Internet Storm Center Spotlight


Title: Microsoft discloses 44 vulnerabilities as part of Patch Tuesday, lowest in two years

Description: Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest amount of vulnerabilities Microsoft has patched in a month in more than two years. There are only nine critical vulnerabilities included in this release, and the remainder is “important.” The most serious of the issues is CVE-2021-26424 a remote code executing vulnerability which exists in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.


Snort SIDs: 57997 – 57999, 58003

Title: Multiple vulnerabilities in AT&T Labs’ Xmill utility

Description: Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code. Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert. Schneider is working to fix issues directly affecting their products.


Snort SIDs: 57503 - 57508

Internet Storm Center Entries

Apple said it will begin scanning iCloud accounts for potential photos or videos of child abuse.

A disgruntled member of the Conti ransomware network leaked the malware’s manuals and technical guides.

A vulnerability in Cobalt Strike could allow anyone to disrupt botnets running the popular penetration-testing software.

Congress continues to advance a massive infrastructure spending bill that would allocate millions toward the U.S.’s cybersecurity, including new investments in the security of the electric grid.

Security researchers found that some AI programs can write more convincing phishing emails than humans.

Australia’s government warned local businesses that a more advanced version of the Lockbit ransomware has been targeting organizations in that country since July.

Some call center employees are being pressured into allowing their employers to place surveillance cameras in their homes to monitor their work.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-21538

Title: Improper Authentication Vulnerability in Dell iDRAC9

Vendor: Dell

Description: Dell EMC iDRAC9 versions and later, but prior to, contain an improper authentication vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the virtual console.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-25320

Title: Improper Access Control Vulnerability in Rancher

Vendor: Rancher

Description: An Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.

CVSS v3.0 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-22937

Title: Pulse Connect Secure RCE Patch Vuln.

Vendor: PulseSecure

Description: This is a post-authentication, distant codification execution (i.e., RCE) vulnerability that exists on Pulse Connect Secure virtual backstage web (i.e., VPN) appliances.It is a patch bypass for CVE-2020-8260 which was disclosed in Oct. 2020. CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.

CVSS v3.0 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-36948

Title: Windows Update Medic Service Privilege Escalation Vulnerability

Vendor: Windows

Description: The vulnerability is in Windows 10 and Server 2019 and newer operating systems with the Update Medic Service. Update Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates. The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary’s toolbox. This vulnerability has been seen exploited in the wild and it is crucial that organizations move quickly to patch and remediate this vulnerability.

CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34535

Title: Remote Desktop Client Remote Code Execution Vulnerability

Vendor: Microsoft

Description: This vulnerability occurs in the client, not in the server. For exploitation to occur, victims would need to be lured to a server controlled by an attacker or be exposed to a malicious program in a guest virtual machine. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736


Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 4d59e857c6923b6ead19109dbf591bbe93f3407153c992ad35fc6ed8969a34c3

MD5: 963aa12c1d0427cb154d519f21358ab4


Typical Filename: bld.exe

Claimed Product: cleaper.exe

Detection Name: W32.Auto:4d59e857c6.in03.Talos

SHA 256: f682bdbd612c0215192be6c52f08f10c01e7af9a3136c2f67ec3e7ba563f565d

MD5: 0b506c6dde8d07f9eeb82fd01a6f97d4


Typical Filename: ybcbqgo5z.dll

Claimed Product: N/A

Detection Name: Win.Dropper.Ecltys::1201

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a


Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos