SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses 56 vulnerabilities, including one Excel issue exploited in the wild
Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that is actively being exploited in the wild. November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 49 vulnerabilities fixed today are considered “important.” CVE-2021-42292 is one of the vulnerabilities rated “important” rather than critical, though it is the only one in this security update that Microsoft reports has been actively exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. At a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of such attacks by avoiding a security prompt, consequently reducing the social engineering needed to infect the victim.
Reference: https://blog.talosintelligence.com/2021/11/microsoft-patch-tuesday-for-nov-2021.html
Snort SIDs: 58519, 58520, 58539 – 58541
Snort 3 SID: 300054
Title: Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Description: Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S., with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor behind the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor that has been operating since July 2021. Prior to this ransomware, Tortilla had been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines. We assess with moderate confidence that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of the China Chopper web shell.
Reference: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
ClamAV signatures: Win.Ransomware.Packer-7473772-1, Win.Trojan.Swrort-5710536-0, Win.Trojan.Powercat-9840812-0, Win.Trojan.Swrort-9902494-0, Win.Exploit.PetitPotam-9902441-0, Win.Trojan.MSILAgent-9904224-0, Win.Malware.Agent-9904986-0, Win.Malware.Agent-9904987-0, Win.Malware.Agent-9904988-0, Win.Malware.Agent-9904989-0, Win.Malware.Agent-9904990-0, Win.Downloader.DarkTortilla-9904993-0, Win.Trojan.DarkTortilla-9904994-0