Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Windows Installer vulnerability could allow attacker to become admin on system

Description: Security researchers recently discovered a vulnerability in Windows Installer that could allow a limited user account to elevate its privileges to administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Cisco Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability. Microsoft released an update that was intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. However, the patch released by Microsoft was not sufficient to remediate the vulnerability, and Naceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft. The code Naceri released leverages the discretionary access control list (DACL) for the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator. Because the vendor fix is incomplete, defenders should rely on detection and on monitoring for unexpected modification of the Edge Elevation Service binary rather than on patch status alone.

Reference: https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html

Snort IDs: 58635 and 58636


Title: Emotet re-emerges, begins rebuilding to wrap up 2021

Description: Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit the characteristics Talos has described in its earlier Emotet reporting. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.

Reference: https://blog.talosintelligence.com/2021/11/emotet-back-from-the-dead.html

Snort IDs: 48402, 43890, 51971, 55931 and 57901

ClamAV signatures: Xls.Downloader.EmotetExcel112100-9910690-0, Doc.Downloader.EmotetRed112100-9910732-0, Win.Trojan.Emotet11210-9911407-0

Internet Storm Center Entries


A group of apps on the Google Play store downloaded a combined 300,000 times silently stole users' banking login credentials and spoofed two-factor authentication interactions.

https://arstechnica.com/information-technology/2021/11/google-play-apps-downloaded-300000-times-stole-bank-credentials/


Apple is suing Israeli tech company NSO Group for allegedly targeting iPhone users with the Pegasus spyware.

https://www.bbc.com/news/business-59393823


Android 12 includes new privacy settings that allow users to have greater control over what types of features apps can access and stop personalized ads.

https://www.wired.com/story/android-12-privacy-settings-updates/


Retail chain IKEA warned employees that the company is actively fighting a supply-chain email phishing attack.

https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/


The ongoing cyberwar between Israel and Iran is starting to spill over to affect everyday citizens.

https://www.nytimes.com/2021/11/27/world/middleeast/iran-israel-cyber-hack.html


Domain registrar GoDaddy is still recovering from a cyber attack that affected 1.2 million users via its Managed WordPress hosting environment.

https://www.csoonline.com/article/3642832/godaddy-wordpress-data-breach-a-timeline.html


Meta has delayed the rollout of end-to-end encryption for Instagram and Facebook Messenger until 2023.

https://www.theverge.com/2021/11/21/22794622/messenger-instagram-end-to-end-encryption-default-2023


U.K. parliament is considering a new bill that would implement new rules for manufacturers of internet-connected devices, including banning universal default passwords and establishing a universal platform for users and researchers to report vulnerabilities.

https://www.itsecurityguru.org/2021/11/26/uk-government-introduces-ptsi-bill-to-better-secure-iot-devices/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-42114

Title: Rowhammer attack variant on modern DRAM devices

Description: Dynamic Random-Access Memory (DRAM) is the semiconductor memory that holds the data and program code a processor is actively working on, and is used in personal computers (PCs), workstations, and servers. Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. Rowhammer exploits an unintended and undesirable electrical side effect in which densely packed memory cells leak charge into one another, potentially changing the contents of nearby memory rows that were never addressed by the original memory access. Because of the high cell density of current DRAM, this breakdown of cell isolation can be triggered by specifically constructed access patterns that repeatedly activate the same memory rows; TRR is meant to refresh the threatened rows in time, and this vulnerability shows that the mitigation can be circumvented by suitable patterns.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-16152

Title: Local File Inclusion (LFI) vulnerability in the Aerohive/Extreme Networks HiveOS administrative web interface (NetConfig)

Description: The Aerohive/Extreme Networks HiveOS administrative web interface (NetConfig) is vulnerable to LFI. The old version of PHP used in the interface makes it vulnerable to string truncation attacks. An attacker can use this in conjunction with log poisoning to gain root rights on a vulnerable access point.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-1975

Title: Heap overflow in the Qualcomm chipsets

Description: Qualcomm Snapdragon is a line of system-on-a-chip semiconductor products manufactured and marketed by Qualcomm Technologies Inc. for mobile smartphones. A heap overflow is possible due to an improper length check on the domain name while parsing a DNS response. This vulnerability affects Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IoT, Snapdragon Industrial IoT, Snapdragon IoT, Snapdragon Voice & Music, and Snapdragon Wearables.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
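The root cause named in this advisory, a length octet in a DNS response that is trusted while copying a domain name, is the classic wire-format label-parsing bug. The following is an added example and is not Qualcomm's code: it places the unchecked copy loop beside a hardened parser that bounds every read against the packet, every write against the output buffer, and forces compression pointers to land strictly before anything already visited so a pointer loop cannot hang the parser. The sample packets are constructed for the example, and all function and constant names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_LABEL_MAX 63   /* RFC 1035: a label is at most 63 octets */

/* The unchecked pattern the advisory describes: the label length octet is
 * used as-is, so a crafted response drives memcpy past the end of `out`
 * (a heap overflow when `out` is heap-allocated) or past the end of the
 * packet. Shown for contrast; only ever run it on trusted input. */
void dns_parse_name_unchecked(const uint8_t *pkt, size_t off, char *out)
{
    size_t w = 0;
    for (;;) {
        uint8_t len = pkt[off++];
        if (len == 0) break;
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + off, len);   /* len bounded by nothing */
        w += len;
        off += len;
    }
    out[w] = '\0';
}

/* Hardened parser. Returns the number of packet bytes the name occupies at
 * `off` (so the caller can continue parsing after it), or -1 on any
 * malformed input. `limit` tracks the lowest offset visited so far; every
 * compression pointer must land before it, which guarantees termination. */
int dns_parse_name(const uint8_t *pkt, size_t pktlen, size_t off,
                   char *out, size_t outsz)
{
    size_t w = 0, pos = off, consumed = 0, limit = off;
    int jumped = 0;

    if (outsz == 0) return -1;
    for (;;) {
        if (pos >= pktlen) return -1;                 /* length octet past the end */
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (pos + 1 >= pktlen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= limit) return -1;           /* must point strictly backwards */
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            limit = pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                    /* reserved 0x40 / 0x80 prefixes */
        if (len == 0) {                               /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            break;
        }
        if (len > DNS_LABEL_MAX) return -1;
        if (len > pktlen - pos - 1) return -1;        /* label body runs past the packet */
        size_t need = w + (w ? 1 : 0) + len + 1;      /* text + '.' + label + NUL */
        if (need > outsz) return -1;                  /* would overflow the output buffer */
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + pos + 1, len);
        w += len;
        pos += 1 + len;
    }
    out[w] = '\0';
    return (int)consumed;
}

/* Constructed sample name data (not captured traffic). */
static const uint8_t GOOD[]  = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t COMP[]  = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offsets 0..12 */
                                 4,'m','a','i','l', 0xC0, 0x00 };                   /* offset 13: "mail" + pointer to 0 */
static const uint8_t TRUNC[] = { 60,'b','a','d' };   /* claims 60 label bytes, 3 present */
static const uint8_t LOOP[]  = { 0xC0, 0x00 };       /* pointer to itself */

static char last_name[64];

/* Demo wrapper: parse into a buffer of `outsz` bytes (capped at 64) and keep
 * the decoded name in last_name for inspection. */
int try_parse(const uint8_t *pkt, size_t pktlen, size_t off, size_t outsz)
{
    char buf[64];
    if (outsz > sizeof buf) outsz = sizeof buf;
    int r = dns_parse_name(pkt, pktlen, off, buf, outsz);
    strcpy(last_name, r >= 0 ? buf : "");
    return r;
}

int main(void)
{
    char big[256];
    dns_parse_name_unchecked(GOOD, 0, big);             /* benign input only */
    printf("unchecked: %s\n", big);
    int r = try_parse(GOOD, sizeof GOOD, 0, 64);
    printf("good : %d %s\n", r, last_name);
    r = try_parse(COMP, sizeof COMP, 13, 64);
    printf("comp : %d %s\n", r, last_name);
    printf("trunc: %d\n", try_parse(TRUNC, sizeof TRUNC, 0, 64));
    printf("loop : %d\n", try_parse(LOOP, sizeof LOOP, 0, 64));
    printf("small: %d\n", try_parse(GOOD, sizeof GOOD, 0, 8));
    return 0;
}
```

The truncated packet and the too-small output buffer are the two inputs on which the unchecked loop would read or write out of bounds; the hardened parser rejects both before touching memory, and the self-referencing pointer is rejected by the backwards-only rule rather than by a hop counter.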


ID: CVE-2021-30321

Title: Buffer overflow in the Qualcomm Snapdragon

Description: Qualcomm Snapdragon is a line of system-on-a-chip semiconductor products manufactured and marketed by Qualcomm Technologies Inc. for mobile smartphones. A buffer overflow is possible due to a missing parameter length check while parsing information elements (IEs) during an MBSSID (Multiple BSSID) scan. This vulnerability affects Snapdragon Compute, Snapdragon Connectivity, and Snapdragon Consumer Electronics Connectivity.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
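802.11 information elements are TLVs whose Length octet arrives over the air, and the Multiple BSSID element nests a second layer of TLV sub-elements inside its body, so the length check has to be repeated at each level. The following is an added example and is not Qualcomm's code: an unchecked SSID copy loop beside a hardened walker and lookup, plus an MBSSID helper that validates the nested sub-elements. The IE blobs are constructed for the example and all function and constant names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 IEs: Element ID, Length, then Length bytes of body. */
#define IE_SSID            0
#define IE_DS_PARAMS       3
#define IE_MULTIPLE_BSSID  71   /* body = MaxBSSID Indicator octet + TLV sub-elements */
#define SSID_MAX           32

/* The unchecked walk the advisory describes: Length is trusted, so an IE that
 * claims more bytes than remain reads past the frame, and an SSID longer than
 * 32 overruns the destination. Shown for contrast; benign input only. */
int ie_copy_ssid_unchecked(const uint8_t *ies, size_t len, char *ssid)
{
    size_t off = 0;
    while (off < len) {
        uint8_t id = ies[off], l = ies[off + 1];
        if (id == IE_SSID) {
            memcpy(ssid, ies + off + 2, l);   /* l bounded by nothing */
            ssid[l] = '\0';
            return 1;
        }
        off += 2 + l;
    }
    return 0;
}

/* Hardened walk: header and declared length are checked against the bytes
 * remaining before anything is read. Returns the number of well-formed
 * elements, or -1 if any element overruns the buffer. */
int ie_validate(const uint8_t *ies, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 2) return -1;         /* header past the end */
        size_t l = ies[off + 1];
        if (l > len - off - 2) return -1;     /* body past the end */
        off += 2 + l;
        n++;
    }
    return n;
}

/* Hardened lookup: first element with ID `want`, bounds-checked on the way,
 * and capped at the element's own maximum body size. Returns the body length
 * and sets *body, or -1 if absent, oversized, or the frame is malformed
 * before the element is reached. */
int ie_find(const uint8_t *ies, size_t len, uint8_t want, size_t max_len,
            const uint8_t **body)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;
        uint8_t id = ies[off];
        size_t l = ies[off + 1];
        if (l > len - off - 2) return -1;
        if (id == want) {
            if (l > max_len) return -1;
            *body = ies + off + 2;
            return (int)l;
        }
        off += 2 + l;
    }
    return -1;
}

/* Body length of the first element with ID `want`, or -1 (ie_find rules). */
int ie_length_of(const uint8_t *ies, size_t len, uint8_t want, size_t max_len)
{
    const uint8_t *body;
    return ie_find(ies, len, want, max_len, &body);
}

/* MBSSID case: validate the sub-elements nested after the indicator octet.
 * Returns the sub-element count, or -1 if malformed at either level. */
int mbssid_subelement_count(const uint8_t *ies, size_t len)
{
    const uint8_t *body;
    int l = ie_find(ies, len, IE_MULTIPLE_BSSID, 255, &body);
    if (l < 1) return -1;                     /* need at least the indicator octet */
    return ie_validate(body + 1, (size_t)l - 1);
}

/* Constructed beacon IE blobs (not captured frames). */
static const uint8_t OK_IES[] = {
    IE_SSID, 4, 't','e','s','t',                      /* SSID "test" */
    IE_DS_PARAMS, 1, 6,                               /* channel 6 */
    IE_MULTIPLE_BSSID, 7, 2,  0, 4, 'A','B','C','D'   /* MaxBSSID=2, one 4-byte sub-element */
};
static const uint8_t TRUNC_IES[]  = { IE_DS_PARAMS, 1, 6,  IE_SSID, 40, 'b','a','d' }; /* SSID claims 40, 3 remain */
static const uint8_t BAD_MBSSID[] = { IE_MULTIPLE_BSSID, 4, 2,  0, 9, 'x' };         /* outer fine, inner overruns */

int main(void)
{
    char ssid[SSID_MAX + 1];
    ie_copy_ssid_unchecked(OK_IES, sizeof OK_IES, ssid);   /* benign input only */
    printf("unchecked ssid: %s\n", ssid);
    printf("ok        : %d elements\n", ie_validate(OK_IES, sizeof OK_IES));
    printf("trunc     : %d\n", ie_validate(TRUNC_IES, sizeof TRUNC_IES));
    printf("mbssid    : %d sub-elements\n", mbssid_subelement_count(OK_IES, sizeof OK_IES));
    printf("bad mbssid: outer %d, inner %d\n", ie_validate(BAD_MBSSID, sizeof BAD_MBSSID),
           mbssid_subelement_count(BAD_MBSSID, sizeof BAD_MBSSID));
    return 0;
}
```

The BAD_MBSSID blob is the instructive case: the outer element passes validation because its own length fits the frame, and only the inner walk notices that the nested sub-element claims more than the element body holds. A parser that checks lengths only at the top level is still exploitable by the nested layer.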


ID: CVE-2021-41435

Title: Brute-force protection (CAPTCHA) bypass in ASUS routers

Description: A brute-force protection bypass in the CAPTCHA protection of the ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, and ASUS ZenWiFi AX (XT8) before firmware 3.0.0.4.386.45898, and the RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to make an unlimited number of login attempts by sending a specific HTTP request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-41653

Title: Remote code execution via the IP address field of the PING function in the TP-Link TL-WR840N EU v5 router

Description: A flaw was discovered in the TP-Link TL-WR840N EU v5 router running firmware through build 171211. The PING diagnostic function does not properly validate the IP address argument, so a crafted value in that field can be used to inject commands and execute code on the device. The issue has been given a critical rating.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-42338

Title: Improper authorization vulnerability in 4MOSAn GCB Doctor

Description: 4MOSAn GCB Doctor (affected versions not specified) contains an improper authorization flaw, classified as CWE-285. By manipulating untrusted input, a remote attacker can escalate privileges on the affected system. Confidentiality, integrity, and availability are all impacted.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-43048

Title: Click-Jacking vulnerability in TIBCO PartnerExpress

Description: TIBCO PartnerExpress versions before 6.2.1 contain a clickjacking vulnerability, classified as CWE-451, in the Interior Server and Gateway Server components. An unauthenticated attacker with network access can exploit it by framing the affected interface in a crafted page; a successful attack requires a victim to interact with that page. Confidentiality, integrity, and availability are all impacted.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-36308

Title: Authentication Bypass vulnerability in Dell Networking OS10

Description: Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f

MD5: ee30d6928c9de84049aa055417cc767e

VirusTotal: https://www.virustotal.com/gui/file/0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f/details

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos


SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos


SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos


SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201