Volume 21 – Number 44

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft discloses 56 vulnerabilities, including one Excel issue exploited in the wild

Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 49 vulnerabilities fixed today are considered “important.” CVE-2021-42292 is one of those vulnerabilities considered “important” and not critical, though it is the only one included in this security update that Microsoft reports has been actively exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim.

Reference: https://blog.talosintelligence.com/2021/11/microsoft-patch-tuesday-for-nov-2021.html

Snort SIDs: 58519, 58520, 58539 – 58541

Snort 3 SID: 300054

Title: Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

Description: Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware predominantly affecting users in the U.S. with smaller number of infections in U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor of the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor operating since July 2021. Prior to this ransomware, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines. We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

Reference: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

ClamAV signatures: Win.Ransomware.Packer-7473772-1, Win.Trojan.Swrort-5710536-0, Win.Trojan.Powercat-9840812-0, Win.Trojan.Swrort-9902494-0, Win.Exploit.PetitPotam-9902441-0, Win.Trojan.MSILAgent-9904224-0, Win.Malware.Agent-9904986-0, Win.Malware.Agent-9904987-0, Win.Malware.Agent-9904988-0, Win.Malware.Agent-9904989-0, Win.Malware.Agent-9904990-0, Win.Downloader.DarkTortilla-9904993-0, Win.Trojan.DarkTortilla-9904994-0

Internet Storm Center Entries

Congress passed a major infrastructure improvement bill that includes $1 billion in funds to improve the U.S.’s cybersecurity posture and upgrade critical infrastructure.

https://thehill.com/policy/cybersecurity/580649-state-and-local-officials-celebrate-passage-of-infrastructure-bill-with

The Biden administration is also ordering federal agencies to patch hundreds of high-profile cybersecurity vulnerabilities, some dating back to 2017.

https://thehill.com/policy/cybersecurity/579801-federal-agencies-ordered-to-patch-hundreds-of-vulnerabilities

Mobile devices belonging to six Palestinian human rights activists were found to be compromised with the NSO Group’s Pegasus spyware.

https://www.theguardian.com/world/2021/nov/08/palestinian-activists-mobile-phones-hacked-by-nso-says-report

The U.S. charged one Ukrainian and one Russian for their involvement with the REvil ransomware gang. The State Department is also offering up to $10 million in rewards for any information on the threat group’s leaders.

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/

Cybersecurity experts hope the arrests can make a tangible change to the threat landscape after years of threats to ransomware actors.

https://www.wired.com/story/ransomware-revil-arrest-kaseya/

U.S. defense contractor Electronic Warfare Associates disclosed a recent data breach this week, warning that attackers stole files containing sensitive information.

https://www.bleepingcomputer.com/news/security/us-defense-contractor-electronic-warfare-hit-by-data-breach/

Many federal agencies are likely to miss a deadline this week to enable multi-factor authentication to log into their networks.

https://www.cyberscoop.com/mfa-encryption-executive-order/

Security researchers discovered a new initial access broker that may be working with several ransomware groups, including StrongPity and Phobos.

https://blogs.blackberry.com/en/2021/11/zebra2104

Popular stock trading app Robinhood disclosed a data breach affecting 7 million users.

https://finance.yahoo.com/news/why-310-robinhoods-7-million-054515371.html