Internet Storm Center Spotlight


Title: Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities

Description: Microsoft released its monthly security update Tuesday, disclosing 77 vulnerabilities in the company’s various software, hardware and firmware offerings. This month’s release is particularly notable because only two of the vulnerabilities are rated critical, with the rest rated important. This is the lowest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year. CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays. The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461.


Snort SIDs: 58286 - 58289, 58294, 58295 and 58303 - 58319

Title: Apache HTTP Server contains zero-day vulnerability exploited in the wild

Description: A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41773) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs to files outside of the document root. It could also result in the exposure of the source of interpreted files such as CGI scripts. Exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software. The vulnerability was introduced in a recent version of Apache (2.4.49); users running older versions of Apache are not currently affected. The fix for CVE-2021-41773 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a result, version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.


Snort SID: 58276 (Snort 3 SID 300053)
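The write-up above and the CVE-2021-41773 entry further down both turn on the "require all denied" access control for the filesystem root. The following is an added configuration example, not text from the Internet Storm Center or the Apache project, showing the weak form beside the hardened form as two alternatives (not to be combined in one file). The DocumentRoot path is an assumption; upgrading to 2.4.51 remains the actual fix, and this setting is defense in depth.

```apache
# Added example, not from the ISC post or the Apache project.
# Alternative A (weak): granting access to the filesystem root means a
# request that maps to a path outside DocumentRoot can still be served.
<Directory />
    Require all granted
</Directory>

# Alternative B (hardened; matches the stock httpd.conf default): deny
# everything outside DocumentRoot, then re-grant only what must be served.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Assumed DocumentRoot; adjust to the server's real path.
<Directory "/var/www/html">
    Require all granted
</Directory>
```

After editing, `apachectl configtest` validates the syntax, and a request for a path outside DocumentRoot should return 403 instead of 200 in the access log.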

Internet Storm Center Entries

The threat actor behind the high-profile SolarWinds supply chain attack reportedly stole troves of information.

A former employee allegedly hacked into the network of a Florida-based flight school and altered aircraft information.

Microsoft is urging users to enable the Tamper Protection feature in Windows 11 to protect their systems from ransomware attacks.

Following a recent attack targeting thousands of Gmail users, Google is giving physical USB security keys to 10,000 of those users who are deemed high-risk.

The Office of Management and Budget has released a memo outlining steps to help federal agencies “accelerate governmentwide adoption of EDR solutions.”

Google removed several ads promoting stalkerware apps from its platform.

Apple released iOS 15.0.2 and iPadOS 15.0.2 to fix a memory corruption vulnerability that “may have been actively exploited.”

Recent CVEs

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-40449

Title: Win32K Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: This is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. The vulnerability can lead to leakage of kernel module addresses in the computer’s memory. Cybercriminals then use the leak to elevate the privileges of another malicious process. Adversaries are deploying a Trojan, dubbed MysterySnail, that begins by gathering information about the infected system and sending it to the C&C server. Then, through MysterySnail, the attackers can issue various commands. For example, they can create, read, or delete a specific file; create or delete a process; get a directory list; or open a proxy channel and send data through it. MysterySnail’s other features include the ability to view the list of connected drives, to monitor the connection of external drives in the background, and more. The Trojan can also launch the cmd.exe interactive shell (by copying the cmd.exe file to a temporary folder under a different name).

This vulnerability is being actively exploited by IronHusky and Chinese APT groups.

CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-12030

Title: Improper Access Control in Emerson Devices

Vendor: Emerson

Description: There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.

CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-37716

Title: Buffer Overflow Vulnerability in Aruba SD-WAN

Vendor: Aruba Networks

Description: A remote buffer overflow vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to; Prior to,,, Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33044

Title: Authentication Bypass Vulnerability in Dahua Products

Vendor: Dahua Security

Description: An identity authentication bypass vulnerability was found in the login process of some Dahua products. Attackers can bypass device identity authentication by constructing malicious data packets.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-41773

Title: Apache HTTP Traversal Vulnerability

Vendor: Apache

Description: This vulnerability is in Apache HTTP Server version 2.4.49. It is a path traversal and file disclosure flaw that could allow attackers to gain access to sensitive data and, according to the report, is being actively exploited. It allows attackers to map URLs to files outside of the expected document root using a path traversal attack.

Path traversal attacks entail sending requests to gain access to backend or sensitive server directories that should not be accessible. The attackers bypass the filters by using URL-encoded (percent-encoded) ASCII characters in the request path. According to the advisory, the problem might also reveal the source of interpreted files such as CGI scripts, which could contain sensitive information that attackers could use for future attacks. For the attack to work, the target must be running Apache HTTP Server 2.4.49 and have the “require all denied” access control directive deactivated. However, this is the default setting.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
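Because the advisory says the filter is bypassed with encoded characters, a detector that only looks for a literal `../` in the access log misses the attempts that matter. The following is an added example, not tooling from the Internet Storm Center, Qualys or Apache, that parses Apache combined-format access log lines, percent-decodes the request path repeatedly (two passes, covering single and double encoding, which goes slightly beyond the single-encoding case the write-up describes), and flags any request whose decoded path contains a `..` segment. The log lines are constructed samples; the regex, the two-pass limit and the helper names are assumptions.

```python
"""Flag Apache access-log requests whose percent-encoded path decodes to a
directory traversal, for triage of CVE-2021-41773-style activity.
Added example with constructed sample log lines; not code from the ISC post.
"""
import re
from urllib.parse import unquote

# Apache "combined" log format; only the client IP, request path and status
# are extracted here (assumption: logs use the stock combined format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# One pass handles %2e, a second pass handles %252e (assumption: deeper
# nesting is rare enough that two passes are sufficient for triage).
MAX_DECODE_PASSES = 2


def decode_path(raw: str) -> str:
    """Percent-decode until the string stops changing, bounded by MAX_DECODE_PASSES."""
    path = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path: str) -> bool:
    """True if the decoded path has a '..' segment, i.e. it tries to climb above DocumentRoot.

    Only whole segments count, so names such as '..cache' are not flagged.
    """
    path = decode_path(raw_path).split("?", 1)[0]
    return any(segment == ".." for segment in path.split("/"))


def scan_log(lines):
    """Return (ip, status, raw_path) for every request that looks like a traversal attempt.

    Lines that do not parse as combined-format entries are skipped.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        if is_traversal(match.group("path")):
            hits.append((match.group("ip"), int(match.group("status")),
                         match.group("path")))
    return hits


# Constructed sample entries: one benign encoded path, one single-encoded
# traversal, one double-encoded traversal, one look-alike that must not match,
# and one malformed line that the parser should skip.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2021:10:01:20 +0000] "GET /docs/release%20notes.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Oct/2021:10:01:22 +0000] "GET /images/%2e%2e/%2e%2e/secret.txt HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [06/Oct/2021:10:01:23 +0000] "GET /images/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.9 - - [06/Oct/2021:10:01:25 +0000] "GET /static/..cache/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'not a log line',
]


if __name__ == "__main__":
    for ip, status, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (status {status}): {path}")
```

A 200 status on a flagged request is the line worth escalating: it means the server actually served something for a path that climbed above the document root, whereas a 403 shows the `Require all denied` control doing its job. Pair the scan with the version check from the advisory: hosts on 2.4.49 or 2.4.50 should be upgraded to 2.4.51 regardless of what the log shows.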

Prevalent Malware Files


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 50604f47e8d7822aa29325e41546138db99c7002d776c510ac3bd620e75c801f

MD5: 9f4303d51b3ceffb74c5cc9c887fc05e


Typical Filename: 9f4303d51b3ceffb74c5cc9c887fc05e.file

Claimed Product: N/A

Detection Name: W32.50604F47E8-95.SBX.TG

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af


Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG

SHA 256: bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6

MD5: af581caf268f7ad9def31b477f8349a3


Typical Filename: NNV.exe

Claimed Product: WindowsApp8

Detection Name: W32.BEC6578284-95.SBX.TG

SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

MD5: 84452e3633c40030e72c9375c8a3cacb


Typical Filename: sqhost.exe

Claimed Product: sqhost.exe

Detection Name: W32.Auto:f0a5b257f1.in03.Talos