Vol. 21, Num. 46
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 25-December 2, 2021
TOP VULNERABILITY THIS WEEK: Attackers exploiting zero-day vulnerability in Windows Installer
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Windows Installer vulnerability could allow attacker to become admin on system
Description: Security researchers recently discovered a vulnerability in Windows Installer that allows a limited user account to elevate its privileges to administrator. It affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022, and Cisco Talos has already detected malware samples in the wild attempting to exploit it. Microsoft released an update intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri, who discovered this elevation of privilege vulnerability and worked with Microsoft to address it, found that the patch did not fully remediate the issue and published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fix. The code leverages the discretionary access control list (DACL) of the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator.
Reference: https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html
Snort IDs: 58635 and 58636
Title: Emotet re-emerges, begins rebuilding to wrap up 2021
Description: Emotet has been one of the most widely distributed threats of the past several years. It is typically distributed via malicious spam email campaigns and often leads to additional malware infections, since it provides threat actors with an initial foothold in an environment. These email campaigns exhibit the characteristics Talos has described in its earlier Emotet reporting. International police announced a takedown operation to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. As of last week, however, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the volumes seen when Emotet was at full strength, this is likely the beginning of a resurgence that will amplify as more systems become infected and are leveraged for spam distribution.
Reference: https://blog.talosintelligence.com/2021/11/emotet-back-from-the-dead.html
Snort IDs: 48402, 43890, 51971, 55931 and 57901
ClamAV signatures: Xls.Downloader.EmotetExcel112100-9910690-0, Doc.Downloader.EmotetRed112100-9910732-0, Win.Trojan.Emotet11210-9911407-0
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A group of apps on the Google Play store downloaded a combined 300,000 times silently stole users’ banking login credentials and spoofed two-factor authentication interactions.
https://arstechnica.com/information-technology/2021/11/google-play-apps-downloaded-300000-times-stole-bank-credentials/
Apple is suing Israeli tech company NSO Group for allegedly targeting iPhone users with the Pegasus spyware.
https://www.bbc.com/news/business-59393823
Android 12 includes new privacy settings that allow users to have greater control over what types of features apps can access and stop personalized ads.
https://www.wired.com/story/android-12-privacy-settings-updates/
Retail chain IKEA warned employees that the company is actively fighting a supply-chain email phishing attack.
https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/
The ongoing cyberwar between Israel and Iran is starting to spill over to affect everyday citizens.
https://www.nytimes.com/2021/11/27/world/middleeast/iran-israel-cyber-hack.html
Domain registrar GoDaddy is still recovering from a cyber attack that affected 1.2 million users via its Managed WordPress hosting environment.
https://www.csoonline.com/article/3642832/godaddy-wordpress-data-breach-a-timeline.html
Meta has delayed the rollout of end-to-end encryption for Instagram and Facebook Messenger until 2023.
https://www.theverge.com/2021/11/21/22794622/messenger-instagram-end-to-end-encryption-default-2023
U.K. parliament is considering a new bill that would implement new rules for manufacturers of internet-connected devices, including banning universal default passwords and establishing a universal platform for users and researchers to report vulnerabilities.
https://www.itsecurityguru.org/2021/11/26/uk-government-introduces-ptsi-bill-to-better-secure-iot-devices/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-42114
Title: Rowhammer attack variant on modern DRAM devices
Description: Dynamic Random-Access Memory (DRAM) is the semiconductor memory that holds the data and program code a processor is working on, and is used in PCs, workstations and servers. Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a weakness in their internal Target Row Refresh (TRR) mitigation against Rowhammer (this variant is the one found by the "Blacksmith" research). Rowhammer is a hardware fault in DRAM: repeatedly activating the same memory rows causes neighbouring cells to leak charge, which can flip bits in rows that were never addressed and so defeats the isolation between memory cells. The high cell density of current DRAM means this can be triggered by specifically constructed memory access patterns, and this variant shows that such patterns can get past TRR. Prioritisation note: despite the network attack vector in the score below, Rowhammer requires the attacker to already be running code on the target (natively, or for example JavaScript in a browser), and because the flaw is in the hardware there is no software patch; mitigation depends on the DRAM and platform vendors and on limiting untrusted code execution on affected hosts.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-16152
Title: Local File Inclusion (LFI) vulnerability in the Aerohive/Extreme Networks HiveOS administrative web interface (NetConfig)
Description: The Aerohive/Extreme Networks HiveOS administrative web interface (NetConfig) is vulnerable to local file inclusion. The interface runs an old version of PHP that silently truncates over-long file paths, so an attacker can pad a path until the extension the application appends is cut off and then include an arbitrary file. Combined with log poisoning (getting PHP code written into a log file via a logged request, then including that log), this gives code execution as root on a vulnerable access point.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
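The string-truncation pattern behind this LFI, reduced to its essentials as an added example (this is illustrative code written for this issue, not code from the advisory, from Extreme Networks, or from PHP). A web handler builds "<document root>/<page>.php" into a fixed-size path buffer; PHP versions before 5.3 silently truncated paths longer than MAXPATHLEN (4096 bytes on Linux), which is the "old version of PHP" behaviour the entry refers to. The document root, the page names, the 4096-byte buffer and the attacker strings are all assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096           /* models old PHP's fixed MAXPATHLEN */
#define DOC_ROOT "/var/www/pages"  /* assumed document root */

/* Vulnerable pattern: the extension is appended by a bounded formatter, but
 * the truncation it performs is never detected. snprintf() returns the
 * length it WANTED to write; ignoring that value is the bug. */
void build_include_path_unchecked(const char *page, char *out)
{
    snprintf(out, PATH_BUF, "%s/%s.php", DOC_ROOT, page);
}

/* Hardened: a page name must be a single path component, and the assembled
 * path must fit in the buffer. Returns 0 on success, -1 on rejection. */
int build_include_path_checked(const char *page, char *out)
{
    if (page[0] == '\0' || strchr(page, '/') || strchr(page, '\\') || strstr(page, ".."))
        return -1;                                  /* no traversal, no extra components */
    int n = snprintf(out, PATH_BUF, "%s/%s.php", DOC_ROOT, page);
    if (n < 0 || n >= PATH_BUF)
        return -1;                                  /* result would have been truncated */
    return 0;
}

/* 1 if the vulnerable builder left ".php" at the end of its result. */
int unchecked_keeps_suffix(const char *page)
{
    char out[PATH_BUF];
    build_include_path_unchecked(page, out);
    size_t n = strlen(out);
    return n >= 4 && strcmp(out + n - 4, ".php") == 0;
}

/* 1 if the hardened builder accepts the page name. */
int checked_accepts(const char *page)
{
    char out[PATH_BUF];
    return build_include_path_checked(page, out) == 0;
}

/* Constructed attacker input (not from the advisory): traversal to a log file
 * the attacker has already poisoned, then enough "/." filler to push the
 * appended ".php" past the end of PATH_BUF. */
const char *attacker_page(void)
{
    static char buf[PATH_BUF + 128];
    const char *target = "../../../../var/log/messages";
    size_t len = strlen(target);
    memcpy(buf, target, len);
    while (len + 2 < sizeof buf - 1) { buf[len++] = '/'; buf[len++] = '.'; }
    buf[len] = '\0';
    return buf;
}

/* Constructed: an over-long but otherwise clean name, so the length check
 * can be seen firing on its own, independently of the traversal check. */
const char *overlong_page(void)
{
    static char buf[PATH_BUF + 16];
    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("about          -> unchecked keeps .php: %d, checked accepts: %d\n",
           unchecked_keeps_suffix("about"), checked_accepts("about"));
    printf("attacker input -> unchecked keeps .php: %d, checked accepts: %d\n",
           unchecked_keeps_suffix(attacker_page()), checked_accepts(attacker_page()));
    printf("overlong name  -> unchecked keeps .php: %d, checked accepts: %d\n",
           unchecked_keeps_suffix(overlong_page()), checked_accepts(overlong_page()));
    return 0;
}
```

The unchecked builder loses the ".php" suffix for both the traversal payload and the plain over-long name, which is exactly what turns "include a page from our directory" into "include any file the web server can read". The hardened builder rejects on two independent grounds, path components and length, and checking the snprintf return value is the part that is most often forgotten.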
ID: CVE-2021-1975
Title: Heap overflow in Qualcomm chipsets
Description: Qualcomm Snapdragon is a line of system-on-a-chip products manufactured and marketed by Qualcomm Technologies Inc. for mobile devices. A heap overflow is possible due to an improper length check on the domain name while parsing a DNS response; since the response is supplied by whoever answers the device's DNS queries, the input is attacker-controlled. Affected product lines: Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IoT, Snapdragon Industrial IoT, Snapdragon IoT, Snapdragon Voice & Music and Snapdragon Wearables.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-30321
Title: Buffer overflow in Qualcomm Snapdragon
Description: Qualcomm Snapdragon is a line of system-on-a-chip products manufactured and marketed by Qualcomm Technologies Inc. for mobile devices. A buffer overflow is possible due to a missing parameter length check while parsing information elements (IEs) during an MBSSID scan. Because these elements arrive in beacon and probe-response frames, the input is controlled by any station within radio range. Affected product lines: Snapdragon Compute, Snapdragon Connectivity and Snapdragon Consumer Electronics Connectivity.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
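Both Qualcomm entries above, CVE-2021-1975 (DNS response parsing) and CVE-2021-30321 (MBSSID information-element parsing), are the same bug class: a length-prefixed field whose length byte is taken from the packet and trusted. The following is an added example written for this issue, not code from Qualcomm, Qualys or Talos, showing a DNS-name parser in the vulnerable form next to a checked form. The 802.11 IE layout (1-byte ID, 1-byte length, payload) needs the identical checks. The packet bytes, function names and buffer sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_LABEL_MAX 63     /* RFC 1035 label limit */
#define DNS_NAME_MAX  255    /* RFC 1035 name limit */

/* Constructed sample inputs: only the NAME field of a DNS answer. */
const uint8_t good_name[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
const uint8_t bad_name[]  = { 3,'w','w','w', 0x3F,'a','b' };   /* claims 63 bytes, only 2 remain */

/* Vulnerable pattern: the length byte is used as a copy length without ever
 * being compared to the bytes remaining in the packet or the space left in
 * `out`. On bad_name this reads 61 bytes past the packet; a long chain of
 * labels writes past `out`. Only ever call it on trusted input. */
size_t parse_name_unchecked(const uint8_t *pkt, size_t off, char *out)
{
    size_t pos = 0;
    for (;;) {
        uint8_t len = pkt[off++];
        if (len == 0) break;
        if (pos) out[pos++] = '.';
        memcpy(out + pos, pkt + off, len);      /* len is never bounded */
        pos += len;
        off += len;
    }
    out[pos] = '\0';
    return pos;
}

/* Checked version. Returns the name length, or -1 on malformed input. */
long parse_name_checked(const uint8_t *pkt, size_t pkt_len, size_t off,
                        char *out, size_t out_len)
{
    size_t pos = 0;
    if (out_len == 0) return -1;
    for (;;) {
        if (off >= pkt_len) return -1;              /* the length byte itself is missing */
        uint8_t len = pkt[off++];
        if (len == 0) break;
        if (len > DNS_LABEL_MAX) return -1;         /* over the RFC limit; this also rejects
                                                       0xC0 compression pointers, which this
                                                       parser deliberately does not follow */
        if (len > pkt_len - off) return -1;         /* label would run past the packet */
        size_t need = pos + (pos ? 1 : 0) + len;    /* output chars after this label */
        if (need > DNS_NAME_MAX || need >= out_len) return -1;   /* keep room for the NUL */
        if (pos) out[pos++] = '.';
        memcpy(out + pos, pkt + off, len);
        pos += len;
        off += len;
    }
    out[pos] = '\0';
    return (long)pos;
}

/* 1 if the checked parser accepts pkt and produces `expect`. */
int name_parses_to(const uint8_t *pkt, size_t pkt_len, const char *expect)
{
    char buf[DNS_NAME_MAX + 1];
    long n = parse_name_checked(pkt, pkt_len, 0, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* 1 if the checked parser rejects pkt when given `out_len` bytes of output. */
int name_is_rejected(const uint8_t *pkt, size_t pkt_len, size_t out_len)
{
    char buf[DNS_NAME_MAX + 1];
    if (out_len > sizeof buf) out_len = sizeof buf;
    return parse_name_checked(pkt, pkt_len, 0, buf, out_len) < 0;
}

int main(void)
{
    char buf[DNS_NAME_MAX + 1];
    /* On well-formed input both parsers agree, which is why the missing
     * check survives testing with normal traffic. */
    parse_name_unchecked(good_name, 0, buf);
    printf("unchecked: %s\n", buf);
    printf("checked:   %s\n", name_parses_to(good_name, sizeof good_name, "www.example.com")
                              ? "www.example.com" : "(rejected)");
    printf("truncated packet rejected: %d\n", name_is_rejected(bad_name, sizeof bad_name, sizeof buf));
    printf("small output buffer rejected: %d\n", name_is_rejected(good_name, sizeof good_name, 8));
    return 0;
}
```

Three separate bounds matter and the checked parser tests each one: the length byte must exist, the label must fit in what remains of the packet (the read side, which is the DNS and IE case here), and the accumulated name must fit in the destination (the write side). A parser that checks only one of these is still exploitable through the other.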
ID: CVE-2021-41435
Title: Brute-force protection (CAPTCHA) bypass in ASUS ROG, RT, TUF Gaming and ZenWiFi routers
Description: A brute-force protection bypass in the CAPTCHA protection of ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6 and ASUS ZenWiFi AX (XT8) before firmware 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to make an unlimited number of login attempts by sending a specific HTTP request. The fix is the firmware update; until it is applied, the administrative interface should not be reachable from the WAN side.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-41653
Title: Remote code execution via the PING function in the TP-Link TL-WR840N EU v5 router
Description: The PING (diagnostic) function on the TP-Link TL-WR840N EU v5 router, with firmware through TL-WR840N(EU)_V5_171211, passes the IP address input field to the underlying system without adequate validation. A crafted payload in that field results in remote code execution on the router. The issue carries a critical rating.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-42338
Title: Improper authorization vulnerability in 4MOSAn GCB Doctor
Description: A critical vulnerability was discovered in 4MOSAn GCB Doctor (the affected versions are not specified in the advisory). A function in the product does not properly check whether the caller is authorized (classified as CWE-285, Improper Authorization), so an attacker who can reach it with crafted input can escalate privileges. Confidentiality, integrity and availability are all impacted.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-43048
Title: Clickjacking vulnerability in TIBCO PartnerExpress
Description: A critical vulnerability was discovered in TIBCO PartnerExpress versions before 6.2.1, in the Interior Server and Gateway Server components. The affected pages can be framed by an attacker-controlled site (classified as CWE-451, User Interface Misrepresentation of Critical Information), allowing an unauthenticated attacker with network access to perform a clickjacking attack that tricks a logged-in user into carrying out privileged actions. A successful attack requires the victim to interact with the attacker's page. Confidentiality, integrity and availability are all impacted.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-36308
Title: Authentication bypass vulnerability in Dell Networking OS10
Description: Dell Networking OS10, versions prior to the October 2021 release, with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES November 25-December 2, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f
MD5: ee30d6928c9de84049aa055417cc767e
VirusTotal: https://www.virustotal.com/gui/file/0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f/details
Typical Filename: app.exe
Claimed Product: N/A
Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos
SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13
MD5: a6a7eb61172f8d988e47322ebf27bf6d
VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details
Typical Filename: wx.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Wingo::in07.talos
SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689
VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos
SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762
MD5: 6ea750c9d69b7db6532d90ac0960e212
VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos
SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6
MD5: ee62e8f42ed70e717b2571c372e9de9a
VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201