Internet Storm Center Spotlight


Title: MSHTML vulnerability exploited in the wild fixed as part of Microsoft security update

Description: Microsoft released its monthly security update Tuesday, disclosing 86 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML. CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the potential for attacks exploiting this vulnerability. The most serious vulnerability is CVE-2021-36965, a remote code execution vulnerability in Windows WLAN. This vulnerability has a severity score of 8.8 out of a possible 10, the same score as CVE-2021-40444. Aside from the aforementioned MSHTML exploit, another critical vulnerability exists in the Windows scripting engine. CVE-2021-26435 could allow an attacker to corrupt memory on the victim machine by tricking the user into opening a specially crafted file or visiting a website containing an attacker-create file designed to exploit this vulnerability.


Snort SIDs: 58120 – 58135

Snort 3 SID: 300049

ClamAV signature: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0)

Cisco Secure OSQuery: CVE-2021-40444_vulnerability status

Title: Apple patches zero-click vulnerability that opens the door to spyware

Description: Apple released updates for its smart phones, iPads and smart watches this week fixing a vulnerability in its devices that could allow attackers to install the Pegasus spyware. The company pushed the patch shortly after researchers discovered a Saudi Arabian activists’ phone was infected with the spyware via the zero-click vulnerability. If installed, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails and calls and send them back to the NSO Group’s — the Israeli tech firm that created the app — customers. The researchers found that up to 1.65 billion Apple products could have been vulnerable to the Pegasus spyware since March.


Internet Storm Center Entries

The U.S. Securities and Exchange Commission is asking companies that downloaded SolarWinds affected by the supply chain attack to turn over documents related to cyber incidents dating back to October 2019.

A new cyber threat assessment from Australia’s government indicates that attackers are increasingly targeting health care facilities and other critical infrastructure.

Report from Atlantic Council makes recommendations to address undersea cable security risks.

The U.S. and EU are in talks to extend an agreement that allows company data transfers across the Atlantic.

The REvil ransomware gang is operating again after a brief hiatus, and has already claimed its next round of victims.

Some United Nations computer networks were breached earlier this year.

Some banks and post offices in New Zealand suffered disruptions last week due to a cyberattack.

A vulnerability in a popular HP gaming driver could allow an attacker to elevate their privileges to the kernel level, potentially allowing them to disable security controls and software or corrupt the operating system.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-1577

Title: Cisco APIC Arbitrary File Read and Write Vulnerability

Vendor: Cisco

Description: A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.

CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

ID: CVE-2021-27850

Title: Remote Code Execution Vulnerability in Apache Tapestry

Vendor: Apache

Description: A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-40444

Title: Microsoft MSHTML Remote Code Execution Vulnerability

Vendor: Microsoft

Description: MSHTML is the Internet Explorer web browser’s rendering engine, though many Office documents also use this engine. If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control.

Attackers are using a .DOCX file. Upon opening it, the document loaded the Internet Explorer engine to render a remote web page from the threat actor. Malware is then downloaded by using a specific ActiveX control in the web page. Executing the threat is done using "a trick called 'Cpl File Execution'," referenced in Microsoft's advisory

CVSS v3.0 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L)

ID: CVE-2021-36965

Title: Windows WLAN AutoConfig Service Remote Code Execution Vulnerability

Vendor: Microsoft

Description: This vulnerability could allow network adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity.

CVSS v3.1 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5


Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f


Typical Filename: VID[1].dat

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855


Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos