CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 5-12, 2021
TOP VULNERABILITY THIS WEEK: Patch Tuesday includes two highly critical vulnerabilities

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft discloses 44 vulnerabilities as part of Patch Tuesday, lowest in two years
Description: Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest amount of vulnerabilities Microsoft has patched in a month in more than two years. There are only nine critical vulnerabilities included in this release, and the remainder is “important.” The most serious of the issues is CVE-2021-26424 a remote code executing vulnerability which exists in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.
Reference: https://blog.talosintelligence.com/2021/08/microsoft-patch-tuesday-for-august-2021.html
Snort SIDs: 57997 – 57999, 58003

Title: Multiple vulnerabilities in AT&T Labs’ Xmill utility
Description: Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code. Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric’s EcoStruxure Control Expert. Schneider is working to fix issues directly affecting their products.
Reference: https://blog.talosintelligence.com/2021/08/vuln-spotlight-att.html
Snort SIDs: 57503 - 57508

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Apple said it will begin scanning iCloud accounts for potential photos or videos of child abuse.
https://www.reuters.com/technology/apple-says-photos-icloud-will-be-checked-by-child-abuse-detection-system-2021-08-09/

A disgruntled member of the Conti ransomware network leaked the malware’s manuals and technical guides.
https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/

A vulnerability in Cobalt Strike could allow anyone to disrupt botnets running the popular penetration-testing software.
https://arstechnica.com/gadgets/2021/08/critical-cobalt-strike-bug-leaves-botnet-servers-vulnerable-to-takedown/

Congress continues to advance a massive infrastructure spending bill that would allocate millions toward the U.S.’s cybersecurity, including new investments in the security of the electric grid.
https://www.cnbc.com/2021/08/10/how-the-1-trillion-infrastructure-bill-will-direct-billions-toward-tech-spending.html

Security researchers found that some AI programs can write more convincing phishing emails than humans.
https://www.wired.com/story/ai-phishing-emails/

Australia’s government warned local businesses that a more advanced version of the Lockbit ransomware has been targeting organizations in that country since July.
https://www.bleepingcomputer.com/news/security/australian-govt-warns-of-escalating-lockbit-ransomware-attacks/
https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia

Some call center employees are being pressured into allowing their employers to place surveillance cameras in their homes to monitor their work.
https://www.nbcnews.com/tech/tech-news/big-tech-call-center-workers-face-pressure-accept-home-surveillance-n1276227

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-21538 |
Title: Improper Authentication Vulnerability in Dell iDRAC9
Vendor: Dell
Description: Dell EMC iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the virtual console.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-25320 |
Title: Improper Access Control Vulnerability in Rancher
Vendor: Rancher
Description: An Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.
CVSS v3.0 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-22937
Title: Pulse Connect Secure RCE Patch Vuln.
Vendor: PulseSecure
Description: This is a post-authentication, distant codification execution (i.e., RCE) vulnerability that exists on Pulse Connect Secure virtual backstage web (i.e., VPN) appliances.It is a patch bypass for CVE-2020-8260 which was disclosed in Oct. 2020. CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.
CVSS v3.0 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-36948
Title: Windows Update Medic Service Privilege Escalation Vulnerability
Vendor: Windows |
Description: The vulnerability is in Windows 10 and Server 2019 and newer operating systems with the Update Medic Service. Update Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates. The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary’s toolbox. This vulnerability has been seen exploited in the wild and it is crucial that organizations move quickly to patch and remediate this vulnerability.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: | CVE-2021-34535
Title: Remote Desktop Client Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This vulnerability occurs in the client, not in the server. For exploitation to occur, victims would need to be lured to a server controlled by an attacker or be exposed to a malicious program in a guest virtual machine. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES August 5-12, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 4d59e857c6923b6ead19109dbf591bbe93f3407153c992ad35fc6ed8969a34c3
MD5: 963aa12c1d0427cb154d519f21358ab4
VirusTotal: https://www.virustotal.com/gui/file/4d59e857c6923b6ead19109dbf591bbe93f3407153c992ad35fc6ed8969a34c3/details
Typical Filename: bld.exe
Claimed Product: cleaper.exe
Detection Name: W32.Auto:4d59e857c6.in03.Talos

SHA 256: f682bdbd612c0215192be6c52f08f10c01e7af9a3136c2f67ec3e7ba563f565d
MD5: 0b506c6dde8d07f9eeb82fd01a6f97d4
VirusTotal: https://www.virustotal.com/gui/file/f682bdbd612c0215192be6c52f08f10c01e7af9a3136c2f67ec3e7ba563f565d/details
Typical Filename: ybcbqgo5z.dll
Claimed Product: N/A
Detection Name: Win.Dropper.Ecltys::1201

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
MD5: 0a13d106fa3997a0c911edd5aa0e147a
VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos