Internet Storm Center Spotlight


Title: Trickbot trojan re-emerges with a new module for spying

Description: After an attempted takedown attempt, security researchers are seeing increased command and control (C2) traffic around the Trickbot malware. The botnet also has a new version of its “vncDll” module, which is used for monitoring and intelligence gathering. This module appears to be actively updated with bug fixes and additional functionality. Currently, it creates a virtual desktop that mirrors the target’s desktop and steals information by monitoring the screen. Trickbot traditionally downloads new payloads to carry out additional attacks, opens the target’s documents and email and uploads data to the C2.


Snort SIDs: 57948 - 57950

Title: Shlayer malware still using fake Flash updates

Description: Even though Adobe has discontinued support for Flash Player, attackers are still capitalizing on it. Operators behind the Shlayer malware send macOS users fake Flash Player update notifications, hoping to trick users into clicking on malicious links. The malware completes its install when the user downloads the malicious file. Shlayer is a well-known malware that’s been targeting MacOS users for at least three years. Once installed, Shlayer deploys adware on the affected machine and eventually fetches additional payloads, usually also adware.


Snort SIDs: 57919, 57920

Internet Storm Center Entries

The NSO Group has been selling the Pegasus spyware to governments around the globe, some of which have used Pegasus to track dissidents, journalists and more.

Security researchers released a new open-source tool called Mobile Verification Toolkit for users to check if their devices are infected with Pegasus.

The U.S. House of Representatives ended a contract with an e-newsletter service because of multiple security incidents.

The Transportation Security Authority released a new round of cybersecurity requirements for US pipeline operators requiring them to implement specific measures to protect against ransomware attacks and other threats to their networks.

Only 2.3 percent of Twitter users have enabled multi-factor authentication for their accounts, a surprisingly low rate for one of the most effective ways to defend against malicious logins.

Google fixed a major bug that bricked some Chrome OS devices. The company said it was only a one-character error in code that caused the issue.

Attackers are demanding a $50 million ransom payment from Saudi Arabia’s national oil company after they stole data from a Saudi Aramco contractor.

State-owned South African port, rail, and pipeline logistics company Transnet has suffered a cyberattack that has significantly disrupted its operations.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-0796

Title: Remote Code Execution Vulnerability in Microsoft SMB

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-1953

Title: Malicious File Upload Vulnerability in Apache Commons

Vendor: Apache

Description: Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-26821

Title: Weak Authentication Vulnerability in SAP Solution Manager

Vendor: SAP

Description: SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)

ID: CVE-2021-35211

Title: Remote Code Execution Vulnerability in SolarWind’s Serv-U

Vendor: Solarwinds

Description: Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-6102

Title: Code Execution Vulnerability in Shader Functionality – AMD Radeon Directx Driver

Vendor: AMD

Description: An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly).

CVSS v3.1 Base Score: 9.9(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736


Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

MD5: 84452e3633c40030e72c9375c8a3cacb


Typical Filename: sqhost.exe

Claimed Product: N/A

Detection Name: W32.Auto:f0a5b257f1.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 302f58da597128551858e8d53229340941457cad6729af0d306ebfa18a683769

MD5: 39e14b83d48ab362c9a5e03f885f5669


Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.302F58DA59-95.SBX.TG