SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Windows Installer vulnerability could allow attacker to become admin on system
Description: Security researchers recently discovered a vulnerability in Windows Installer that could allow a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Cisco Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability. Microsoft released an update that was intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. However, the patch released by Microsoft was not sufficient to remediate the vulnerability, andNaceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft. The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator.
Snort IDs: 58635 and 58636
Title: Emotet re-emerges, begins rebuilding to wrap up 2021
Description: Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit characteristics previously described here. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.
Snort IDs: 48402, 43890, 51971, 55931 and 57901
ClamAV signatures: Xls.Downloader.EmotetExcel112100-9910690-0, Doc.Downloader.EmotetRed112100-9910732-0, Win.Trojan.Emotet11210-9911407-0