Vol. 21, Num. 36
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 9-16, 2021
TOP VULNERABILITY THIS WEEK: Microsoft releases official fix for MSHTML vulnerability as part of Patch Tuesday
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: MSHTML vulnerability exploited in the wild fixed as part of Microsoft security update
Description: Microsoft released its monthly security update Tuesday, disclosing 86 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML. CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, widening the potential for attacks exploiting this vulnerability. The most serious vulnerability is CVE-2021-36965, a remote code execution vulnerability in Windows WLAN. This vulnerability has a severity score of 8.8 out of a possible 10, the same score as CVE-2021-40444. Aside from the aforementioned MSHTML exploit, another critical vulnerability exists in the Windows scripting engine. CVE-2021-26435 could allow an attacker to corrupt memory on the victim machine by tricking the user into opening a specially crafted file or visiting a website containing an attacker-created file designed to exploit this vulnerability.
Reference: https://blog.talosintelligence.com/2021/09/microsoft-patch-tuesday-for-sept-2021.html
Snort SIDs: 58120 – 58135
Snort 3 SID: 300049
ClamAV signature: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0)
Cisco Secure OSQuery: CVE-2021-40444_vulnerability status
Title: Apple patches zero-click vulnerability that opens the door to spyware
Description: Apple released updates for its smartphones, iPads and smartwatches this week, fixing a vulnerability in its devices that could allow attackers to install the Pegasus spyware. The company pushed the patch shortly after researchers discovered that a Saudi Arabian activist’s phone had been infected with the spyware via the zero-click vulnerability. If installed, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails and calls, and send them back to the customers of the NSO Group, the Israeli tech firm that created it. The researchers found that up to 1.65 billion Apple products could have been vulnerable to the Pegasus spyware since March.
Reference: https://www.nytimes.com/2021/09/13/technology/apple-software-update-spyware-nso-group.html
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Securities and Exchange Commission is asking companies that downloaded the SolarWinds software affected by the supply chain attack to turn over documents related to cyber incidents dating back to October 2019.
https://www.reuters.com/technology/exclusive-wide-ranging-solarwinds-probe-sparks-fear-corporate-america-2021-09-10/
A new cyber threat assessment from Australia’s government indicates that attackers are increasingly targeting health care facilities and other critical infrastructure.
https://www.smh.com.au/politics/federal/new-battleground-cyber-attackers-targeting-australia-s-health-system-20210914-p58ri2.html
A report from the Atlantic Council makes recommendations to address undersea cable security risks.
https://www.atlanticcouncil.org/in-depth-research-reports/report/cyber-defense-across-the-ocean-floor-the-geopolitics-of-submarine-cable-security/
The U.S. and EU are in talks to extend an agreement that allows company data transfers across the Atlantic.
https://www.wsj.com/articles/u-s-and-eu-advance-talks-to-preserve-data-transfers-11631302743
The REvil ransomware gang is operating again after a brief hiatus, and has already claimed its next round of victims.
https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/
Some United Nations computer networks were breached earlier this year.
https://www.bloomberg.com/news/articles/2021-09-09/united-nations-computers-breached-by-hackers-earlier-this-year
Some banks and post offices in New Zealand suffered disruptions last week due to a cyberattack.
https://www.reuters.com/world/asia-pacific/new-zealand-banks-post-office-hit-by-outages-apparent-cyber-attack-2021-09-08/
A vulnerability in a popular HP gaming driver could allow an attacker to elevate their privileges to the kernel level, potentially allowing them to disable security controls and software or corrupt the operating system.
https://thehackernews.com/2021/09/hp-omen-gaming-hub-flaw-affects.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-1577
Title: Cisco APIC Arbitrary File Read and Write Vulnerability
Vendor: Cisco
Description: A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
ID: CVE-2021-27850
Title: Remote Code Execution Vulnerability in Apache Tapestry
Vendor: Apache
Description: A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.
Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file AppModule.class, which contains a HMAC secret key, by requesting the URL http://localhost:8080/assets/something/services/AppModule.class. The fix for that bug was a blacklist filter that checks if the URL ends with .class, .properties or .xml.
Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a / at the end of the URL: http://localhost:8080/assets/something/services/AppModule.class/. The slash is stripped after the blacklist check and the file AppModule.class is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).
Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
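The root cause described above is a deny-list check that runs on the raw URL while the file lookup runs on a normalized one. The following is an added example, not Tapestry's code: a minimal model of that check-then-normalize ordering beside a hardened version that validates the same normalized path the resolver uses. The function names and the resolver model are assumptions for illustration.

```python
# Added example (not Apache Tapestry's code): models the ordering bug behind
# CVE-2021-27850 and the hardened form, validating after normalization.
from typing import Callable, Optional
from urllib.parse import urlparse

# Suffixes the CVE-2019-0195 fix refused to serve.
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")


def resolve_path(url: str) -> str:
    """Model of the asset resolver: a trailing slash is dropped before the
    classpath lookup, so '.../AppModule.class/' resolves to AppModule.class."""
    return urlparse(url).path.rstrip("/")


def is_blocked_vulnerable(url: str) -> bool:
    """Deny-list applied to the raw path, before the resolver normalizes it.
    A trailing '/' defeats endswith() even though the same file is served."""
    return urlparse(url).path.endswith(BLOCKED_SUFFIXES)


def is_blocked_fixed(url: str) -> bool:
    """Deny-list applied to exactly the path the resolver will use, so any
    normalization the resolver performs is also seen by the check."""
    return resolve_path(url).endswith(BLOCKED_SUFFIXES)


def served_file(url: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the classpath entry that would be served, or None if refused."""
    if check(url):
        return None
    return resolve_path(url)


if __name__ == "__main__":
    # URLs quoted in the advisory text above.
    base = "http://localhost:8080/assets/something/services/AppModule.class"
    for check in (is_blocked_vulnerable, is_blocked_fixed):
        print(check.__name__, served_file(base, check), served_file(base + "/", check))
```

The general lesson carries beyond this bug: a filter must see the canonical form of its input, or an allow-list of servable suffixes should replace the deny-list entirely.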
ID: CVE-2021-40444
Title: Microsoft MSHTML Remote Code Execution Vulnerability
Vendor: Microsoft
Description: MSHTML is the Internet Explorer web browser’s rendering engine, though many Office documents also use this engine. If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control.
Attackers are using a .DOCX file. Upon opening, the document loads the Internet Explorer engine to render a remote web page from the threat actor. Malware is then downloaded using a specific ActiveX control in the web page. The threat is executed using “a trick called ‘Cpl File Execution’,” referenced in Microsoft’s advisory.
CVSS v3.0 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L)
ID: CVE-2021-36965
Title: Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This vulnerability could allow network-adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured Wi-Fi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity.
CVSS v3.1 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES September 9-16, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP