.49). Users running older versions of Apache are not currently affected. The fix for CVE-2021-41733 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a result, version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.  
Snort SID: 58276 (Snort 3 SID 300053)

Most prevalent malware files this week

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 9f4303d51b3ceffb74c5cc9c887fc05e 
Typical Filename: 9f4303d51b3ceffb74c5cc9c887fc05e.file 
Claimed Product: N/A 
Detection Name: W32.50604F47E8-95.SBX.TG 

MD5: fe3659119e683e1aa07b2346c1f215af
Typical Filename: SqlBase.exe
Claimed Product:  SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG

MD5: af581caf268f7ad9def31b477f8349a3 
Typical Filename: NNV.exe 
Claimed Product: WindowsApp8 
Detection Name: W32.BEC6578284-95.SBX.TG 

MD5: 84452e3633c40030e72c9375c8a3cacb 
Typical Filename: sqhost.exe 
Claimed Product: sqhost.exe 
Detection Name: W32.Auto:f0a5b257f1.in03.Talos 

Keep up with all things Talos by following us on TwitterSnort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.