Vol. 21, Num. 40
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 7-14, 2021
TOP VULNERABILITY THIS WEEK: Microsoft patches two 9.9-severity vulnerabilities as part of monthly security updates
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities
Description: Microsoft released its monthly security update Tuesday, disclosing 77 vulnerabilities in the company’s various software, hardware and firmware offerings. This month’s release is particularly notable because only two of them are rated critical, with the rest rated important; that is the fewest critical vulnerabilities disclosed in a Patch Tuesday in at least a year. CVE-2021-40461 is one of the critical vulnerabilities, a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. It has a severity rating of 9.9 out of a possible 10, among the highest seen in a Patch Tuesday. The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V; it could also lead to remote code execution and carries the same severity score as CVE-2021-40461. The same release also fixes CVE-2021-40449, the Win32k elevation-of-privilege flaw under active exploitation that appears in the exploit list below.
Reference: https://blog.talosintelligence.com/2021/10/microsoft-patch-tuesday-for-oct-2021.html
Snort SIDs: 58286 - 58289, 58294, 58295 and 58303 - 58319
Title: Apache HTTP Server contains zero-day vulnerability exploited in the wild
Description: A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41773) is being actively exploited in the wild. It is a path traversal and file disclosure flaw that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. It can also expose the source of interpreted files such as CGI scripts, and where CGI scripts are enabled for the aliased path the Apache advisory notes that this can lead to remote code execution. Exploitation is of very low complexity and poses a critical threat to everyone running an affected release. The vulnerability was introduced in Apache HTTP Server 2.4.49; users running older versions are not affected. The fix shipped in 2.4.50 was found to be incomplete, leading to a second vulnerability (CVE-2021-42013), so version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.
Reference: https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html
Snort SID: 58276 (Snort 3 SID 300053)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The threat actor behind the high-profile SolarWinds supply chain attack reportedly stole troves of information, including data on U.S. sanctions policy and intelligence investigations.
https://www.reuters.com/world/us/hackers-solarwinds-breach-stole-data-us-sanctions-policy-intelligence-probes-2021-10-07/
A former employee allegedly hacked into the network of a Florida-based flight school and altered aircraft information.
https://www.vice.com/en/article/bvzwv5/woman-allegedly-hacked-flight-school-cleared-planes-with-maintenance-issues-to-fly
Microsoft is urging users to enable the Tamper Protection feature in Windows 11 to protect their systems from ransomware attacks.
https://www.techradar.com/news/microsoft-offers-advice-for-foiling-ransomware-attacks-in-windows-11
Following a recent attack targeting thousands of Gmail users, Google is giving physical USB security keys to 10,000 of those users who are deemed high-risk.
https://www.bbc.com/news/technology-58844502
The Office of Management and Budget has released a memo outlining steps to help federal agencies “accelerate governmentwide adoption of EDR solutions.”
https://www.fedscoop.com/omb-endpoint-detection-memo/
Google removed several ads promoting stalkerware apps from its platform.
https://techcrunch.com/2021/10/11/google-pulls-stalkerware-ads-that-promoted-phone-spying-apps/
Apple released iOS 15.0.2 and iPadOS 15.0.2 to fix a memory corruption vulnerability that “may have been actively exploited.”
https://www.cnet.com/tech/services-and-software/update-your-iphone-apple-releases-security-patch-for-an-active-exploit/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-40449
Title: Win32K Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: This is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. It can be used to leak kernel module addresses from the computer’s memory, and the attackers then use that leak to elevate the privileges of another malicious process. The adversaries deploy a remote access Trojan, MysterySnail, that begins by gathering information about the infected system and sending it to the C&C server. Through MysterySnail the attackers can then issue various commands: create, read or delete a specific file; create or delete a process; list a directory; or open a proxy channel and send data through it. Its other features include listing the connected drives, monitoring the connection of external drives in the background, and more. The Trojan can also launch an interactive cmd.exe shell (by copying the cmd.exe file to a temporary folder under a different name).
This vulnerability is being actively exploited by IronHusky and other Chinese-speaking APT groups. It was patched in the October 2021 Microsoft security update covered above.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-12030
Title: Improper Access Control in Emerson Devices
Vendor: Emerson
Description: There is a flaw in the code used to configure the internal gateway firewall when the gateway’s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-37716
Title: Buffer Overflow Vulnerability in Aruba SD-WAN
Vendor: Aruba Networks
Description: A remote buffer overflow vulnerability was discovered in Aruba SD-WAN Software and Gateways (versions prior to 8.6.0.4-2.2.0.4) and in ArubaOS (versions prior to 8.7.1.2, 8.6.0.8, 8.5.0.12 and 8.3.0.15). Aruba has released patches for Aruba SD-WAN Software and Gateways and for ArubaOS that address this vulnerability.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-33044
Title: Authentication Bypass Vulnerability in Dahua Products
Vendor: Dahua Security
Description: An identity authentication bypass vulnerability exists in the login process of some Dahua products. Attackers can bypass device identity authentication by constructing malicious data packets.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-41773
Title: Apache HTTP Server Path Traversal Vulnerability
Vendor: Apache
Description: This vulnerability affects Apache HTTP Server 2.4.49. It is a path traversal and file disclosure flaw that could allow attackers to read sensitive data and, according to the report, is being actively exploited. The path normalization in 2.4.49 collapses a literal ".." segment but not a URL-encoded one such as ".%2e", so a request of the form "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" is mapped to a file outside the directory configured by an Alias-like directive. (The 2.4.50 fix decoded one layer of encoding, which a double-encoded ".%%32%65" bypassed; that follow-on bug is CVE-2021-42013, fixed in 2.4.51.) According to the advisory, the problem can also reveal the source of interpreted files such as CGI scripts, which may contain sensitive information useful for further attacks, and where CGI is enabled for the aliased path it can lead to remote code execution. The attack only succeeds if the files reached outside the aliased directory are not protected by the usual "Require all denied" access control; the stock httpd.conf applies that directive to the filesystem root, so whether a given server is exposed depends on its local access-control configuration.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
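As an added example for the two Apache entries above (not code from the Talos advisory or the Qualys list), the following Python scanner flags CVE-2021-41773 and CVE-2021-42013 attempts in Apache access logs. It percent-decodes each request path repeatedly before normalising it, so the single-encoded ".%2e" form and the double-encoded ".%%32%65" form are both caught, and the number of decoding rounds needed tells the two CVEs apart. The log lines are constructed for illustration, and the request-line regex assumes the default combined log format.

```python
"""Detect CVE-2021-41773 / CVE-2021-42013 traversal attempts in Apache access logs.

httpd 2.4.49 collapsed a literal ".." segment but not an encoded one such as
".%2e"; the 2.4.50 fix decoded one layer, so a double-encoded ".%%32%65" still
slipped through (CVE-2021-42013). Decoding until the path stops changing, and
only then normalising it, catches both variants.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not from the page).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Oct/2021:10:12:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1824 "-" "curl/7.68.0"
203.0.113.12 - - [07/Oct/2021:10:12:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
203.0.113.13 - - [07/Oct/2021:10:12:14 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1824 "-" "curl/7.68.0"
203.0.113.14 - - [07/Oct/2021:10:12:20 +0000] "GET /images/a..b.png HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds).

    max_rounds bounds the work on hostile input. One round undoes ".%2e",
    two rounds undo ".%%32%65".
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_root(decoded_path):
    """True if resolving the '.' and '..' segments climbs above the URL root.

    Only whole '..' segments count, so a name like 'a..b.png' is not flagged.
    """
    depth = 0
    for seg in decoded_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text):
    """Return one finding per request whose fully decoded path escapes the root."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target").split("?", 1)[0]  # ignore any query string
        decoded, rounds = fully_decode(target)
        if not escapes_root(decoded):
            continue
        if rounds >= 2:
            cve = "CVE-2021-42013"      # double encoding, bypasses the 2.4.50 fix
        elif rounds == 1:
            cve = "CVE-2021-41773"      # single encoding, the original 2.4.49 bug
        else:
            cve = "literal traversal"   # httpd normalises these; still worth a look
        findings.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "target": target,
            "decoded": decoded,
            "cve": cve,
            "status": int(m.group("status")),
            # A POST whose traversal lands on a shell through an aliased CGI
            # directory is the RCE variant described in the Apache advisory.
            "rce_suspect": m.group("method") == "POST"
                           and decoded.endswith(("/bin/sh", "/bin/bash")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " [possible RCE]" if f["rce_suspect"] else ""
        print(f'{f["ip"]} {f["cve"]} {f["method"]} {f["target"]} -> {f["decoded"]}{flag}')
```

Run against a real log, a 200 status on a flagged line means the traversal reached a readable file, so treat that host as compromised rather than merely probed; a 403 shows the "Require all denied" protection did its job.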
MOST PREVALENT MALWARE FILES October 7-14, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 50604f47e8d7822aa29325e41546138db99c7002d776c510ac3bd620e75c801f
MD5: 9f4303d51b3ceffb74c5cc9c887fc05e
VirusTotal: https://www.virustotal.com/gui/file/50604f47e8d7822aa29325e41546138db99c7002d776c510ac3bd620e75c801f/details
Typical Filename: 9f4303d51b3ceffb74c5cc9c887fc05e.file
Claimed Product: N/A
Detection Name: W32.50604F47E8-95.SBX.TG
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG
SHA 256: bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
MD5: af581caf268f7ad9def31b477f8349a3
VirusTotal: https://www.virustotal.com/gui/file/bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6/details
Typical Filename: NNV.exe
Claimed Product: WindowsApp8
Detection Name: W32.BEC6578284-95.SBX.TG
SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
MD5: 84452e3633c40030e72c9375c8a3cacb
VirusTotal: https://www.virustotal.com/gui/file/f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4/details
Typical Filename: sqhost.exe
Claimed Product: sqhost.exe
Detection Name: W32.Auto:f0a5b257f1.in03.Talos