Internet Storm Center Spotlight


Title: Microsoft Patch Tuesday for Jan. 2021 — Snort rules and prominent vulnerabilities

Description: Microsoft released its monthly security update Tuesday, disclosing 102 vulnerabilities across its large collection of hardware and software. This is the largest amount of vulnerabilities Microsoft has disclosed in a monthly security update in eight months, however, none of the issues have been exploited in the wild, according to Microsoft. 2022’s first security update features nine critical vulnerabilities, with all but one of the remaining being considered “important.” CVE-2022-21840 is one of the critical vulnerabilities, an issue in Microsoft Office that could allow an attacker to execute remote code on the targeted machine. CVE-2022-21841, CVE-2022-21837 and CVE-2022-21842 are also remote code execution vulnerabilities in the Office suite of products, though they are only rated as “important.” These four vulnerabilities are particularly of note, though, because they can be triggered by the target opening a specially crafted document, a favorite tactic of attackers.


Snort SIDs: 40689, 40690, 58859, 58860, 58866 - 58869 and 58870 - 58875

Title: Two vulnerabilities in Adobe Acrobat DC could lead to arbitrary code execution

Description: Cisco Talos recently discovered two vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code. Acrobat is one of the most popular PDF reader software options available currently. It includes the ability to read and process JavaScript to give PDFs greater interactivity and customization options for users. Both vulnerabilities exist in the way Acrobat Reader processes JavaScript. CVE-2021-44710 is a use-after-free vulnerability that is triggered if the user opens a PDF with specially crafted, malicious JavaScript. The code could give attackers control over reused memory, which can lead to arbitrary code execution. Similarly, CVE-2021-44711 also is triggered if the target opens a specially crafted PDF file, however, this vulnerability causes an integer overflow condition, which could eventually lead to code execution. There are several other vulnerabilities Adobe disclosed in its suite of products as part of Patch Tuesday.




Snort SIDs: 58367, 58368, 58553 and 58554

Internet Storm Center Entries

The New York State Attorney General has alerted 17 companies they were the target of a credential-stuffing campaign, potentially affecting more than a million users.

Thousands of schools worldwide had some services disrupted due to a ransomware attack on software company Finalsite.

A ransomware attack on the IT system of Bernalillo County, New Mexico, caused county government to shut down offices and public buildings.

2021 saw several new Mac-specific malware families jump on the scene, including cryptocurrency miners, backdoors, and implants from state-sponsored actors.

Salesforce is requiring all customers to start using multi-factor authentication next month to access their accounts.

A new feature in Apple’s iOS 15 allows users to download an App Privacy Report to see what information different apps collect.

A malicious Telegram user is selling access to a data collection tool typically used by private investigators.

The U.S. Cybersecurity and Infrastructure Security Agency released a warning that Russian state-sponsored actors are increasing attacks against critical infrastructure.

Recent CVEs

ID: CVE-2021-43779

Title: Remote Code Execution vulnerability in GLPI with addressing plugin

Description: GLPI is a free open-source IT asset management, issue tracking, and service desk software. The GLPI addressing plugin in version 2.9.1 has an authorized Remote Code Execution vulnerability, which allows command injection misuse of functionality to get access to the server's underlying operating system. There is no way to fix this problem, thus users should either upgrade or disable the addressing plugin.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-31589

Title: Cross site scripting vulnerability in BeyondTrust Remote Support 

Description: BeyondTrust Secure Remote Access Base Software through 6.0.1 allows an attacker to achieve full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. This cross-site-scripting (XSS) vulnerability occurs when it does not properly sanitize an unauthenticated crafted web request to the server.

CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689


Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 0fa5cf65905b79ede6fe39e9ee8a8a8b2d04b71b859fe6e7a0ee583a7b832f43

MD5: cbd421ed5799f498e42ec6c598dc0aef


Typical Filename: N/A

Claimed Product: N/A

Detection Name: W32.Auto:0fa5cf6590.in03.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b


Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af


Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG