Good afternoon, Talos readers.

It's still Cybersecurity Awareness Month, and what better way to celebrate by patching and then patching some more?

This week was Microsoft Patch Tuesday, which only included two critical vulnerabilities, but still requires patching diligence. Here's our full breakdown of this month's security updates for Microsoft products, and some additional details on a code execution vulnerability we discovered in Excel.

If you're looking for other ways to celebrate this month of security awareness, you can also listen to our latest special edition of Talos Takes reflecting on ransomware in 2021. The Cisco newsroom also wrote up a profile on one of our researchers, Vanja Svajcer, if you want to find out what a day in the life of a threat researcher is like.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at

Upcoming Talos public engagements

National Cybersecurity Awareness Month with Cisco Talos Incident Response

Speaker: Brad Garnett

Date: Oct. 18 at 9:30 a.m. ET

Location: Livestream on all Talos social media accounts

Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general management, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at

Resilient Incident Response: Effective strategies for blocking ransomware attacks at SANS Cyber Solutions Fest

Speaker: Brad Garnett

Date: Oct. 22 at 8:30 a.m. ET

Location: Virtual

Description: In this session, Brad Garnett, the general manager of Cisco Talos Incident Response, will discuss practical incident response strategies that every CISO and business leader faces with a hybrid workforce. Brad will share his insights from the front lines in the fight against ransomware and why organizations need to re-evaluate existing incident response plans and share how Talos is fighting the good fight against evolving adversaries.

Cybersecurity week in review

  • The attackers behind the massive SolarWinds supply chain attack stole sensitive U.S. government information. Breaches at federal agencies led to the theft of information on potential sanctions against international threat actors and the country's plans to respond to COVID-19.
  • A new report found that one in 15 organizations is still using a version of the SolarWinds software that could be actively exploited. Other "tempting" assets identified in the report for potential attackers include Microsoft IIS, which 15 percent of the organizations surveyed are running.
  • Windows 11 is now available to the public. And it comes with several new tools users can enable to fend off ransomware attacks.
  • U.S. Federal Agencies have roughly 90 days as of this week to provide the Cybersecurity and Infrastructure Security Agency with access to their endpoint detection solutions. This is part of a new monitoring program to ensure federal agencies meet President Joe Biden's updated cybersecurity standards.
  • Google removed several ads for "stalkerware" apps from its sites that allow users to quietly install spyware onto users' mobile devices. The ads specifically targeted suspicious spouses who may want to monitor their partner's actions.
  • Apple released an update for iOS and iPad OS that fixed an actively exploited vulnerability. While there are few details available regarding the exact nature of the vulnerability, Apple warned it could allow some apps to "execute arbitrary code with kernel privileges."
  • A well-known ethical hacker in the security community recently unveiled themselves as being part of a massive fake news operation that influenced the outcome of the 2016 presidential election. The previously undercover "Hacker X" detailed how a company recruited him into developing a large operation to spread disinformation on Facebook and other social media platforms.
  • Someone hacked the Facebook page of a destroyer-class Naval warship to stream the video game "Age of Empires." It took the Navy several days to regain control of the page after several other streams were posted.
  • A new study from VirusTotal found that there were 130 different ransomware strains on the threat landscape between 2020 and mid-2021. The GandCrab family was the most popular one deployed by attackers.

Notable recent security issues

Microsoft patches two 9.9-severity vulnerabilities as part of monthly security updates

Microsoft released its monthly security update Tuesday, disclosing 77 vulnerabilities in the company’s various software, hardware and firmware offerings. This month’s release is particularly notable because there are only two critical vulnerabilities included, with the rest being important. This is the fewest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year. CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays. The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461.

Snort SIDs: 58286 - 58289, 58294, 58295 and 58303 - 58319

Apache HTTP Server contains zero-day vulnerability exploited in the wild

A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41733) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the document root. It could also result in the exposure of the source of interpreted files like CGI scripts. The exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software. This vulnerability was introduced in a recent version of Apache (2.4.49). Users running older versions of Apache are not currently affected. The fix for CVE-2021-41733 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a result, version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.

Snort SID: 58276 (Snort 3 SID 300053)

Most prevalent malware files this week

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 50604f47e8d7822aa29325e41546138db99c7002d776c510ac3bd620e75c801f

MD5: 9f4303d51b3ceffb74c5cc9c887fc05e

Typical Filename: 9f4303d51b3ceffb74c5cc9c887fc05e.file

Claimed Product: N/A

Detection Name: W32.50604F47E8-95.SBX.TG

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

Typical Filename: SqlBase.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG

SHA 256: bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6

MD5: af581caf268f7ad9def31b477f8349a3

Typical Filename: NNV.exe

Claimed Product: WindowsApp8

Detection Name: W32.BEC6578284-95.SBX.TG

SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

MD5: 84452e3633c40030e72c9375c8a3cacb

Typical Filename: sqhost.exe

Claimed Product: sqhost.exe

Detection Name: W32.Auto:f0a5b257f1.in03.Talos

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.