SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft patches PrintNightmare as part of Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 117 vulnerabilities across its suite of products, by far the most in a month this year. Most notably, Microsoft released the update to patch the so-called “PrintNightmare” vulnerability in its print spooler function that could allow an attacker to execute remote code. This vulnerability was first disclosed in April, though security researchers later discovered it could be exploited in a more serious way than initially thought. Microsoft attempted to fix the vulnerability with an out-of-band release earlier this month, though the vulnerability could still be exploited. Besides the print spooler vulnerability, there is one other issue attackers have exploited in the wild, according to Microsoft. CVE-2021-34448 is a memory corruption vulnerability in the Scripting Engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.
References:
- https://blog.talosintelligence.com/2021/07/printnightmare-coverage.html
- https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html
Snort SIDs: 57890, 57891, 57894 - 57897 and 57906 - 57910
Title: Kaseya rolls out patches for vulnerabilities exploited by ransomware attackers
Description: The supply chain attack on Kaseya VSA continues to dominate the security landscape as hundreds of organizations deal with the ramifications, including ransomware attacks. Kaseya released a patch for its remote monitoring software that could be exploited to bypass authentication and execute remote code. REvil, the ransomware group behind the attack, is demanding a $70 million ransom for a universal decryption key. The current patch only applies to on-premise customers. Users who have the software-as-a-service version of VSA are still advised to shut down their affected servers while Kaseya works with users to fix the issues.
References:
- https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html
- https://www.zdnet.com/article/kaseya-issues-patch-for-on-premise-customers-saas-rollout-underway/
Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected
ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0
Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc
Snort SID: 57879