Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft discloses 56 vulnerabilities, including one Excel issue exploited in the wild

Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 49 vulnerabilities fixed today are considered “important.” CVE-2021-42292 is one of those vulnerabilities considered “important” and not critical, though it is the only one included in this security update that Microsoft reports has been actively exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim.

Reference: https://blog.talosintelligence.com/2021/11/microsoft-patch-tuesday-for-nov-2021.html

Snort SIDs: 58519, 58520, 58539 – 58541

Snort 3 SID: 300054


Title: Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

Description: Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware predominantly affecting users in the U.S. with smaller number of infections in U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor of the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor operating since July 2021. Prior to this ransomware, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines. We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

Reference: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

ClamAV signatures: Win.Ransomware.Packer-7473772-1, Win.Trojan.Swrort-5710536-0, Win.Trojan.Powercat-9840812-0, Win.Trojan.Swrort-9902494-0, Win.Exploit.PetitPotam-9902441-0, Win.Trojan.MSILAgent-9904224-0, Win.Malware.Agent-9904986-0, Win.Malware.Agent-9904987-0, Win.Malware.Agent-9904988-0, Win.Malware.Agent-9904989-0, Win.Malware.Agent-9904990-0, Win.Downloader.DarkTortilla-9904993-0, Win.Trojan.DarkTortilla-9904994-0

Internet Storm Center Entries


Congress passed a major infrastructure improvement bill that includes $1 billion in funds to improve the U.S.’s cybersecurity posture and upgrade critical infrastructure.

https://thehill.com/policy/cybersecurity/580649-state-and-local-officials-celebrate-passage-of-infrastructure-bill-with


The Biden administration is also ordering federal agencies to patch hundreds of high-profile cybersecurity vulnerabilities, some dating back to 2017.

https://thehill.com/policy/cybersecurity/579801-federal-agencies-ordered-to-patch-hundreds-of-vulnerabilities


Mobile devices belonging to six Palestinian human rights activists were found to be compromised with the NSO Group’s Pegasus spyware.

https://www.theguardian.com/world/2021/nov/08/palestinian-activists-mobile-phones-hacked-by-nso-says-report


The U.S. charged one Ukrainian and one Russian for their involvement with the REvil ransomware gang. The State Department is also offering up to $10 million in rewards for any information on the threat group’s leaders.

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/


Cybersecurity experts hope the arrests can make a tangible change to the threat landscape after years of threats to ransomware actors.

https://www.wired.com/story/ransomware-revil-arrest-kaseya/


U.S. defense contractor Electronic Warfare Associates disclosed a recent data breach this week, warning that attackers stole files containing sensitive information.

https://www.bleepingcomputer.com/news/security/us-defense-contractor-electronic-warfare-hit-by-data-breach/


Many federal agencies are likely to miss a deadline this week to enable multi-factor authentication to log into their networks.

https://www.cyberscoop.com/mfa-encryption-executive-order/


Security researchers discovered a new initial access broker that may be working with several ransomware groups, including StrongPity and Phobos.

https://blogs.blackberry.com/en/2021/11/zebra2104


Popular stock trading app Robinhood disclosed a data breach affecting 7 million users.

https://finance.yahoo.com/news/why-310-robinhoods-7-million-054515371.html

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos


SHA 256: 4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b

MD5: fdcdb2db7d4f9cb8b463ea2e8272d175

VirusTotal: https://www.virustotal.com/gui/file/4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b/details

Typical Filename: javarx2.dat

Claimed Product: N/A

Detection Name: Auto.4D47791970.232152.in07.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201