### **SUMMARY**
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):
* United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
* Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
* Canada: Canadian Centre for Cyber Security (CCCS)
* New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
* United Kingdom: National Cyber Security Centre (NCSC-UK)
This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.
* **Vendors, designers, and developers**: Implement [secure-by-design and -default principles and tactics](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> "Security-by-Design and -Default" ) to reduce the prevalence of vulnerabilities in your software.
  * **Follow the Secure Software Development Framework (SSDF)**, also known as [SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> "NIST SP 800-218" ), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
  * **Prioritize secure-by-default configurations**, such as eliminating default passwords, or requiring additional configuration changes to enhance product security.
  * **Ensure that published CVEs include the proper CWE field** identifying the root cause of the vulnerability.
* **End-user organizations**:
  * **Apply timely patches to systems**. **Note**: First check for signs of compromise if CVEs identified in this CSA have not been patched.
  * Implement a centralized patch management system.
  * **Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers**.
  * **Ask your software providers to discuss their secure-by-design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.
### **TECHNICAL DETAILS**
#### **Key Findings**
In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.
Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).
Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVEs or CVE chains require the actor to send a malicious web request to the vulnerable device, and such requests often carry unique signatures that can be detected through deep packet inspection.
#### **Top Routinely Exploited Vulnerabilities**
Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:
* [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> "CVE-2018-13379" )**.** This vulnerability, affecting Fortinet SSL VPNs, was also [routinely exploited in 2020](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a> "Top Routinely Exploited Vulnerabilities" ) and [2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> "2021 Top Routinely Exploited Vulnerabilities" ). The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
* [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> "CVE-2021-34473" ), [**CVE-2021-31207**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> "CVE-2021-31207" ), [**CVE-2021-34523**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> "CVE-2021-34523" )**.** These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS), Microsoft’s web server. CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
* [**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> "CVE-2021-40539" )**.** This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the use of an outdated third-party dependency. Initial exploitation of this vulnerability [began in late 2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a> "APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus" ) and [continued throughout 2022](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF> "Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors" ).
* [**CVE-2021-26084**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> "CVE-2021-26084" )**.** This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies), could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
* [**CVE-2021-44228**](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> "CVE-2021-44228" )**.** This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[[1](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
* [**CVE-2022-22954**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> "CVE-2022-22954" ), [**CVE-2022-22960**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> "CVE-2022-22960" )**.** These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 [began in early 2022](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b> "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control" ) and attempts continued throughout the remainder of the year.
* [**CVE-2022-1388**](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> "CVE-2022-1388" )**.** This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
* [**CVE-2022-30190**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> "CVE-2022-30190" )**.** This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
* [**CVE-2022-26134**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> "CVE-2022-26134" )**.** This critical RCE vulnerability affects Atlassian Confluence Server and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability ([CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> "CVE-2021-26084" )), which cyber actors also exploited in 2022.
_Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022_
| CVE | Vendor | Product | Type | CWE |
|---|---|---|---|---|
| [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> "CVE-2018-13379" ) | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | [CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> "CVE-2021-34473" ) (ProxyShell) | Microsoft | Exchange Server | RCE | [CWE-918 Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> "CWE-918: Server-Side Request Forgery \(SSRF\)" ) |
| [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> "CVE-2021-31207" ) (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | [CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> "CVE-2021-34523" ) (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | [CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> "CWE-287: Improper Authentication" ) |
| [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> "CVE-2021-40539" ) | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass | [CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> "CWE-287: Improper Authentication" ) |
| [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> "CVE-2021-26084" ) | Atlassian | Confluence Server and Data Center | Arbitrary code execution | [CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \('Injection'\)" ) |
| [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> "CVE-2021-44228" ) (Log4Shell) | Apache | Log4j2 | RCE | [CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \('Expression Language Injection'\)" ); [CWE-20 Improper Input Validation](<https://cwe.mitre.org/data/definitions/20.html> "CWE-20: Improper Input Validation" ); [CWE-400 Uncontrolled Resource Consumption](<https://cwe.mitre.org/data/definitions/400.html> "CWE-400: Uncontrolled Resource Consumption" ); [CWE-502 Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> "CWE-502: Deserialization of Untrusted Data" ) |
| [CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> "CVE-2022-22954" ) | VMware | Workspace ONE Access and Identity Manager | RCE | [CWE-94 Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> "CWE-94: Improper Control of Generation of Code \('Code Injection'\)" ) |
| [CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> "CVE-2022-22960" ) | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | [CWE-269 Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> "CWE-269: Improper Privilege Management" ) |
| [CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> "CVE-2022-1388" ) | F5 Networks | BIG-IP | Missing Authentication Vulnerability | [CWE-306 Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> "CWE-306: Missing Authentication for Critical Function" ) |
| [CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> "CVE-2022-30190" ) | Microsoft | Multiple Products | RCE | None Listed |
| [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> "CVE-2022-26134" ) | Atlassian | Confluence Server and Data Center | RCE | [CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \('Injection'\)" ) |
#### **Additional Routinely Exploited Vulnerabilities**
In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.
_Table 2: Additional Routinely Exploited Vulnerabilities in 2022_
| CVE | Vendor | Product | Type | CWE |
|---|---|---|---|---|
| [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> "CVE-2017-0199" ) | Microsoft | Multiple Products | Arbitrary Code Execution | None Listed |
| [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> "CVE-2017-11882" ) | Microsoft | Exchange Server | Arbitrary Code Execution | [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](<https://cwe.mitre.org/data/definitions/119.html> "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" ) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> "CVE-2019-11510" ) | Ivanti | Pulse Secure Pulse Connect Secure | Arbitrary File Reading | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> "CVE-2019-0708" ) | Microsoft | Remote Desktop Services | RCE | [CWE-416: Use After Free](<https://cwe.mitre.org/data/definitions/416.html> "CWE-416: Use After Free" ) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> "CVE-2019-19781" ) | Citrix | Application Delivery Controller and Gateway | Arbitrary Code Execution | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> "CVE-2020-5902" ) | F5 Networks | BIG-IP | RCE | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> "CVE-2020-1472" ) | Microsoft | Multiple Products | Privilege Escalation | [CWE-330: Use of Insufficiently Random Values](<https://cwe.mitre.org/data/definitions/330.html> "CWE-330: Use of Insufficiently Random Values" ) |
| [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> "CVE-2020-14882" ) | Oracle | WebLogic Server | RCE | None Listed |
| [CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> "CVE-2020-14883" ) | Oracle | WebLogic Server | RCE | None Listed |
| [CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> "CVE-2021-20016" ) | SonicWALL | SSLVPN SMA100 | SQL Injection | [CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](<https://cwe.mitre.org/data/definitions/89.html> "CWE-89: Improper Neutralization of Special Elements used in an SQL Command \('SQL Injection'\)" ) |
| [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> "CVE-2021-26855" ) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> "CWE-918: Server-Side Request Forgery \(SSRF\)" ) |
| [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> "CVE-2021-27065" ) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> "CVE-2021-26858" ) (ProxyLogon) | Microsoft | Exchange Server | RCE | None Listed |
| [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857> "CVE-2021-26857" ) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> "CWE-502: Deserialization of Untrusted Data" ) |
| [CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> "CVE-2021-20021" ) | SonicWALL | Email Security | Privilege Escalation Exploit Chain | [CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> "CWE-269: Improper Privilege Management" ) |
| [CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> "CVE-2021-40438" ) | Apache | HTTP Server | Server-Side Request Forgery | [CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> "CWE-918: Server-Side Request Forgery \(SSRF\)" ) |
| [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> "CVE-2021-41773" ) | Apache | HTTP Server | Server Path Traversal | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> "CVE-2021-42013" ) | Apache | HTTP Server | Server Path Traversal | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> "CWE-22: Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\)" ) |
| [CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> "CVE-2021-20038" ) | SonicWall | SMA 100 Series Appliances | Stack-based Buffer Overflow | [CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> "CWE-787: Out-of-bounds Write" ); [CWE-121: Stack-based Buffer Overflow](<http://cwe.mitre.org/data/definitions/121.html> "CWE-121: Stack-based Buffer Overflow" ) |
| [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> "CVE-2021-45046" ) | Apache | Log4j | RCE | [CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \('Expression Language Injection'\)" ) |
| [CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> "CVE-2022-42475" ) | Fortinet | FortiOS | Heap-based Buffer Overflow | [CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> "CWE-787: Out-of-bounds Write" ) |
| [CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> "CVE-2022-24682" ) | Zimbra | Collaboration Suite | Cross-site Scripting | [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](<https://cwe.mitre.org/data/definitions/79.html> "CWE-79: Improper Neutralization of Input During Web Page Generation \('Cross-site Scripting'\)" ) |
| [CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> "CVE-2022-22536" ) | SAP | Internet Communication Manager (ICM) | HTTP Request Smuggling | [CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](<https://cwe.mitre.org/data/definitions/444.html> "CWE-444: Inconsistent Interpretation of HTTP Requests \('HTTP Request/Response Smuggling'\)" ) |
| [CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> "CVE-2022-22963" ) | VMware Tanzu | Spring Cloud | RCE | [CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> "CWE-94: Improper Control of Generation of Code \('Code Injection'\)" ); [CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \('Expression Language Injection'\)" ) |
| [CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> "CVE-2022-29464" ) | WSO2 | Multiple Products | RCE | [CWE-434: Unrestricted Upload of File with Dangerous Type](<https://cwe.mitre.org/data/definitions/434.html> "CWE-434: Unrestricted Upload of File with Dangerous Type" ) |
| [CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> "CVE-2022-27924" ) | Zimbra | Zimbra Collaboration Suite | Command Injection | [CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \('Injection'\)" ) |
| [CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> "CVE-2022-22047" ) | Microsoft | Windows CSRSS | Elevation of Privilege | [CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> "CWE-269: Improper Privilege Management" ) |
| [CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> "CVE-2022-27593" ) | QNAP | QNAP NAS | Externally Controlled Reference | [CWE-610: Externally Controlled Reference to a Resource in Another Sphere](<https://cwe.mitre.org/data/definitions/610.html> "CWE-610: Externally Controlled Reference to a Resource in Another Sphere" ) |
| [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> "CVE-2022-41082" ) | Microsoft | Exchange Server | Privilege Escalation | None Listed |
| [CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> "CVE-2022-40684" ) | Fortinet | FortiOS, FortiProxy, FortiSwitchManager | Authentication Bypass | [CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> "CWE-306: Missing Authentication for Critical Function" ) |
### **MITIGATIONS**
#### **Vendors and Developers**
The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:
* **Identify repeatedly exploited classes of vulnerability.** Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.
* **Ensure business leaders are responsible for security.** Business leaders should ensure that proactive steps are taken to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
* **Follow the SSDF** ([SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> "NIST SP 800-218" )) and implement secure design practices into each stage of the SDLC. Pay attention to:
  * Prioritizing the use of memory safe languages wherever possible [[SSDF PW.6.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )].
  * Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [[SSDF PW.4.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )].
  * Setting up secure development team practices; this includes conducting peer code reviews, working to a common organizational secure coding standard, and maintaining awareness of language-specific security concerns [[SSDF PW.5.1, PW.7.1, PW.7.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )].
  * Establishing a [vulnerability disclosure program](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained> "Vulnerability Disclosure Programs Explained" ) to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [[SSDF RV.1.3](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
  * Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [[SSDF PW.7.2, PW.8.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )].
  * Configuring production-ready products to have the most secure settings as default and providing guidance on the risks of changing each setting [[SSDF PW.9.1, PW.9.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> "NIST Special Publication 800-218" )].
* **Prioritize secure-by-default configurations**, such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
* **Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability** to enable industry-wide analysis of software security and design flaws.
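Two of the vendor recommendations above (analyse which weakness classes recur across your CVEs, and make sure every published CVE carries a CWE) can be checked mechanically. The following is an added example, not code from the advisory or from any of the authoring agencies. It assumes CVE records in the CVE JSON 5.0 layout, where CWE ids sit under `containers.cna.problemTypes[].descriptions[].cweId`; the records here are constructed from Table 1 of this advisory with only the fields the check needs.

```python
from collections import Counter


def record(cve_id: str, cwe_ids: list) -> dict:
    """Build a minimal CVE JSON 5.0-shaped record (constructed for this example)."""
    return {
        "dataType": "CVE_RECORD",
        "cveMetadata": {"cveId": cve_id},
        "containers": {"cna": {"problemTypes": [
            {"descriptions": [
                {"lang": "en", "type": "CWE", "cweId": c, "description": c} for c in cwe_ids
            ]}
        ]}},
    }


# CVE -> CWE mapping copied from Table 1 of this advisory (AA23-215A).
TABLE1_RECORDS = [
    record("CVE-2018-13379", ["CWE-22"]),
    record("CVE-2021-34473", ["CWE-918"]),
    record("CVE-2021-31207", ["CWE-22"]),
    record("CVE-2021-34523", ["CWE-287"]),
    record("CVE-2021-40539", ["CWE-287"]),
    record("CVE-2021-26084", ["CWE-74"]),
    record("CVE-2021-44228", ["CWE-917", "CWE-20", "CWE-400", "CWE-502"]),
    record("CVE-2022-22954", ["CWE-94"]),
    record("CVE-2022-22960", ["CWE-269"]),
    record("CVE-2022-1388", ["CWE-306"]),
    record("CVE-2022-30190", []),  # "None Listed" in the table
    record("CVE-2022-26134", ["CWE-74"]),
]


def cwe_ids(rec: dict) -> list:
    """Return every CWE id the record's CNA container declares (empty if none)."""
    ids = []
    for problem_type in rec.get("containers", {}).get("cna", {}).get("problemTypes", []):
        for desc in problem_type.get("descriptions", []):
            if desc.get("cweId"):
                ids.append(desc["cweId"])
    return ids


def records_missing_cwe(records) -> list:
    """CVE ids that would be published without a root-cause CWE: block these in the release gate."""
    return [r["cveMetadata"]["cveId"] for r in records if not cwe_ids(r)]


def cwe_frequency(records) -> Counter:
    """How often each weakness class recurs across the set; the classes at the top of
    this list are the candidates for class-wide elimination rather than one-off fixes."""
    return Counter(c for r in records for c in cwe_ids(r))


if __name__ == "__main__":
    print("missing CWE:", records_missing_cwe(TABLE1_RECORDS))
    for cwe, n in cwe_frequency(TABLE1_RECORDS).most_common():
        print(f"{cwe}: {n}")
```

Run against a vendor's own CVE records, `records_missing_cwe` is the publication gate the last bullet asks for, and `cwe_frequency` is the starting point for the class-level analysis in the first bullet.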
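The SQL injection example in the first bullet, worked through in code. This is an added example, not code from the advisory: it uses Python's standard `sqlite3` module with an in-memory table of constructed sample users, shows a query built by string formatting next to its parameterized form, and adds a small `ast`-based check that flags any `execute()` call whose SQL is not a plain string literal, which is one way to "prohibit other forms of queries" in CI.

```python
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is spliced into the statement text, so characters in the
    # value can change the structure of the query the database parses.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The statement is fixed; the value travels separately and is only ever data.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_dynamic_sql(source: str) -> list:
    """Line numbers of execute()/executemany() calls whose first argument is not a
    string literal. Dynamic SQL text (f-strings, concatenation, % formatting) is
    what parameterization is meant to replace, so a CI gate can fail on any hit."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            first = node.args[0]
            if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
                flagged.append(node.lineno)
    return flagged


# Constructed source snippet for the lint check; line 3 builds SQL from input, line 6 does not.
SAMPLE_SOURCE = '''
def bad(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def demo() -> dict:
    """Exercise both query styles with a legitimate name containing an apostrophe."""
    conn = make_db()
    result = {
        "parameterized_alice": find_user_parameterized(conn, "alice"),
        "parameterized_obrien": find_user_parameterized(conn, "o'brien"),
        "dynamic_sql_lines": find_dynamic_sql(SAMPLE_SOURCE),
    }
    try:
        find_user_vulnerable(conn, "o'brien")
        result["vulnerable_obrien"] = "query ran"
    except sqlite3.OperationalError:
        # The apostrophe ended the string literal early: the same property an
        # attacker relies on, surfacing here as a syntax error on honest input.
        result["vulnerable_obrien"] = "syntax error: input changed the query structure"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is deliberate: a name such as `o'brien` already breaks the string-built query, which is the clearest sign that input is reaching the parser as SQL rather than as a value. Parameterized queries handle it unchanged, and the `find_dynamic_sql` check keeps the string-built form from being reintroduced.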
For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide [Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> "Security-by-Design and -Default" ).
#### **End-User Organizations**
The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals> "Cross-Sector Cybersecurity Performance Goals" ) for more information on CPGs, including additional recommended baseline protections.
#### **_Vulnerability and Configuration Management_**
* **Update software, operating systems, applications, and firmware on IT network assets in a timely manner** [CPG 1.E]. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> "Known Exploited Vulnerabilities Catalog" ), especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
  * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  * Replace end-of-life software (i.e., software no longer supported by the vendor).
* **Routinely perform automated asset discovery** across the entire estate to identify and catalogue all systems, services, hardware, and software.
* **Implement a robust patch management process** and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
  * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, MSPs and CSPs can expand their customers’ attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources:
    * CISA Insights Risk Considerations for Managed Service Provider Customers
    * CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
    * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider> "How to Manage Your Security When Engaging a Managed Service Provider" )
* **Document secure baseline configurations for all IT/OT components**, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
* **Perform regular secure system backups** and create known-good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test them regularly [CPG 2.R].
* **Maintain an updated cybersecurity incident response plan** that is tested at least annually and updated within a risk-informed time frame to ensure its effectiveness [CPG 2.S].
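The patching order in the first bullet above (CVEs from this CSA first, then other known exploited vulnerabilities, then critical and high RCE or denial-of-service findings on internet-facing equipment) is easy to encode as a triage rule over scanner output. The following is an added example, not a tool from the advisory or from any authoring agency. It assumes a scanner export with host, CVE, CVSS score, exposure and impact class; the findings are constructed, the `CVE-0000-*` ids are placeholders, and the KEV set is a stand-in for the published catalog feed rather than the real catalog.

```python
from dataclasses import dataclass

# The twelve CVEs from Table 1 of this advisory (AA23-215A).
CSA_CVES = frozenset({
    "CVE-2018-13379", "CVE-2021-34473", "CVE-2021-31207", "CVE-2021-34523",
    "CVE-2021-40539", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-22954",
    "CVE-2022-22960", "CVE-2022-1388", "CVE-2022-30190", "CVE-2022-26134",
})

# Constructed stand-in for the CISA Known Exploited Vulnerabilities (KEV) catalog.
# In practice, load the published catalog feed and refresh it on every run.
KEV_SAMPLE = frozenset({"CVE-2019-19781", "CVE-2020-1472"}) | CSA_CVES


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # base score as reported by the scanner
    internet_facing: bool
    impact: str            # "rce", "dos" or "other"


def priority(f: Finding, kev: frozenset = KEV_SAMPLE) -> int:
    """Lower is more urgent; tiers mirror the advisory's patching order."""
    if f.cve in CSA_CVES:
        return 0  # routinely exploited in 2022: patch first and check for compromise
    if f.cve in kev:
        return 1  # any other known exploited vulnerability
    if f.internet_facing and f.cvss >= 7.0 and f.impact in ("rce", "dos"):
        return 2  # critical/high RCE or DoS on internet-facing equipment
    return 3      # everything else follows the normal patch cadence


def prioritize(findings, kev: frozenset = KEV_SAMPLE) -> list:
    """Order findings by tier, then highest CVSS, then host name for a stable queue."""
    return sorted(findings, key=lambda f: (priority(f, kev), -f.cvss, f.host))


def needs_compromise_check(findings) -> list:
    """Hosts still exposed to a CVE from this CSA. The advisory's note applies here:
    look for signs of compromise, since a late patch does not undo earlier exploitation."""
    return sorted({f.host for f in findings if f.cve in CSA_CVES})


# Constructed scanner output; hostnames and CVE-0000-* ids are placeholders, not real findings.
SAMPLE_FINDINGS = [
    Finding("vpn-1", "CVE-2018-13379", 9.8, True, "other"),
    Finding("mail-1", "CVE-2021-34473", 9.8, True, "rce"),
    Finding("adc-1", "CVE-2019-19781", 9.8, True, "rce"),
    Finding("web-2", "CVE-0000-0001", 8.1, True, "rce"),
    Finding("db-1", "CVE-0000-0002", 9.0, False, "rce"),
    Finding("ws-3", "CVE-0000-0003", 5.3, True, "other"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(priority(f), f.host, f.cve, f.cvss)
    print("check for compromise:", needs_compromise_check(SAMPLE_FINDINGS))
```

Note that an internal host with a higher CVSS score (`db-1`) lands below an internet-facing one with a lower score (`web-2`): exposure, not score alone, decides the tier, which is the point of the advisory's ordering.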
#### **_Identity and Access Management_**
* **Enforce phishing-resistant multifactor authentication (MFA) for all users**, without exception [CPG 2.H].
* **Enforce MFA on all VPN connections**. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
* **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].
* **Configure access control under the principle of least privilege** [CPG 2.Q].
* Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).
**Note:** See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication> "Implementing Multi-Factor Authentication" ) for more information on authentication system hardening.
#### **_Protective Controls and Architecture_**
* **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
* Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
* Manage Windows Key Distribution Center (KDC) accounts, such as KRBTGT, to limit Golden Ticket attacks and Kerberoasting: rotate the KRBTGT password on a schedule and after any suspected domain compromise (twice, allowing replication to complete between resets, so that tickets issued under the old key are no longer accepted), and give accounts that hold service principal names long, randomly generated passwords (for example, group Managed Service Accounts) so that their service tickets cannot be cracked offline.
* Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
* **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. **Note:** See the Department of Defense’s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/\(U\)ZT_RA_v2.0\(U\)_Sep22.pdf> "Department of Defense \(DoD\) Zero Trust Reference Architecture" ) for additional information on Zero Trust.
* **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
* Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
* Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
* Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
* Use a network protocol analyzer to examine captured data, including packet-level data.
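The script below is an added example of the asset-reconciliation check recommended above (ITAM, EDR, SIEM and vulnerability scanner reporting the same assets); it is not code from the advisory's authoring agencies. It assumes each tool's export has been reduced to a list of hostnames as that tool reports them; the exports, the hostnames and the internal DNS suffix are all constructed for the example.

```python
"""Reconcile asset inventories from an ITAM source of truth, EDR, SIEM and a
vulnerability scanner.

Added example for the asset-discovery and tool-coverage guidance in this
advisory; it is not code from the authoring agencies. Each export is assumed
to be a list of hostnames as the tool reports them. SAMPLE_EXPORTS and
DOMAIN_SUFFIXES are constructed.
"""

# Assumed internal DNS suffixes. FQDNs from one tool must match short names
# from another, so the suffix is stripped before comparison.
DOMAIN_SUFFIXES = ("corp.example",)


def normalize(name: str) -> str:
    """Map 'WS-0412.Corp.Example', 'ws-0412' and ' WS-0412 ' to 'ws-0412'."""
    key = name.strip().lower().rstrip(".")
    for suffix in DOMAIN_SUFFIXES:
        if key.endswith("." + suffix):
            key = key[: -(len(suffix) + 1)]
    return key


# Constructed sample exports; hostnames are placeholders.
SAMPLE_EXPORTS = {
    "itam": ["ws-0412.corp.example", "srv-db-01.corp.example",
             "vpn-edge-01.corp.example", "lab-pi-07.corp.example"],
    "edr": ["WS-0412", "SRV-DB-01", "VPN-EDGE-01"],
    "siem": ["ws-0412.corp.example", "srv-db-01.corp.example",
             "vpn-edge-01.corp.example", "ghost-03.corp.example"],
    "scanner": ["ws-0412.corp.example", "vpn-edge-01.corp.example",
                "lab-pi-07.corp.example"],
}


def coverage_report(exports=SAMPLE_EXPORTS, truth="itam") -> dict:
    """Compare every tool against the ITAM inventory.

    'gaps' lists known assets a tool does not see (no EDR agent, no logs
    arriving, or never scanned); 'unknown' lists hosts a tool sees that ITAM
    does not know about, which are either stale records or unmanaged systems.
    """
    seen = {tool: {normalize(h) for h in hosts} for tool, hosts in exports.items()}
    known = seen[truth]
    return {
        "counts": {tool: len(hosts) for tool, hosts in seen.items()},
        "gaps": {tool: sorted(known - hosts)
                 for tool, hosts in seen.items() if tool != truth},
        "unknown": {tool: sorted(hosts - known)
                    for tool, hosts in seen.items() if tool != truth},
    }


if __name__ == "__main__":
    report = coverage_report()
    print("asset counts:", report["counts"])
    for tool in ("edr", "siem", "scanner"):
        print(f"{tool:8} not covering: {report['gaps'][tool]}  "
              f"unknown to ITAM: {report['unknown'][tool]}")
```

In the sample data the SIEM reports exactly as many assets as ITAM yet is still missing one and carrying one nobody owns, which is why the comparison is done on normalized sets rather than on the counts the bullet above mentions.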
#### **_Supply Chain Security_**
* **Reduce third-party applications and unique system/application builds**—provide exceptions only if required to support business critical functions [CPG 2.Q].
* Ensure contracts require vendors and/or third-party service providers to:
* Provide notification of security incidents and vulnerabilities within a risk-informed time frame [CPG 1.G, 1.H, 1.I].
* Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
* **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.
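As an added example of what an SBOM buys you in practice (not code from the advisory's authoring agencies, Atlassian or Apache), the script below reads a minimal CycloneDX-style SBOM and flags every component, including transitive ones nested inside a vendor package, that falls inside an affected version range. The SBOM document is constructed; the one range it checks, log4j-core 2.0-beta9 through 2.14.1 for CVE-2021-44228, comes from this advisory's appendix. The version ordering is a simplified scheme written for the example, not Maven's full comparison rules.

```python
"""Match components in a CycloneDX-style SBOM against an affected-version range.

Added example for the SBOM recommendation in this advisory; it is not code
from the authoring agencies. SAMPLE_SBOM_JSON is a constructed, minimal
CycloneDX 1.4 document using package URLs (purl). The Log4j range is taken
from the advisory's appendix. version_key() is a simplified ordering, not
Maven's full rules.
"""
import json
import re

# Affected ranges keyed by purl coordinates; only the Log4j entry is included.
ADVISORIES = [
    {"cve": "CVE-2021-44228", "purl_type": "maven",
     "namespace": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0-beta9", "last_affected": "2.14.1"},
]


def version_key(version: str) -> tuple:
    """Comparable key so that 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0.

    Numeric components compare first (padded to three places); a release
    ranks above any pre-release of the same number; pre-release tags then
    compare as (text, number) pairs, so beta9 < rc1.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    numbers = []
    while tokens and tokens[0].isdigit():
        numbers.append(int(tokens.pop(0)))
    while len(numbers) < 3:
        numbers.append(0)
    tail = tuple((1, int(t)) if t.isdigit() else (0, t.lower()) for t in tokens)
    return (tuple(numbers), 0 if tail else 1, tail)


def parse_purl(purl: str) -> tuple:
    """Split 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1' into
    (type, namespace, name, version); namespace is None when absent."""
    scheme, rest = purl.split(":", 1)
    if scheme != "pkg":
        raise ValueError(f"not a purl: {purl}")
    path, version = rest.split("@", 1)
    version = version.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    parts = path.split("/")
    return parts[0], "/".join(parts[1:-1]) or None, parts[-1], version


def affected_components(sbom: dict, advisories=ADVISORIES) -> list:
    """Walk the SBOM, including nested (transitive) components, and return
    (name, version, cve) for every component inside an affected range."""
    hits = []

    def walk(components):
        for comp in components:
            purl = comp.get("purl")
            if purl:
                ptype, namespace, name, version = parse_purl(purl)
                for adv in advisories:
                    if (ptype, namespace, name) != (adv["purl_type"], adv["namespace"], adv["name"]):
                        continue
                    if version_key(adv["introduced"]) <= version_key(version) <= version_key(adv["last_affected"]):
                        hits.append((comp.get("name", name), version, adv["cve"]))
            walk(comp.get("components", []))  # CycloneDX allows nested components

    walk(sbom.get("components", []))
    return hits


# Constructed sample SBOM: one direct log4j-core, one transitive copy bundled
# inside a vendor component, and one fixed version.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "application", "name": "vendor-gateway", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
     ]},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}"""


def scan_sbom(sbom_json: str = SAMPLE_SBOM_JSON) -> list:
    """Parse an SBOM document and return its affected components."""
    return affected_components(json.loads(sbom_json))


if __name__ == "__main__":
    for name, version, cve in scan_sbom():
        print(f"{cve}: {name} {version}")
```

The transitive copy inside `vendor-gateway` is the case an SBOM exists for: a scanner that only sees the top-level dependency list, or a vendor that only reports its own product version, would miss it.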
### **RESOURCES**
* For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
* Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a> "Top 10 Routinely Exploited Vulnerabilities" )
* Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a> "Top Routinely Exploited Vulnerabilities" )
* Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> "2021 Top Routinely Exploited Vulnerabilities" )
* See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
* See ACSC’s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> "Essential Eight Maturity Model" ) for additional mitigations.
* See ACSC’s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management> "Cyber Supply Chain Risk Management" ) for additional considerations and advice.
### DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
### **PURPOSE**
This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
### **VERSION HISTORY**
August 3, 2023: Initial version.
### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**
**CVE**
|
**Vendor**
|
**Affected Products and Versions**
|
**Patch Information**
|
**Resources**
---|---|---|---|---
[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> "CVE-2017-0199" )
|
Microsoft
|
Multiple Products
|
[Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199> "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows" )
|
[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> "CVE-2017-11882" )
|
Microsoft
|
Office, Multiple Versions
|
[Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882> "Microsoft Office Memory Corruption Vulnerability" )
|
[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> "CVE-2018-13379" )
|
Fortinet
|
FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
|
[FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233> "FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests" )
|
Joint CSAs:
[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities" )
[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a> "Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology" )
[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations" )
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> "CVE-2019-11510" )
|
Ivanti
|
Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12
|
[SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US> "SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX" )
|
CISA Alerts:
[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> "Continued Exploitation of Pulse Secure VPN Vulnerability" )
[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity" )
ACSC Advisory:
[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software> "2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software" )
Joint CSA:
[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations" )
_CCCS Alert:_
[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi> "Alert - APT Actors Target U.S. and Allied Networks - update 1" )
[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> "CVE-2019-0708" )
|
Microsoft
|
Remote Desktop Services
|
[Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708> "Remote Desktop Services Remote Code Execution Vulnerability" )
|
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> "CVE-2019-19781" )
|
Citrix
|
ADC and Gateway version 13.0 all supported builds before 13.0.47.24
NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
|
[CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance> "CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance" )
|
Joint CSAs:
[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations" )
[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity" )
_CCCS Alert:_
[Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0> "Alert - Detecting Compromises relating to Citrix CVE-2019-19781" )
[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> "CVE-2020-5902" )
|
F5
|
BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5
|
[K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254> "K52145254: TMUI RCE vulnerability CVE-2020-5902" )
|
CISA Alert:
[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a> "Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902" )
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> "CVE-2020-1472" )
|
Microsoft
|
Windows Server, Multiple Versions
|
[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472> "Netlogon Elevation of Privilege Vulnerability" )
|
ACSC Advisory:
[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472> "Advisory 2020-016: "Zerologon" - Netlogon Elevation of Privilege Vulnerability \(CVE-2020-1472\)" )
Joint CSA:
[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations" )
_CCCS Alert:_
[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472> "Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1" )
[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> "CVE-2020-14882" )
|
Oracle
|
WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> "Oracle Critical Patch Update Advisory - October 2020" )
|
[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> "CVE-2020-14883" )
|
Oracle
|
WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> "Oracle Critical Patch Update Advisory - October 2020" )
|
[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> "CVE-2021-20016" )
|
SonicWALL
|
SSLVPN SMA100, Build Version 10.x
|
[Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001> "CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD VERSION 10.X" )
|
[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> "CVE-2021-26855" )
|
Microsoft
|
Exchange Server, Multiple Versions
|
[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855> "Microsoft Exchange Server Remote Code Execution Vulnerability" )
|
CISA Alert:
[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> "Mitigate Microsoft Exchange Server Vulnerabilities" )
[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) |
CISA Alert:
[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>)
[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> "CVE-2021-26858" )
|
Microsoft
|
Exchange Server, Multiple Versions
|
[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858> "Microsoft Exchange Server Remote Code Execution Vulnerability" )
|
CISA Alert:
[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> "Mitigate Microsoft Exchange Server Vulnerabilities" )
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> "CVE-2021-27065" )
|
Microsoft
|
Multiple Products
|
[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> "Microsoft Exchange Server Remote Code Execution Vulnerability" )
|
CISA Alert:
[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> "Mitigate Microsoft Exchange Server Vulnerabilities" )
[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> "CVE-2021-20021" )
|
SonicWALL
|
Email Security version 10.0.9.x Email Security
|
[SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007> "SONICWALL EMAIL SECURITY PRE-AUTHENTICATION ADMINISTRATIVE ACCOUNT CREATION VULNERABILITY" )
|
[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> "CVE-2021-31207" )
|
Microsoft
|
Exchange Server, Multiple Versions
|
[Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207> "Microsoft Exchange Server Security Feature Bypass Vulnerability" )
|
CISA Alert:
[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities" )
ACSC Alert:
[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia> "Microsoft Exchange ProxyShell Targeting in Australia" )
[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> "CVE-2022-26134" )
|
Atlassian
|
Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
|
[Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> "Confluence Security Advisory 2022-06-02" )
|
CISA Alert:
[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog> "CISA Adds One Known Exploited Vulnerability \(CVE-2022-26134\) to Catalog " )
ACSC Alert:
[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence> "Remote code execution vulnerability present in Atlassian Confluence Server and Data Center" )
[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> "CVE-2021-34473" )
|
Microsoft
|
Exchange Server, Multiple Version
|
[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473> "Microsoft Exchange Server Remote Code Execution Vulnerability" )
|
Joint CSA:
[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities" )
[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> "CVE-2021-34523" )
|
Microsoft
|
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Updates 19 and 20
Microsoft Exchange Server 2019 Cumulative Updates 8 and 9
|
[Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523> "Microsoft Exchange Server Elevation of Privilege Vulnerability" )
|
CISA Alert:
[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities" )
[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> "CVE-2021-26084" )
|
Jira Atlassian
|
Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
[Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940> "Confluence Server Webwork OGNL injection - CVE-2021-26084" )
|
CISA Alert:
[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center> "Atlassian Releases Security Updates for Confluence Server and Data Center" )
[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> "CVE-2021-40539" )
|
Zoho ManageEngineCorp.
|
ManageEngine ADSelfService Plus builds up to 6113
|
[Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html> "Security advisory - ADSelfService Plus authentication bypass vulnerability" )
|
ACSC Alert:
[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors> "Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors" )
[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> "CVE-2021-40438" )
|
Apache
|
HTTP Server 2.4.48
| |
[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> "CVE-2021-41773" )
|
Apache
|
Apache HTTP Server 2.4.49
|
[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> "Apache HTTP Server 2.4 vulnerabilities" )
|
[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> "CVE-2021-42013" )
|
Apache
|
Apache HTTP Server 2.4.50
|
[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> "Apache HTTP Server 2.4 vulnerabilities" )
|
[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> "CVE-2021-20038" )
|
SonicWall
|
SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances
|
[SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026> "SONICWALL PATCHES MULTIPLE SMA100 AFFECTED VULNERABILITIES" )
|
ACSC Alert:
[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)
_CCCS Alert:_
[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4> "SonicWall security advisory" )
[CVE-2021- 44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> "CVE-2021-44228" )
|
Apache
|
Log4j, all versions from 2.0-beta9 to 2.14.1
[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>)
|
[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> "Apache Log4j Security Vulnerabilities" )
For additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a> "Mitigating Log4Shell and Other Log4j-Related Vulnerabilities" )
|
CISA webpage:
[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> "Apache Log4j Vulnerability Guidance" )
_CCCS Alert:_
[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability> "Alert - Active exploitation of Apache Log4j vulnerability - update 7" )
ACSC Advisory:
[2021-007: Log4j vulnerability – advice and mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations> "2021-007: Log4j vulnerability – advice and mitigations" )
ACSC Publication:
[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know> "Log4j: What Boards and Directors Need to Know" )
[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> "CVE-2021-45046" )
|
Apache
|
Log4j 2.15.0Log4j
|
[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> "Apache Log4j Security Vulnerabilities" )
|
[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> "CVE-2022-42475" )
|
Fortinet
|
FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and
FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier
|
[FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398> "FortiOS - heap-based buffer overflow in sslvpnd" )
|
[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> "CVE-2022-24682" )
|
Zimbra
|
Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite
|
[Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30> "Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release" )
|
[CVE-2022-22536 ](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> "CVE-2022-22536" )
|
SAP
|
NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)
|
[Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/> "Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher" )
|
CISA Alert:
[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing> "Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager \(ICM\)" )
[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> "CVE-2022-22963" )
|
VMware Tanzumware Tanzu
|
Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions
|
[CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963> "CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression" )
|
[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> "CVE-2022-22954" )
|
VMware
|
Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
vRealize Automation (vIDM), 8.x, 7.6
VMware Cloud Foundation (vIDM), 4.x
vRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace
ONE Access and Identity Manager
|
[VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> "VMSA-2022-0011" )
|
[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> "CVE-2022-22960" )
|
VMware
|
Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
Identity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3
vRealize Automation (vIDM), 8.x, 7.6
VMware Cloud Foundation (vIDM), 4.x
VMware Cloud Foundation (vRA), 3.x
vRealize Suite Lifecycle Manager (vIDM), 8.x
|
[VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> "VMSA-2022-0011" )
|
[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> "CVE-2022-29464" )
|
AtlassianWSO2
|
WSO2 API Manager 2.2.0 and above through 4.0.0
WSO2 Identity Server 5.2.0 and above through 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0
WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0
|
[WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces> "Spaces" )
|
[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> "CVE-2022-27924" )
|
Zimbra
|
Zimbra Collaboration Suite, 8.8.15 and 9.0
|
[Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes> "Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release" )
|
[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> "CVE-2022-1388" ) | F5 Networks | F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions | [K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346> "K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388" ) | Joint CSA: [Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a> "Threat Actors Exploiting F5 BIG-IP CVE-2022-1388" )
[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> "CVE-2022-30190" ) | Microsoft | Windows, multiple versions (Microsoft Support Diagnostic Tool, MSDT) | | CISA Alert: [Microsoft Releases Workaround Guidance for MSDT "Follina" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> "Microsoft Releases Workaround Guidance for MSDT Follina Vulnerability" )
[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> "CVE-2022-22047" ) | Microsoft | Multiple Products | [Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability" ) |
[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> "CVE-2022-27593" ) | QNAP | Certain QNAP NAS devices running Photo Station with internet exposure | [DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> "DeadBolt Ransomware" ) |
[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> "CVE-2022-41082" ) | Microsoft | Exchange Server 2013 Cumulative Update 23; Exchange Server 2016 Cumulative Updates 22 and 23; Exchange Server 2019 Cumulative Updates 11 and 12 | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> "Microsoft Exchange Server Remote Code Execution Vulnerability" ) | ACSC Alert: [Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> "Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange" )
[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> "CVE-2022-40684" ) | Fortinet | FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6; FortiProxy 7.2.0 and 7.0.0 through 7.0.6; FortiSwitchManager 7.2.0 and 7.0.0 | [FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> "FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface" ) |
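The affected-version columns above are only actionable once they are matched against an asset inventory. The following Python script is an added example, not code from the advisory or from any of the vendors listed; it transcribes the version ranges given for CVE-2022-1388 (F5 BIG-IP) and CVE-2022-40684 (FortiOS, FortiProxy, FortiSwitchManager), treats "prior to" as an exclusive upper bound within a release branch and "through" as an inclusive range, and runs a constructed inventory of hypothetical hosts through the check. The product keys ("BIG-IP", "FortiOS", and so on) and hostnames are the script's own assumptions.

```python
"""Added example: check a device inventory against the affected-version ranges
listed in the appendix rows for CVE-2022-1388 (F5 BIG-IP) and CVE-2022-40684
(FortiOS / FortiProxy / FortiSwitchManager). Not part of the advisory."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'16.1.2.2' -> (16, 1, 2, 2). A trailing build token such as
    '7.0.6 build0523' is ignored. Tuples compare lexicographically, which
    is the ordering 'prior to' implies for dotted release numbers."""
    return tuple(int(part) for part in text.strip().split()[0].split("."))


@dataclass(frozen=True)
class AffectedRange:
    """Versions on `branch` (e.g. (16, 1) for '16.1.x') from `first`
    (inclusive) up to but excluding `fixed`. first=None means the whole
    branch below `fixed`; fixed=None means no fixed build on that branch."""
    product: str
    branch: Version
    first: Optional[Version] = None
    fixed: Optional[Version] = None

    def contains(self, version: Version) -> bool:
        if version[: len(self.branch)] != self.branch:
            return False
        if self.first is not None and version < self.first:
            return False
        return self.fixed is None or version < self.fixed


def prior_to(product: str, branch: str, fixed: str) -> AffectedRange:
    """Table wording '16.1.x versions prior to 16.1.2.2'."""
    return AffectedRange(product, parse_version(branch), fixed=parse_version(fixed))


def through(product: str, low: str, high: str) -> AffectedRange:
    """Table wording '7.0.0 through 7.0.6' (inclusive); one version is through(v, v)."""
    lo, hi = parse_version(low), parse_version(high)
    if lo[:-1] != hi[:-1]:
        raise ValueError("range must stay within one branch")
    return AffectedRange(product, lo[:-1], first=lo, fixed=hi[:-1] + (hi[-1] + 1,))


# Ranges transcribed from the appendix rows; the product keys are this script's own.
AFFECTED: Dict[str, List[AffectedRange]] = {
    "CVE-2022-1388": [
        prior_to("BIG-IP", "16.1", "16.1.2.2"),
        prior_to("BIG-IP", "15.1", "15.1.5.1"),
        prior_to("BIG-IP", "14.1", "14.1.4.6"),
        prior_to("BIG-IP", "13.1", "13.1.5"),
        AffectedRange("BIG-IP", parse_version("12.1")),  # all 12.1.x, no fixed build
        AffectedRange("BIG-IP", parse_version("11.6")),  # all 11.6.x, no fixed build
    ],
    "CVE-2022-40684": [
        through("FortiOS", "7.2.0", "7.2.1"),
        through("FortiOS", "7.0.0", "7.0.6"),
        through("FortiProxy", "7.2.0", "7.2.0"),
        through("FortiProxy", "7.0.0", "7.0.6"),
        through("FortiSwitchManager", "7.2.0", "7.2.0"),
        through("FortiSwitchManager", "7.0.0", "7.0.0"),
    ],
}


def affected_cves(product: str, version: str) -> List[str]:
    """CVEs from the table whose listed ranges include this product/version."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(r.product == product and r.contains(v) for r in ranges)]


# Constructed sample inventory (hypothetical hostnames, not from the advisory).
INVENTORY = [
    ("lb-edge-01", "BIG-IP", "16.1.2.1"),
    ("lb-edge-02", "BIG-IP", "16.1.2.2"),
    ("lb-legacy-01", "BIG-IP", "12.1.6"),
    ("fw-dc-01", "FortiOS", "7.0.6 build0523"),
    ("fw-dc-02", "FortiOS", "7.0.7"),
    ("proxy-01", "FortiProxy", "7.2.0"),
    ("fsm-01", "FortiSwitchManager", "7.0.1"),
]


def triage(inventory) -> Dict[str, List[str]]:
    """Map each host to the listed CVEs its version falls inside."""
    return {host: affected_cves(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(f"{host}: {', '.join(cves) or 'not in a listed affected range'}")
```

A match is a patch-priority signal, not proof of exploitability: the device also has to expose the vulnerable interface (iControl REST for CVE-2022-1388, the administrative interface for CVE-2022-40684). Conversely, a version outside the listed ranges today says nothing about whether the device was exploited while it was still vulnerable, which is why the advisory tells organizations to check for signs of compromise before treating a late patch as closing the matter.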
Advisory AA23-215A: 2022 Top Routinely Exploited Vulnerabilities
If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].\n * **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].\n * **Configure access control under the principle of least privilege** [CPG 2.Q]. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible). \n**Note:** See CISA\u2019s Capacity Enhancement Guide \u2013 Implementing Strong Authentication and ACSC\u2019s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication> \"Implementing Multi-Factor Authentication\" ) for more information on authentication system hardening.\n\n#### **_Protective Controls and Architecture_**\n\n * **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X]. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. 
**Note:** See the Department of Defense\u2019s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/\\(U\\)ZT_RA_v2.0\\(U\\)_Sep22.pdf> \"Department of Defense \\(DoD\\) Zero Trust Reference Architecture\" ) for additional information on Zero Trust.\n * **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T]. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].\n * Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].\n * Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].\n * Use a network protocol analyzer to examine captured data, including packet-level data.\n\n#### **_Supply Chain Security_**\n\n * **Reduce third-party applications and unique system/application builds**\u2014provide exceptions only if required to support business critical functions [CPG 2.Q].\n * Ensure contracts require vendors and/or third-party service providers to: \n * Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].\n * Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].\n * **Ask your software providers to discuss their secure by 
design program** and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.\n\n### **RESOURCES**\n\n * For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see: \n * Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a> \"Top 10 Routinely Exploited Vulnerabilities\" )\n * Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" )\n * Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" )\n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n * See ACSC\u2019s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> \"Essential Eight Maturity Model\" ) for additional mitigations.\n * See ACSC\u2019s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management> \"Cyber Supply Chain Risk Management\" ) for additional considerations and advice.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

### **PURPOSE**

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

### **VERSION HISTORY**

August 3, 2023: Initial version.

### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**

| CVE | Vendor | Affected Products and Versions | Patch Information | Resources |
|---|---|---|---|---|
| [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) | Microsoft | Multiple Products | [Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>) | |
| [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) | Microsoft | Office, Multiple Versions | [Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>) | |
| [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | Fortinet | FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | [FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233>) | Joint CSAs:<br>[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a>)<br>[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a>)<br>[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Ivanti | Pulse Secure Pulse Connect Secure versions 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12 | [SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US>) | CISA Alerts:<br>[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a>)<br>[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a>)<br>ACSC Advisory:<br>[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software>)<br>Joint CSA:<br>[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a>)<br>CCCS Alert:<br>[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) |
| [CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | Microsoft | Remote Desktop Services | [Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708>) | |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix | ADC and Gateway version 13.0 all supported builds before 13.0.47.24<br>NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12<br>SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b | [CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance>) | Joint CSAs:<br>[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a>)<br>[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a>)<br>CCCS Alert:<br>[Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0>) |
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | F5 | BIG-IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5 | [K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254>) | CISA Alert:<br>[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a>) |
| [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Microsoft | Windows Server, Multiple Versions | [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) | ACSC Advisory:<br>[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)<br>Joint CSA:<br>[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a>)<br>CCCS Alert:<br>[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472>) |
| [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) | Oracle | WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | [Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>) | |
| [CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883>) | Oracle | WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | [Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>) | |
| [CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>) | SonicWALL | SSLVPN SMA100, Build Version 10.x | [Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001>) | |
| [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>) | CISA Alert:<br>[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) |
| [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | CISA Alert:<br>[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) |
| [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>) | CISA Alert:<br>[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) |
| [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) | Microsoft | Multiple Products | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>) | CISA Alert:<br>[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) |
| [CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021>) | SonicWALL | Email Security version 10.0.9.x | [SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007>) | |
| [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) | CISA Alert:<br>[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities>)<br>ACSC Alert:<br>[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia>) |
| [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) | Atlassian | Confluence Server and Data Center, versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 | [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) | CISA Alert:<br>[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>)<br>ACSC Alert:<br>[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence>) |
| [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) | Joint CSA:<br>[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a>) |
| [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) | Microsoft | Microsoft Exchange Server 2013 Cumulative Update 23<br>Microsoft Exchange Server 2016 Cumulative Updates 19 and 20<br>Microsoft Exchange Server 2019 Cumulative Updates 8 and 9 | [Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>) | CISA Alert:<br>[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities>) |
| [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | Jira Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 | [Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>) | CISA Alert:<br>[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center>) |
| [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) | Zoho ManageEngine Corp. | ManageEngine ADSelfService Plus builds up to 6113 | [Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>) | ACSC Alert:<br>[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors>) |
| [CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438>) | Apache | HTTP Server 2.4.48 | | |
| [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>) | Apache | Apache HTTP Server 2.4.49 | [Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html>) | |
| [CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>) | Apache | Apache HTTP Server 2.4.50 | [Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html>) | |
| [CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>) | SonicWall | SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv | [SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) | ACSC Alert:<br>[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)<br>CCCS Alert:<br>[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4>) |
| [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) | Apache | Log4j, all versions from 2.0-beta9 to 2.14.1<br>[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>) | [Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>)<br>For additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a>) | CISA webpage:<br>[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)<br>CCCS Alert:<br>[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability>)<br>ACSC Advisory:<br>[2021-007: Log4j vulnerability – advice and mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations>)<br>ACSC Publication:<br>[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know>) |
| [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>) | Apache | Log4j 2.15.0 | [Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>) | |
| [CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475>) | Fortinet | FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier, and<br>FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier | [FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398>) | |
| [CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682>) | Zimbra | Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) | [Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30>) | |
| [CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536>) | SAP | NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM) | [Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/>) | CISA Alert:<br>[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) |
| [CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963>) | VMware Tanzu | Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions | [CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963>) | |
| [CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954>) | VMware | Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0<br>Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3<br>vRealize Automation (vIDM), 8.x, 7.6<br>VMware Cloud Foundation (vIDM), 4.x<br>vRealize Suite Lifecycle Manager (vIDM), 8.x | [VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) | |
| [CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960>) | VMware | Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0<br>Identity Manager (vIDM) and vRealize Automation 3.3.6, 3.3.5, 3.3.4, 3.3.3<br>vRealize Automation (vIDM), 8.x, 7.6<br>VMware Cloud Foundation (vIDM), 4.x<br>VMware Cloud Foundation (vRA), 3.x<br>vRealize Suite Lifecycle Manager (vIDM), 8.x | [VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) | |
| [CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464>) | WSO2 | WSO2 API Manager 2.2.0 and above through 4.0.0<br>WSO2 Identity Server 5.2.0 and above through 5.11.0<br>WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0<br>WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0<br>WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0 | [WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces>) | |
| [CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924>) | Zimbra | Zimbra Collaboration Suite, 8.8.15 and 9.0 | [Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes>) | |
| [CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388>) | F5 Networks | F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions | [K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346>) | Joint CSA:<br>[Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a>) |
| [CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190>) | Microsoft | Exchange Server, Multiple
Versions\n\n| | \n\nCISA Alert:\n\n[Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> \"Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> \"Windows Client Server Run-time Subsystem \\(CSRSS\\) Elevation of Privilege Vulnerability\" )\n\n| \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nCertain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage\n\n| \n\n[DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> \"DeadBolt Ransomware\" )\n\n| \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> \"Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.\" ) \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| 
\n\nFortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0\n\n| \n\n[FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> \"FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface\" )\n\n| \n", "published": "2023-08-03T12:00:00", "modified": "2023-08-03T12:00:00", "epss": [{"cve": "CVE-2017-0199", "epss": 0.97421, "percentile": 0.9992, "modified": "2023-12-06"}, {"cve": "CVE-2017-11882", "epss": 0.97422, "percentile": 0.9992, "modified": "2023-12-06"}, {"cve": "CVE-2018-13379", "epss": 0.97257, "percentile": 0.99813, "modified": "2023-12-06"}, {"cve": "CVE-2019-0708", "epss": 0.97496, "percentile": 0.99975, "modified": "2023-12-06"}, {"cve": "CVE-2019-11510", "epss": 0.97278, "percentile": 0.99829, "modified": "2023-12-06"}, {"cve": "CVE-2019-19781", "epss": 0.97507, "percentile": 0.9998, "modified": "2023-12-06"}, {"cve": "CVE-2020-1472", "epss": 0.97445, "percentile": 0.99943, "modified": "2023-12-06"}, {"cve": "CVE-2020-14882", "epss": 0.97402, "percentile": 0.99907, "modified": "2023-12-06"}, {"cve": "CVE-2020-14883", "epss": 0.9727, "percentile": 0.99822, "modified": "2023-12-06"}, {"cve": "CVE-2020-5902", "epss": 0.97555, "percentile": 0.99996, "modified": "2023-12-06"}, {"cve": "CVE-2021-20016", "epss": 0.01935, "percentile": 0.87313, "modified": "2023-12-06"}, {"cve": "CVE-2021-20021", "epss": 0.0089, "percentile": 0.80719, "modified": "2023-12-06"}, {"cve": "CVE-2021-20038", "epss": 0.95635, "percentile": 0.99244, "modified": "2023-12-06"}, {"cve": "CVE-2021-26084", "epss": 0.9723, "percentile": 0.99797, "modified": "2023-12-06"}, {"cve": "CVE-2021-26855", "epss": 0.9753, "percentile": 0.99989, "modified": "2023-12-06"}, {"cve": "CVE-2021-26857", "epss": 0.66369, "percentile": 0.97605, "modified": "2023-12-06"}, {"cve": 
"CVE-2021-26858", "epss": 0.55537, "percentile": 0.97336, "modified": "2023-12-06"}, {"cve": "CVE-2021-27065", "epss": 0.96937, "percentile": 0.99656, "modified": "2023-12-06"}, {"cve": "CVE-2021-31207", "epss": 0.94849, "percentile": 0.99081, "modified": "2023-12-06"}, {"cve": "CVE-2021-34473", "epss": 0.97344, "percentile": 0.99872, "modified": "2023-12-06"}, {"cve": "CVE-2021-34523", "epss": 0.97279, "percentile": 0.9983, "modified": "2023-12-06"}, {"cve": "CVE-2021-40438", "epss": 0.97178, "percentile": 0.99764, "modified": "2023-12-06"}, {"cve": "CVE-2021-40539", "epss": 0.97412, "percentile": 0.99914, "modified": "2023-12-06"}, {"cve": "CVE-2021-41773", "epss": 0.97424, "percentile": 0.99924, "modified": "2023-12-06"}, {"cve": "CVE-2021-42013", "epss": 0.9734, "percentile": 0.99867, "modified": "2023-12-06"}, {"cve": "CVE-2021-44228", "epss": 0.97454, "percentile": 0.99949, "modified": "2023-12-06"}, {"cve": "CVE-2021-45046", "epss": 0.97409, "percentile": 0.99913, "modified": "2023-12-06"}, {"cve": "CVE-2022-1388", "epss": 0.97355, "percentile": 0.99877, "modified": "2023-12-06"}, {"cve": "CVE-2022-22047", "epss": 0.00062, "percentile": 0.24738, "modified": "2023-12-06"}, {"cve": "CVE-2022-22536", "epss": 0.95701, "percentile": 0.99259, "modified": "2023-12-06"}, {"cve": "CVE-2022-22954", "epss": 0.97361, "percentile": 0.9988, "modified": "2023-12-06"}, {"cve": "CVE-2022-22960", "epss": 0.00078, "percentile": 0.32203, "modified": "2023-12-06"}, {"cve": "CVE-2022-22963", "epss": 0.97523, "percentile": 0.99988, "modified": "2023-12-06"}, {"cve": "CVE-2022-24682", "epss": 0.01933, "percentile": 0.87303, "modified": "2023-12-06"}, {"cve": "CVE-2022-26134", "epss": 0.97519, "percentile": 0.99984, "modified": "2023-12-06"}, {"cve": "CVE-2022-27593", "epss": 0.44245, "percentile": 0.97012, "modified": "2023-12-06"}, {"cve": "CVE-2022-27924", "epss": 0.09665, "percentile": 0.94189, "modified": "2023-12-06"}, {"cve": "CVE-2022-29464", "epss": 0.97364, "percentile": 
0.99883, "modified": "2023-12-06"}, {"cve": "CVE-2022-30190", "epss": 0.973, "percentile": 0.99846, "modified": "2023-12-06"}, {"cve": "CVE-2022-40684", "epss": 0.95639, "percentile": 0.99245, "modified": "2023-12-06"}, {"cve": "CVE-2022-41082", "epss": 0.96949, "percentile": 0.99659, "modified": "2023-12-06"}, {"cve": "CVE-2022-42475", "epss": 0.38376, "percentile": 0.9685, "modified": "2023-12-06"}, {"cve": "CVE-2023-26360", "epss": 0.91394, "percentile": 0.98598, "modified": "2023-11-08"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a&title=2022%20Top%20Routinely%20Exploited%20Vulnerabilities", "https://twitter.com/intent/tweet?text=2022%20Top%20Routinely%20Exploited%20Vulnerabilities+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", 
"https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "mailto:?subject=2022%20Top%20Routinely%20Exploited%20Vulnerabilities&body=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default", "https://csrc.nist.gov/publications/detail/sp/800-218/final", "https://nvd.nist.gov/vuln/detail/CVE-2018-13379", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a", "https://nvd.nist.gov/vuln/detail/CVE-2021-34473", "https://nvd.nist.gov/vuln/detail/CVE-2021-31207", "https://nvd.nist.gov/vuln/detail/CVE-2021-34523", "https://nvd.nist.gov/vuln/detail/CVE-2021-40539", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a", "https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF", "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance", "https://nvd.nist.gov/vuln/detail/CVE-2022-22954", "https://nvd.nist.gov/vuln/detail/CVE-2022-22960", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b", "https://nvd.nist.gov/vuln/detail/CVE-2022-1388", "https://nvd.nist.gov/vuln/detail/CVE-2022-30190", "https://nvd.nist.gov/vuln/detail/CVE-2022-26134", "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://nvd.nist.gov/vuln/detail/CVE-2018-13379", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-34473", "https://cwe.mitre.org/data/definitions/918.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-31207", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-34523", "https://cwe.mitre.org/data/definitions/287.html", 
"https://nvd.nist.gov/vuln/detail/CVE-2021-40539", "https://cwe.mitre.org/data/definitions/287.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://cwe.mitre.org/data/definitions/74.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://cwe.mitre.org/data/definitions/917.html", "https://cwe.mitre.org/data/definitions/20.html", "https://cwe.mitre.org/data/definitions/400.html", "https://cwe.mitre.org/data/definitions/502.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22954", "https://cwe.mitre.org/data/definitions/94.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22960", "https://cwe.mitre.org/data/definitions/269.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-1388", "https://cwe.mitre.org/data/definitions/306.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-30190", "https://nvd.nist.gov/vuln/detail/CVE-2022-26134", "https://cwe.mitre.org/data/definitions/74.html", "https://nvd.nist.gov/vuln/detail/CVE-2017-0199", "https://nvd.nist.gov/vuln/detail/CVE-2017-11882", "https://cwe.mitre.org/data/definitions/119.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-11510", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-0708", "https://cwe.mitre.org/data/definitions/416.html", "https://nvd.nist.gov/vuln/detail/CVE-2019-19781", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-5902", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472", "https://cwe.mitre.org/data/definitions/330.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-14882", "https://nvd.nist.gov/vuln/detail/CVE-2020-14883", "https://nvd.nist.gov/vuln/detail/CVE-2021-20016", "https://cwe.mitre.org/data/definitions/89.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-26855", "https://cwe.mitre.org/data/definitions/918.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-27065", "https://cwe.mitre.org/data/definitions/22.html", 
"https://nvd.nist.gov/vuln/detail/CVE-2021-26858", "https://nvd.nist.gov/vuln/detail/CVE-2021-26857", "https://cwe.mitre.org/data/definitions/502.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-20021", "https://cwe.mitre.org/data/definitions/269.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-40438", "https://cwe.mitre.org/data/definitions/918.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-42013", "https://cwe.mitre.org/data/definitions/22.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-20038", "https://cwe.mitre.org/data/definitions/787.html", "http://cwe.mitre.org/data/definitions/121.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "https://cwe.mitre.org/data/definitions/917.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-42475", "https://cwe.mitre.org/data/definitions/787.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-24682", "https://cwe.mitre.org/data/definitions/79.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22536", "https://cwe.mitre.org/data/definitions/444.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22963", "https://cwe.mitre.org/data/definitions/94.html", "https://cwe.mitre.org/data/definitions/917.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-29464", "https://cwe.mitre.org/data/definitions/434.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-27924", "https://cwe.mitre.org/data/definitions/74.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22047", "https://cwe.mitre.org/data/definitions/269.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-27593", "https://cwe.mitre.org/data/definitions/610.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-41082", "https://nvd.nist.gov/vuln/detail/CVE-2022-40684", "https://cwe.mitre.org/data/definitions/306.html", "https://csrc.nist.gov/publications/detail/sp/800-218/final", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", 
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", "https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf", "https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default", "https://www.cisa.gov/cross-sector-cybersecurity-performance-goals", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider", "https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication", "https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a", "https://www.cisa.gov/uscert/ncas/alerts/aa21-209a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a", "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model", "https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management", "https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance", "https://nvd.nist.gov/vuln/detail/CVE-2017-0199", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199", "https://nvd.nist.gov/vuln/detail/CVE-2017-11882", 
"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882", "https://nvd.nist.gov/vuln/detail/CVE-2018-13379", "https://www.fortiguard.com/psirt/FG-IR-20-233", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "https://nvd.nist.gov/vuln/detail/CVE-2019-11510", "https://forums.ivanti.com/s/article/SA44101?language=en_US", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi", "https://nvd.nist.gov/vuln/detail/CVE-2019-0708", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708", "https://nvd.nist.gov/vuln/detail/CVE-2019-19781", "https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0", "https://nvd.nist.gov/vuln/detail/CVE-2020-5902", "https://my.f5.com/manage/s/article/K52145254", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472", "https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472", 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472", "https://nvd.nist.gov/vuln/detail/CVE-2020-14882", "https://www.oracle.com/security-alerts/cpuoct2020traditional.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-14883", "https://www.oracle.com/security-alerts/cpuoct2020traditional.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-20016", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001", "https://nvd.nist.gov/vuln/detail/CVE-2021-26855", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a", "https://nvd.nist.gov/vuln/detail/CVE-2021-26857", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a", "https://nvd.nist.gov/vuln/detail/CVE-2021-26858", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a", "https://nvd.nist.gov/vuln/detail/CVE-2021-27065", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a", "https://nvd.nist.gov/vuln/detail/CVE-2021-20021", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007", "https://nvd.nist.gov/vuln/detail/CVE-2021-31207", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207", "https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities", "https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia", "https://nvd.nist.gov/vuln/detail/CVE-2022-26134", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", 
"https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence", "https://nvd.nist.gov/vuln/detail/CVE-2021-34473", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "https://nvd.nist.gov/vuln/detail/CVE-2021-34523", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523", "https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities", "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://jira.atlassian.com/browse/CONFSERVER-67940", "https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center", "https://nvd.nist.gov/vuln/detail/CVE-2021-40539", "https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html", "https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors", "https://nvd.nist.gov/vuln/detail/CVE-2021-40438", "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", "https://httpd.apache.org/security/vulnerabilities_24.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-42013", "https://httpd.apache.org/security/vulnerabilities_24.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-20038", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026", "https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances", "https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://github.com/cisagov/log4j-affected-db", "https://logging.apache.org/log4j/2.x/security.html", 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a", "https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance", "https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability", "https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations", "https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know", "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "https://logging.apache.org/log4j/2.x/security.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-42475", "https://www.fortiguard.com/psirt/FG-IR-22-398", "https://nvd.nist.gov/vuln/detail/CVE-2022-24682", "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30", "https://nvd.nist.gov/vuln/detail/CVE-2022-22536", "https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/", "https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing", "https://nvd.nist.gov/vuln/detail/CVE-2022-22963", "https://spring.io/security/cve-2022-22963", "https://nvd.nist.gov/vuln/detail/CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-22960", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-29464", "https://wso2docs.atlassian.net/wiki/spaces", "https://nvd.nist.gov/vuln/detail/CVE-2022-27924", "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes", "https://nvd.nist.gov/vuln/detail/CVE-2022-1388", "https://my.f5.com/manage/s/article/K23605346", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a", "https://nvd.nist.gov/vuln/detail/CVE-2022-30190", 
"https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability", "https://nvd.nist.gov/vuln/detail/CVE-2022-22047", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047", "https://nvd.nist.gov/vuln/detail/CVE-2022-27593", "https://www.qnap.com/en/security-advisory/qsa-22-24", "https://nvd.nist.gov/vuln/detail/CVE-2022-41082", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082", "https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange", "https://nvd.nist.gov/vuln/detail/CVE-2022-40684", "https://www.fortiguard.com/psirt/FG-IR-22-377", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "https://www.facebook.com/CISA", "https://twitter.com/CISAgov", "https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency", "https://www.youtube.com/@cisagov", "https://www.instagram.com/cisagov", "https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-13379", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-5902", "CVE-2021-20016", "CVE-2021-20021", "CVE-2021-20038", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40438", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44228", "CVE-2021-45046", "CVE-2022-1388", "CVE-2022-22047", "CVE-2022-22536", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22963", "CVE-2022-24682", "CVE-2022-26134", "CVE-2022-27593", "CVE-2022-27924", 
"6D33E1F2-A0E0-5F7C-B559-054EDA21AB58", "6D79D6F9-CC56-5F97-B1DD-2CDEE0AEC608", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6E104766-2F7A-5A0A-A24B-61D9B52AD4EE", "6E208382-5651-5649-B6C1-F9EF3A08EA81", "6E484197-456B-55DF-8D51-C2BB4925F45C", "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "6E5C078B-B2FA-520B-964A-D7055FD4EB0A", "6E70CDA8-57F7-5737-80B5-84D8D2254D9D", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70407390-C149-54F1-89B0-7611FB420601", "70582B5B-E1E6-5767-94A6-39740A96A052", "705BFDF7-98C8-5300-AB18-E9EEE465AE5F", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "70EDCB3B-9053-5056-980C-AC3123913F04", "71065DAD-91FD-5CFB-9F35-CA3E1837FF2C", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "7191AA24-D888-57E0-8B35-41D35E255E6F", "71D52D12-0E56-5638-8E74-60EE2F8E569D", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "71E27C48-EAFE-5FC0-98A4-BE7276D47449", "721C46F4-C390-5D23-B358-3D4B22959428", "72294700-E478-5397-A47A-6098D06CA60A", "723B41AF-E5A8-5571-BA74-FA8924B88606", "7248BA4C-3FE5-5529-9E4C-C91E241E8AA0", "7275794A-F2F6-51E6-B514-185E494D8A3F", "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "7395180E-85B1-5253-9975-F93BE4693139", "73D3FF42-50ED-5AA6-BE08-B8A26D20593A", "743571E7-B8EE-5E77-B047-E2E001379ACE", "749152E5-6FF0-5E06-BEB2-100BFBE42823", "749F952B-3ACF-56B2-809D-D66E756BE839", "74A4D09D-9483-5842-A44A-9DA17D085AF5", "74AB19DC-78DE-56B8-8EB3-DBFA48B17AD5", "74F3783A-C87E-56C3-91DB-25921D7EC82E", "75180259-16B4-5B60-9913-BFC9A306560A", "75389328-1B05-5056-B8C0-C624BF0343AD", "75876A50-BD9B-5991-9E42-7A343A97C890", "75BE41BF-9117-5065-8E2C-3F7F041E53AA", "75C1CD91-459D-5E2F-A3AC-FB4FE66230F7", "75F44E16-D76D-596E-A23F-1F440DA58219", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "76A2C7A3-74C3-5ACA-9A55-3FB977E40B38", 
"76BEF355-6500-5375-ABB3-A0557EB1CDD8", "76E0FADE-7C73-5233-921E-B1D178C65B49", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F0B9E8-D173-5309-9826-5880F8B35043", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77197575-9978-5136-A83D-F5FF790F2F34", "7758268F-2004-536A-B51F-62DA1E5A992D", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77916E79-E02E-5614-8FE7-E108D8A8A7E5", "77A82210-BA24-58B5-8539-C0177DA9E1FB", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78787F63-0356-51EC-B32A-B9BD114431C3", "788F7DF8-01F3-5D13-9B3E-E4AA692153E6", "7899779A-3EFB-5F5A-A490-9D1DEB77503A", "789B6112-E84C-566E-89A7-82CC108EFCD9", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "796BB1A4-EF64-57CA-862E-996A72F2FBE5", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "798FA73D-8AE9-55E5-9D2F-4CC9D9477DD9", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "79D8EEA6-4961-57CD-99C7-A3404C0B5307", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7BE60530-0495-5366-846A-73B1A778DBDA", "7C40F14D-44E4-5155-95CF-40899776329C", "7C531491-7EB6-51AA-9072-F345BDB61AFD", "7C80631A-74CB-54F0-BC26-01EEF7D52760", "7D04F2C9-F17B-502A-BBE9-9B5CA537E468", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7D82EDFA-5384-53C5-96AD-A99E88471129", "7D874F81-FBEE-512F-B206-D7CED2BA80B0", "7EA5501E-29E8-5542-869F-EE5E061312E6", "7F4F3321-8955-51B4-B195-7C1F647A6C84", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "7F937E02-A1B2-5F78-B140-90BC298729D4", "7FAB36AD-345E-5C1B-B259-20BF0E7DE97A", "8005DDB7-67F0-50C1-95AC-3D602A70CEC8", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "81008F39-5622-5A06-95F5-737A63D240D0", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", 
"81FEB23C-D090-5CE8-9B92-00BE597DE052", "82AB8274-DF0B-58B4-8C3C-3CE19E21A0C3", "836286BB-CB4B-54F2-BC4E-30AB85C613C5", "838999A6-1C7A-5ED2-BB58-2AF8B4A3981A", "83B145E2-F995-5B1C-863E-164839ED1173", "83D9790E-4EFF-56E8-9460-1613A5032A68", "84344B5F-D0D1-5F17-B938-9A8849618A51", "84D5F04A-0DDB-5788-8759-DA99D303B756", "84FC95F2-00DB-57F5-A2B1-DE1C4D9C77E1", "8516D742-8A1C-521C-8372-26BA9FBA2200", "851959DE-3B5C-5317-868E-5D80E801E3B0", "859F1E96-558A-5D4B-8759-8AA74395E276", "85BF1C0C-52A1-5413-8D04-253B6AC0B7CA", "86360765-0B1A-5D73-A805-BAE8F1B5D16D", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "87179042-CF32-5495-87D0-B916B42259D2", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "88373793-9076-5F05-BDBB-635A7E1BD897", "88E567D7-E197-549F-AE13-65809E68DBB3", "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "89732403-A14E-5A5D-B659-DD4830410847", "8A14FEAD-A401-5B54-84EB-2059841AD1DD", "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "8A77E3B6-D786-5618-ACC4-555A5D85D5D5", "8AB79327-A57A-5D2D-830F-F7DAA97B76AA", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2", "8B05331D-0032-53DB-82B1-6A714024CA87", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8BAEEC14-CD55-5C55-A910-47030BEA55F7", "8CBB7F58-891D-5105-B269-029C59A9C3C9", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8D79D09C-1FB6-5C99-89C0-D839A4817791", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F0E3026-9DF1-5AA8-BECC-3F72A7A143C2", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8F6AEAF4-2161-55F7-96CB-003251BDC309", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "8FB9E7A8-9A5B-5D87-9A44-AE4A1A92213D", "8FDF5020-8C7F-5695-ADD0-58100BD21FFF", 
"900648E6-9E3A-5883-8D16-DC10AD3DCF6F", "91380AB1-864A-5C58-B9BE-88541D8E0911", "91C28663-6C3C-5E4F-B609-44E5804E4A83", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "9267A549-88B1-5288-8C2B-C4BCAD621D57", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "92B6BB94-CA85-576F-96D4-94E149EE1FC3", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "931DCD2F-FC40-5BD3-B714-6045BAAD1857", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "9399434D-8130-5A79-B58B-3D8A0DAD6821", "939F3BE7-AF69-5351-BD56-12412FA184C5", "93F2F758-FE27-5C30-9473-F26AD9210871", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "95C17878-3493-5938-9D11-1C33940763BA", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "979EA51E-E85A-5272-9311-AE6B0A2F756D", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "987C6FDB-3E70-5FF5-AB5B-D50065D27594", "988A0BAB-669A-57AE-B432-564B2E378252", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "9905FF79-0EE2-5313-9486-DA71B70A3D88", "9945D2DB-9314-5400-8C2B-94D4BD603DD9", "9973FA3C-C964-5036-934F-A49BFE7BC4EE", "998F5B8B-817B-5B22-BEBB-11F0DC59638F", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "99C96AE6-0799-5308-B336-961D1EE8E2B4", "9A0A7E66-6C4F-56E6-8F29-1DCE34FA1D12", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "9AEDE16C-FF28-5178-A8D1-CB6649E9ED56", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5", "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "9C874FAC-8640-5978-8C60-AF6528E5DF60", "9C9BD402-511C-597D-9864-647131FE6647", "9CB70E27-04CC-50BC-9F3E-2907ABA654EA", "9CEA663C-6236-5F45-B207-A873B971F988", 
"9D170C46-A745-5692-BA84-67EBFEA037FF", "9D511461-7D24-5402-8E2A-58364D6E758F", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DA6E85F-7AF2-5EE3-BF5C-A430C8DA3C4D", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9E82678F-0559-56B2-94DC-6505FE64555C", "9EE3F7E3-70E6-503E-9929-67FE3F3735A2", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FAEDEC8-43AD-592A-A17C-BAF6F67FBF44", "9FE15986-BAC9-5740-8189-23E26F8399D5", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A085342C-7F7C-5CBA-A424-89E5B1046F48", "A160DC38-C6E4-5C85-9F98-4BC04D80FCD9", "A18E64F5-B04B-5669-8382-3A4A50D8EE49", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A1FEA8E3-60B5-5828-A65B-98AA56545D78", "A1FF76C0-CF98-5704-AEE4-DF6F1E434FA3", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "A35BD9D8-6888-5724-BF89-A3A7D384D280", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "A423A009-0EEA-569D-AFFE-89EC01F7CDF7", "A4440EF1-5891-5FCD-BA92-DD2B6E54C7F0", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A4A3F324-E3F8-5601-A653-3BFEBF5A4F46", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "A6753173-D2DC-54CC-A5C4-0751E61F0343", "A74FC70F-51E2-5B48-AC8B-D73376E8A78F", "A78746B7-318B-5981-A2EB-2D5BA5C26514", "A839FA86-0873-592C-AA31-2C445B4C4F29", "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "A8AC5191-F5B7-5FE5-8702-B85CC7107869", "A8BE443F-B43C-5460-9DBF-0E7C65078EF2", "A9A21055-01FA-5B3E-84B3-E294A9641418", "A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F", "AA7339B7-CAB1-5DEA-8E7C-5867B328A25F", "AB5B35BD-2A55-5B27-A126-0CF1A7E7B145", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "ACAC9B6E-BDD1-5135-A697-7AD5ECCEF896", "ACB6C453-F1D5-5A65-91C2-DF455B997075", 
"ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "AD1045B7-6DFA-557C-81B2-18F96F0F68A2", "AE03C974-B00F-5DF7-B2AF-77D6E46CD5FD", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AE4BD3D3-726F-5F95-8DB4-6630F922B00F", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "AFDDFBE2-17E6-5231-9333-FAD2E18813C5", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B139A751-2E67-52F2-B040-B17D8D6D33A0", "B16D26DB-D60C-5C0C-9452-80112720B442", "B1A370E0-71BC-5397-83F3-3344BCDCE170", "B208F2B7-D166-5757-A090-CC1A91C9D376", "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B2474BAA-4133-5059-8F0B-5BAAE9664466", "B3146F3C-4919-564B-8B1E-752FCA30B8D9", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B38FDF75-522A-5254-9A3F-92C0D7B8CC99", "B3DCB90F-80B1-5462-AC61-AF04513F2F3A", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "B3FAEE67-7743-52ED-89D0-D83BAEA1A38D", "B417316F-A794-5234-BC9E-475C438FC35C", "B4483895-BA86-5CFB-84F3-7C06411B5175", "B47171B0-339A-582E-8AAC-3B18373664B7", "B49D93D1-E77A-5CAA-8DAC-BC353782D5A7", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B53D7077-1A2B-5640-9581-0196F6138301", "B58E6202-6D04-5CB0-8529-59713C0E13B8", "B596B144-65DB-5863-8244-67AEE883C50E", "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B6C642BC-915E-52EA-80B0-BC40EDC884CC", "B7BBFC8B-4851-57E6-89F3-B1C0AA7D39A4", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "B8198D62-F9C8-5E03-A301-9A3580070B4C", "B81BC21D-818E-5B33-96D7-062C14102874", "B8347185-A0AD-5C98-B2DB-599D8BE5EF53", "B8464218-31FA-569A-AC74-26B347DEC285", "B8601FE7-3E95-5AD7-8C4E-05FAB57FBB6D", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9151905-5395-5622-B789-E16B88F30C71", "B93106B2-ED20-51A2-9782-7C89A1CFE926", "B946B2A1-2914-537A-BF26-94B48FC501B3", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", 
"B9A69678-D96F-528D-B436-366259B4A283", "BA12D007-F6E5-5BB6-874F-789DCAE9524E", "BA1B8A32-DE69-5E8F-BE8B-23C0A4E48A03", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BA9FEAFF-DC39-53B5-B03D-8A01486E0879", "BAA0F684-952E-5B9E-B207-0419A33AC53B", "BADF55AF-60C5-5E33-BC19-5DC25FB9E196", "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BC027F41-02AD-5D71-A452-4DD62B0F1EE1", "BC3F41CB-4333-5CCE-85A9-7064DAA6019A", "BC6A00C7-AE9A-533B-87DE-DD27240A818C", "BC7AA745-CDB6-554E-B6CC-A50E97B7ECE5", "BCE44917-6A5A-5482-8773-B2FA0DE70F3B", "BD07E529-B3E2-5CB8-ACD4-AD7DAD69AFBD", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BD7F2851-5090-5010-8C27-4B3CCF48ADE1", "BDA05DEA-0BAD-5658-8E86-03A154FED355", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BE88205A-26D3-5EFE-B8CC-828EE7E33C86", "BE90B1DD-521D-540C-8554-5454779256A5", "BEC31AE7-B839-564C-9541-59368931D558", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "BFA4DC64-759A-5113-842C-923C98D12B44", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "BFE641BE-701F-5AE0-A891-975C96EFFAF6", "C0380E16-C468-5540-A427-7FE34E7CF36B", "C068A003-5258-51DC-A3C0-786638A1B69C", "C06AD447-C872-5647-832E-D9E87DF0561A", "C0A0F6D6-A203-5F8D-819A-40B5B23B0223", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C26A395B-9695-59E4-908F-866A561936E9", "C27DDA07-4A5E-56D3-9950-FD5025E1B777", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C39D4BF6-5B98-5653-AA56-8DC5F53FEDA7", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", 
"C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C3F26791-EFA4-5899-9702-ACF5F8B70344", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C4A313B8-6946-51D9-A5C4-EF515BAC47C9", "C50B5DBC-9051-5380-B5B3-93A023128F22", "C510D823-26C6-5BF9-B30F-5CDF456F72A6", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C60B1B73-A009-5CE1-9D6C-3B66270812FD", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C641C472-7F12-5C7B-9934-BE59C8B1974B", "C6493FD0-579F-593F-A1E9-A44793F70419", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C7725591-3B9A-58D3-9191-5325187E1B5E", "C772DCBB-20D0-51DD-A580-F96689E65773", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7D1BCF0-3132-5507-B00B-E1843808D5B0", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "C807D3D7-EF10-5C00-8252-C9F4B2A7F1F3", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "C8799CA3-C88C-5B39-B291-2895BE0D9133", "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "C87EF7D4-0E85-54CD-9D5A-381C451E5511", "C89AC173-55D4-50C8-A17E-42EB65710CCB", "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "C9FCD26D-4C04-5F36-8E61-05484E6979D6", "CA13A26D-7A19-511A-B059-BE9AEDA1F2E2", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA34E4C9-BC58-5284-81F7-EC6AC06EC7AF", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB8E07F4-50D7-541D-8B3E-749FACA903E3", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", 
"CC15AE65-B697-525A-AF4B-38B1501CAB49", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CC614155-FD7D-599B-B89C-006B26D76F48", "CD0102AD-F33A-5068-9719-30CB0CB3C152", "CD47935C-F8CB-535E-9535-E95B6AE9A0FC", "CD48BD40-E52A-5A8B-AE27-B57C358BB0EE", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE3963DC-4AF7-5738-83F3-067854F4CE3C", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CE8F28DE-D222-53F8-833A-4D9749BFC24D", "CEC4033D-26C5-5A07-8D86-31A7AF928BDB", "CF04A516-98D7-5899-9E57-390A3171DFA7", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "CF1C1A91-4D20-553C-A027-71BE18F8BAA5", "CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE", "CF52BFD0-FD58-5DEA-AFB4-0C123E79E2C0", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "CFACBEFA-7243-512E-844E-C19B75303CAA", "CFDC15EB-BE4F-5C86-B8B0-C542A791F67D", "D01BC477-0705-586F-B306-8F6B6D7B89FE", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "D07D56B4-40BB-511F-B7EA-EF5B1544D876", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D0E79214-C9E8-52BD-BC24-093970F5F34E", "D10426F3-DF82-5439-AC3E-6CA0A1365A09", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D133D476-887B-53A8-A831-16AFB83B7038", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D1A30248-63E3-5F72-9EDD-1779A6F23FA7", "D1B3FEF9-9547-51C2-B6FC-92642E47B144", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D20389A4-F885-5B7E-B438-63820C721AD3", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D22CFFB0-30A6-5227-8048-C9C028070BD3", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D2A01405-1B4C-5B8D-85AC-D1E23D1F3B56", "D2CE9456-EDAA-59FB-AD0F-78E18BE9A0D0", "D30073F4-9BB7-54D9-A5F6-DCCA5A005D4D", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "D4308421-E113-5104-8D37-4FB75AE2D7DC", "D4572C36-FAE8-5802-9B48-CF143220B909", "D4D3FB69-1A42-5FCE-BE50-5A025172F9CF", "D4DF3FFF-4FBA-5ADB-88FC-A7E1BED572B9", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6710F36-D7F3-57EA-BD83-CED78FC054F6", 
"D6A3D7A1-BA12-5C2E-BFC3-83078CF2F89B", "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "D6B062D5-F610-54D9-8FD2-EFE6E9D2F8BD", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "D71757FD-E7A3-525B-8B2B-FB1D6DC37D11", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D7AB3F4A-8E41-5E5B-B987-99AFB571FE9C", "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "D7EF2A21-5BA9-5730-90E0-E085DDFD2801", "D7FAABC0-C6C7-55D7-B5DB-C0585EB16921", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "D8B68D98-BBF3-5A69-82DD-C0760C9923D4", "D8BEFAC3-BA4E-5E7E-8553-B512E126AD53", "D8F56B26-C194-5CA0-83FB-D59BC7014E35", "D959F04C-CDEC-5F39-9F51-BE3EC7B28341", "D9DFB9E2-6839-5388-8C1B-4AC50F2A5660", "D9F6E4B0-AC2C-5A70-B795-360757BE02D2", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DAF7B187-3A0C-543D-BE33-E65468E5890A", "DB6F697E-55A0-538F-A15B-E61B8B4E4D70", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DBF996C3-DC2A-5859-B767-6B2FC38F2185", "DC044D23-6D59-5326-AB78-94633F024A74", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DC8A29A1-755A-50C2-9D9D-FF11FCB054F2", "DD36D028-7FB1-5824-9756-09BA3927DCEE", "DD91FE12-6083-55DD-BD86-5F82A339F7BA", "DDAC4C84-E26E-5729-B325-4ED0A6FF550D", "DE558F67-26A7-5F03-AD15-C2087B81E69F", "DE88B6AE-5D54-5B49-A097-57038C720463", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DF00B503-1F21-5ABD-B713-1F79E4D1CB9A", "DF09D079-36D0-5894-9BE2-C3AD60618E67", "DF35E634-51B1-5A30-AB0B-8518E3754609", "DF57E8F1-FE21-5EB9-8FC7-5F2EA267B09D", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E00EE482-CF1E-5781-9A57-928FFA18D762", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E07F3BF4-D40A-54D4-91F2-89A8DA7608C2", 
"E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E202B1B4-334D-58B7-8078-798D4522D495", "E20FBA3D-3078-5C58-B5AE-2BF3900E0DD4", "E22A392B-5D30-51F4-92ED-8E10BA7EE8D2", "E2690F56-34D9-5735-A733-8193CE2B6DBE", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E2C6B714-1F75-5584-B0B3-280C3B36C014", "E34732DA-6DCA-54FF-8A7A-C1CCE3D1B1DE", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E4103A50-881C-52BB-86CC-27F549B798E9", "E431282E-5250-58B8-B692-7D184D2EFF7E", "E4395A48-164E-527F-8B5B-1A44D3F379B6", "E4491698-477C-599A-A65D-EBA7441764E9", "E458F533-4B97-51A1-897B-1AF58218F2BF", "E46AAFC9-276F-5161-B013-393D9A538259", "E479356B-3D07-5131-8A34-4C6FD67776AB", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E51E8D61-BAA6-5098-9EEE-50DD18427F87", "E5280802-AB3D-5E96-83E0-97F22FB9EACA", "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E5B0F794-87CD-5152-9D64-3AB23AF5C3EF", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6B39247-8016-5007-B505-699F05FCA1B5", "E6B6EDFD-3B78-58CA-B507-093047F89BB1", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E7177DCC-97D5-5A91-8A06-124DD3CB9739", "E72D9129-EEED-5E3C-9CD8-9BD6201170C0", "E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6", "E7B177F6-FA62-52FE-A108-4B8FC8112B7F", "E7B26D35-BAFD-51CB-BFAC-CA7E5EA5FA9A", "E7FB27A1-5ECC-5541-BE31-7ABC656DFACA", "E8033F3F-24AB-5402-AEA7-5583EDDC76C9", "E8075733-690E-5B6E-984C-80D074BC5EFF", "E81474F6-6DDC-5FC2-828A-812A8815E3B4", "E8AD52BD-4EE5-5E85-91FE-66A868E0162B", "E917FE93-F06C-5F70-915F-A5F48A30B044", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "E9FE319B-26BF-5A75-8C6A-8AE55D7E7615", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA2EA382-C5B7-54EF-8547-EDDD15EA1B85", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", 
"EA906824-9149-507D-893C-87A7FED8998B", "EAAC4837-F284-5060-B5DF-BBA500834281", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EBBB16F4-878A-54E3-9C22-039BD265D2F3", "EBE5222D-43AE-509D-8C28-291E83DF86C5", "EBF17036-7547-54B5-B0D6-B465FE6C9873", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EC7A045E-54CB-5327-8755-53F82B91F56D", "ECD5D758-774C-5488-B782-C8996208B401", "ED1C6DF0-94A0-58D6-B6F0-1034CE61DFCF", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EE2763B9-CDEA-5FAF-91CF-8B6902DD2E56", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "EEEBEAEA-A8C9-5187-A9DA-A04745A62CDF", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "EF4758A5-6970-501E-8926-AEFB5A2C6DA7", "EFBD188C-B769-56F0-AEDB-F2809978A507", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "F12DF8D7-84BD-522E-A6CA-0413FBDFB48F", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2165DE4-7724-559C-A733-DE9F244DA408", "F22160B4-2E80-5B7D-8238-95D7833F6D73", "F2545817-7A3F-52E7-ADC5-B775C0DB8082", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F340F3AE-7288-5EF0-85A3-DAB6576064D5", "F37EDD30-724E-584E-9C9E-9B3E8C4C849C", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F41EE867-4E63-5259-9DF0-745881884D04", "F42BF447-C1A3-5795-8343-D71F096AFF52", "F437A0D1-7913-51F2-9D43-8BC2DE62A636", "F463914D-1B20-54CA-BF87-EA28F3ADE2A3", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", 
"F5339382-9321-5B96-934D-B803353CC9E3", "F57D5951-56B2-586A-AD44-9D83208FF358", "F594470D-2599-5B2E-B317-C9720581C07D", "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "F5B92B0D-E802-5254-8668-D6A4B1DB8004", "F63EAD10-66BD-5AD4-BB46-77371E11031D", "F6A3D0A7-D380-5633-BFA5-3633EEBB6CDF", "F7396B72-9692-5E12-8893-FFE6A091B496", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "F893E602-F8EB-5D23-8ABF-920890DB23A3", "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "F8ECE1BA-CC33-5566-B57C-1AB243A48E28", "F922DD70-E22B-5EBE-9CAE-410224E95831", "F96D1468-D4E5-54F8-A03B-503ABF9BC416", "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "F9EF1801-C66C-572B-B67A-9A67E04D6B06", "FA2E2C3F-6F4C-5B17-ABFC-FC95FA17C474", "FA949466-484D-5DF6-9C55-6A64683AADF1", "FAF36735-05C9-50E1-B458-BA2E15B5EB99", "FB4E2E7D-EBA0-5AD8-A2C0-6EE27D053537", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB757D3A-A896-5AB5-B72B-7C880581D12E", "FB7F5C33-B7F8-5801-82DC-974106DCDC17", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FBB9B577-00A5-5C82-AFC5-4A52422056F3", "FC455648-370A-582B-A03A-6299DDC272F6", "FC661572-B96B-5B2C-B12F-E8D279E189BF", "FC802471-7CE1-5444-80E9-9DB49BA530DD", "FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46", "FCCAAA4B-646B-578D-8CE2-5439E7799C32", "FD364396-D660-5D23-8323-23248A5108C5", "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FD6B81DE-3BFF-5BC7-BD1F-E90103B8FBEF", "FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8", "FDF4BBB1-979C-5320-95EA-9EC7EB064D72", "FE14C1D9-37CA-5446-B354-C8299FC7FAAC", "FE544217-2BB0-5C05-B26C-D14EE378E8A5", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD", "FF2EF58E-53AA-5B60-9EA1-4B5C29647395", "FF4560D1-137A-5C41-90E4-E8EECAB04134", "FF610CB4-801A-5D1D-9AC9-ADFC287C8482", "FFA2D3A3-AFD4-580B-8424-EE4844976B65", "FFBF7B7B-FFD8-5A32-89B0-AAB175FD2AE6", "FFE89CAE-FAA6-5E93-9994-B5F4D0EC2197", "FFF6224F-273A-5CB1-9421-833769E01519"]}, {"type": "googleprojectzero", 
"idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228", "H1:1370731", "H1:1394916", "H1:1400238", "H1:1404731", "H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:1519841", "H1:1537543", "H1:1537694", "H1:1606957", "H1:1624137", "H1:591295", "H1:617543", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hackread", "idList": ["HACKREAD:2EBD89813F12BF96F813DB942560BD69", "HACKREAD:E34C6E8908AE56B0B1176B1237BFDF36"]}, {"type": "hivepro", "idList": ["HIVEPRO:04FABAE2F2B647B3488AA0025301D637", "HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:0B8823CF2C319136EC74B1EBBD7D38BE", "HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:44A900DCE74651738588E170BBCC6312", "HIVEPRO:4FB5DD5F7C41E3797518D866E88BFA8C", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:5EF44DD9474A0410F4E4758ABB19D17A", "HIVEPRO:621DD8CA375634712F01438EF8C1AE13", "HIVEPRO:6551149EE518F9D073E43B5017FE0F24", "HIVEPRO:6B816A83F1272E907442906CCA28A809", "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "HIVEPRO:7FC9DCD27C78F4BFA53C84B6CB04EC19", "HIVEPRO:850B279759C02AA5967698B7B141C8C2", "HIVEPRO:8AB9E397F60C70B7C96C5D3CDA945A77", "HIVEPRO:8D92547900FABA151C6C4CFE3CF5B9A9", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:911A69A767BEAA3AE3152870FD54DF6F", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:9E33ABD5EAFB3204848DAD28367798A9", "HIVEPRO:A2447429328461A02AB00335C0BB3EC2", "HIVEPRO:A72667DE3469446CCB2C0BE35790E287", "HIVEPRO:A9AF072A11E6D314ED458ACFFE3BDFD3", 
"HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:B3F9F66CBDECF3B8E7AADF5951D97F6A", "HIVEPRO:B4C85BEFF3E49468BE44E35CEC3A7DE6", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:B84508E062BD1F35232DF0CC7CDDC761", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:C7B595FEDAF36C429CA05AF1C5C3D818", "HIVEPRO:CA37C8D639BE8660B8996BB5FB4F3C0F", "HIVEPRO:D5E3F04B4C2C9644D7C5DCE9894CF0C6", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E73184FF060DA7208BAF888A5AF221EF", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "HIVEPRO:F2305684A25C735549865536AA4254BF", "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "httpd", "idList": ["HTTPD:1B3D546A8500818AAC5B1359FE11A7E4", "HTTPD:2C849FE5B165E832EE21ADAECFA9521C", "HTTPD:E1C40920F9DFC60284EEE7539DA30483"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS", "HUAWEI-SA-20201105-01-NETLOGON", "HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", 
"05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "06B617CF301DC9505BA9DD5DB1C356FC3A1CCF92C2BD6C1F311F6B9EB8C0F85A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "086B39C8EEA9E80F827A72EB837BB35072FC75FA2EFB8DDEC667E6F0D07BFC82", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08C5ED1F3E47E1FABE2752DAE40446E385D6C5EB30C70D7C739509CE04B06788", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B62A979A39E5FDD103EF50E44280DC84E1DA4B8937991D39D2F70B94DE5CDC6", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0E0248E4E7C78DC0F137D1A675D47FF40D0F4EEB2A876D0083EA60DD92CFF303", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", 
"127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A47CF24DAFF468D1B3E48E56A7C723BAAB5077F0C1ED2DC22653DD05320A38", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1AEC66B946906A8F4682C35B7C619499014756DEA99B2673B7DD17DB8DFF256D", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1CFF840C0308591ED858D48151909C9A66A9C154B22BCC3BCF7A195C153D3C69", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F6B1F3D85A0CCA59E5FCB54F755C559078C8064F36F920EB06BEDB03C8098C1", 
"1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "2331AF133271DA38966A65B0A6E775568A97DB8277C00BA2F0B686C014D53588", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "25649DBC7E3256428D82B855B8B2D096C91EC2361653C508EA395A775FB57C82", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2CB93421F63E579065AD63FBDF2E2B6CA341D81E1EFC758174E7430B3E8E0DFD", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30A0E9F889B3548B9BD0339A7DD9F4F3D51821FE906234D247C17BB05B831873", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "370CF55655D0DCE5B827E549AA74D877B1D4BA2D531AAEFFDF0A6CA27218326F", "37E4288762F4137CCB40EAF6740BA95099EFFDB0B7C1A2F36DD293FE994929E5", 
"37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3828A20846DAD245008B2B65E98D8C5488EDD3BEE6195D59400F18E61B82C570", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3D8081DD4AB9AD49DD1BE909B833BDDD189277A296D1DC86F606AECC69D154F1", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F108F67BF1C0CDF3357048A55D6F542375A28F355F9359FDBF6A3EA00B3BE23", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "461D38744E2383701381659B3FB9C7655B5271B60CDB145B8DACE60D09C17665", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4E77D6807CCB5F39F0079A9612FD44F47C18AEBAF1D9AA7EBBCB816C3FD025B9", 
"4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "5303EB56B374789D2F25DD42CDE200B10A36458869D3BC5FB7882728637FFBF5", "53737B114D9CA48095679DFAF7C4A879A628CAA7C214FE6EBF7F5C13A7C01C5A", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5D661EA5B801079F3B7AF6D31A8566154E3150C1E3398EC1CFA32E9398BF38D3", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", "5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", 
"5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "6502189613929B8D3A5FC60BBB02C86B9F897AFED6AA3BE17BDD0BCDF1B30EFC", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "674DDEB58033DAB9D03ED4483C0C1118FD09DBE69E73AD0AAC428EBFC61E2474", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "6D501DD7BF9949108CC6141A352F6997ABB3CF20DA850084ABB1D6CB49CC2E4A", "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", 
"7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "73EAFB98AF656367DD4CBD6C4D9BDB98FBF39B358F625D93589F37D52771AA8D", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78E7B86D467650B1D1484855774EFAA4F5D5359AF8D43C9734315BDE0FCB12CF", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", "801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", 
"822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "838686EA8660AF45865AC08A8AAF01B25ECE89F900D760F085C235BD477978AE", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "870093D07F2D1BC6903F68758BFC9ABE9984CCE5FE2C013D13AC7FB645217C4D", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "887B058F572F29D81FDE73F26FFA89AE94C5B73C248CDC8EB74C172F09B39B6D", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "893374FE903D82E10726F93A8E126C72248B18315149992024525319951E3097", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "965AA3643F2C2723C5C9B471B69786B972B6D81B6C917B50EE5BFD6C8447279C", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", 
"97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9A6C0D3F4E9D02D3ABB77CC1F15B5C57FED8926916549AF207B111EC9D3C5B1C", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9BFFF73DB09075877DB19A13994A90F7D1CF13A8A5601B84DC0B84F8193E65C1", "9C638946C07968147BC89DE8BAE5211C4767A334F7213E99654F7C02ADD0E910", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9D7A4EE88A531A361C411C460ECF68A88794260BDDAB343FBDBF01A763CF4DE0", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "9FD1AC6E7F93ABD6198F576C4AC025E8DFA5007533DBD2FE78CC5BE3497FF3D6", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A15B390D080295157749FA22EBE90BAA7A33E1EC803752A1824ADBE8D7353A10", "A1680316198638EA55AFA837EE37AE44184E9B8BCA2B9FD668F06E417908DF87", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", 
"A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AF14D81F9945B81EA39B6923FB2CB4E62949A34EE9CCFEF7120D6D6700FA48A1", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", "B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B662A6C7854E7E7A070881073BFF943AB724EAC5B18DCF280BC131424B1F69E8", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", 
"B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "B8DAC33D69A4D5B5BD3B7843A77F0114EBE5CE2EA06FAF06667A4FC43658D093", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0904FD149C70D8A2835DB923B2BF04803388EF83CB969D07F28836C567C672B", "C0C635C3D1BDFFF4279719843730FED33753DFD9A52C5B43AE4A48433A539739", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C2D7FDE6929D1789B9A1618D087E5DCB3FC2780B2EC1CA3CFF40FDF3AD014A8E", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C80232268E47B2638A1602C3F974312D284C64B656468B785AFD070887CF6B6B", "C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CA643463AA3DD27CF347651D7B084BEA39601B3E21A99AD0FE90A4163037F126", "CB1A96B060B639265D7CCD4E0C186EA367A7C82E1756FDF32E57D9F350AD3873", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", 
"CCE74B609685420B52F0CE6D14ACF26F43DB5C6A64A19034DCD1E9CB0CA2BE72", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D156BD5A77A183961676EA2393F58C31A72725CEC216EB199E31487998BE491C", "D1B56895A302CB106810B80548010A8993C467A6D8B6EA61EB430703400A5ED8", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D406490E70A52CFB0315F27FCD957BFAE7E7B2887A6C73BE83E3F514F1153348", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9425756DF631BB7CA03B3451BD1F9C557325B8A2BB0CD34A22102962A0F4213", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", "DEAB63B690E03D8E8203ACA19836C2D36A8ED9D5C66A32CCF4F7F6B6C9F8DE84", "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", 
"E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E2AA9B11D88890FE4ED3C245CC3A519ACAAD11F11F032D2AE032FE428B8C4012", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E4452F8B377A6318D5E140C5FE8BCE8A991964A95AC77F047C30B4542034429F", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "E8BA6A75873A4594BE92FFE48C361848E9581DAA153EABDC1D071E1A59172338", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "EBFFCC00EDD65F45E051073EAF518CD443503E46CC247513E4B973ECC7C31531", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", "EE31BACFE4E2531B3AC2273027A23C49C59978284694658A79B4BC6797F86ACB", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", 
"EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F02EA1DD204629897DA1861F147A272B72A3FA34A5315D58B896A636EAE341F5", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F122C27179362A817F8CF31FDC2906DEDD7B8BBEA33D06FFA42180F0625D22E0", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F2901ADEFFDC496A6F27CBD82624C55C4B805D9C77EBED14A24ED2CCC730C354", "F35EB0C55F08CA4C671A4E6D2454A08936C6D1CD868709D0EE04FB71FFC263C1", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F6194EEFBCE32FD582843AB7A739E92FD7873D5892DE471996BFB729162E7B0E", "F7232359E6413A274B62C22CB7BF1EF8C428ADFBF22EF7B9B913D63D087BCACB", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", "FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["AA18-284A", "AA18-337A", "AA19-024A", "AA19-122A", "AA19-168A", 
"AA19-290A", "AA19-339A", "AA20-006A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-049A", "AA20-073A", "AA20-099A", "AA20-106A", "AA20-107A", "AA20-120A", "AA20-126A", "AA20-133A", "AA20-182A", "AA20-183A", "AA20-195A", "AA20-198A", "AA20-205A", "AA20-206A", "AA20-209A", "AA20-225A", "AA20-227A", "AA20-239A", "AA20-245A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-280A", "AA20-283A", "AA20-296A", "AA20-296B", "AA20-301A", "AA20-302A", "AA20-304A", "AA20-336A", "AA20-345A", "AA20-352A", "AA21-0000A", "AA21-008A", "AA21-042A", "AA21-048A", "AA21-055A", "AA21-062A", "AA21-076A", "AA21-077A", "AA21-110A", "AA21-116A", "AA21-131A", "AA21-148A", "AA21-200A", "AA21-200B", "AA21-201A", "AA21-209A", "AA21-229A", "AA21-243A", "AA21-259A", "AA21-287A", "AA21-291A", "AA21-321A", "AA21-336A", "AA21-356A", "AA22-011A", "AA22-040A", "AA22-047A", "AA22-054A", "AA22-055A", "AA22-057A", "AA22-074A", "AA22-076A", "AA22-083A", "AA22-103A", "AA22-108A", "AA22-110A", "AA22-117A", "AA22-131A", "AA22-137A", "AA22-138A", "AA22-138B", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-181A", "AA22-187A", "AA22-216A", "AA22-223A", "AA22-228A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-279A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-040A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A", "AA23-158A", "AA23-165A", "AA23-187A", "AA23-193A", "AA23-201A", "AA23-208A", "AA23-213A", "AA23-242A", "AA23-250A", "AA23-263A", "AA23-270A", "AA23-278A", "AA23-284A", "AA23-289A", "AA23-319A", "AA23-320A", "AA23-325A", "AA23-335A", "AA23-339A", "AA23-341A", "ICSA-21-357-02", "ICSA-22-034-01", "ICSA-22-167-06", "ICSMA-18-058-02", "ICSMA-20-049-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0009F92C7DBF6D1163E64AF402687506", "IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "IMPERVABLOG:1DB28979DC434D618FB773C7834FB207", 
"IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C", "IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:45FA8B88D226614CA46C4FD925A08C8B", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:6CF60AA98AC32EEEED1A25871823E90D", "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "IMPERVABLOG:937EDF98C40EFDDA392CC06661F152F0", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:D1F1D344B2FD670184AA4FB99A50BD1B", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96", "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "jvn", "idList": ["JVN:51106450"]}, {"type": "kaspersky", "idList": ["KLA10995", "KLA11024", "KLA11059", "KLA11139", "KLA11706", "KLA11835", "KLA11929", "KLA11931", "KLA12103", "KLA12169", "KLA12224", "KLA12370", "KLA12371", "KLA12372", "KLA12390", "KLA12391", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442", "KLA12549", "KLA12550", "KLA12580", "KLA12581", "KLA19264"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:1567876964965286721", "KITPLOIT:1680589374755422772", "KITPLOIT:2730308475904875028", "KITPLOIT:3043339745958474082", "KITPLOIT:4019975092566820832", "KITPLOIT:4421457840699592233", "KITPLOIT:4482238198881011483", "KITPLOIT:4707889613618662864", "KITPLOIT:5104415481503400470", "KITPLOIT:5420210148456420402", "KITPLOIT:6278364996548285306", "KITPLOIT:6411625084720414057", "KITPLOIT:648469287269586263", 
["SMNTC-101757", "SMNTC-108273", "SMNTC-111238", "SMNTC-19793"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB", "TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "TALOSBLOG:0AA83DE1427426ABF4723FDF049F6EEB", "TALOSBLOG:0D782B308C337CFD06D5A38B03FC90B4", "TALOSBLOG:12103F398364269083FD96139F0F6562", "TALOSBLOG:18E1939F4F4AB01928AE1BD2B39FD681", "TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66", "TALOSBLOG:224F6FF67DED69B2FFFA483B3490BCE0", "TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:2B14B5B996283DEF7D095E87B1128109", "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:3E4DED1D580BBFDD5A456042C03F6483", "TALOSBLOG:422E9F3F2D27B5C62D821C614EBE60A6", "TALOSBLOG:4C073D825207102B86D0C8999A5A28CC", "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "TALOSBLOG:5757EE09BE22E4808719C348402D3F43", "TALOSBLOG:5A9BEF09DC8FF93E258E2D51361D11E8", "TALOSBLOG:5AED45D6F563E6F048D9FCACECC650CC", "TALOSBLOG:5D2BCB335060A8EBF6F71CB579112042", "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:71D138211697B43CB345A133B54BC824", "TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A", "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7", "TALOSBLOG:906482C918479D3D0C5D654DF6CC9FED", "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:9F05FC6E227859F0165366CAA52DDB78", "TALOSBLOG:9F3650D77DE88BE04EFECD8F54CE0BE1", "TALOSBLOG:A0B0983119E043D75EA7712A7172A942", "TALOSBLOG:A52D0C18F59637804E33FC802E4F7F00", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:A841859916AA26CF6EF3F3F403502778", "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5", 
"TALOSBLOG:AFFA9F54A1744A8B65903B06E9C56C3A", "TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B", "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6", "TALOSBLOG:C9F50677FB4030903E6114F7C17FD8DB", "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "TALOSBLOG:CF2344D3946410B628ACF0DE5E525347", "TALOSBLOG:CFBFA4A360F5A4B96A4245B783BAE4C2", "TALOSBLOG:D44D4A467C76DBF910B545640D073425", "TALOSBLOG:D6DE736915C69A194D894AE9BED7EC57", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "TALOSBLOG:DE5281D9A4A03E4FA1F2A0B62B527489", "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C", "TALOSBLOG:E19A22F37E2F320BDD9B4727A5209175", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A", "TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650", "TALOSBLOG:E7EA34380482751C5595EDE9DA228FA0", "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "TALOSBLOG:F032D3BBC6D695272384D4A3821130BF", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878", "TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22", "TALOSBLOG:FAB75C531A83C576A2D8274490FF6114", "TALOSBLOG:FB5080C7655BA3C4C2856F34457CBCD0"]}, {"type": "thn", "idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108", "THN:0488E447E08622B0366A0332F848212D", "THN:0521233945B9471C64D546BD2B006823", "THN:06F5ECB1217B8E9B20CB0AC447D63E26", "THN:080602C4CECD29DACCA496697978CAD0", "THN:0A61A90DD0F88453854B73FE249BC379", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:125A440CBDB25270B696C1CCC246BEA1", "THN:161777F5DB73EF3AB5B13EF9F11E3374", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1678C3AE3BCB0278860461A943C3DF30", "THN:1AC8C94468BC3582621B1E56C40127CD", "THN:1AFD9B38CF83CBCCF34CEA589CD5838B", "THN:1B5512B7CB75F82A34395AC39A9B2680", "THN:1B983787EB2BA5D0757F1F83458B7ABE", "THN:1BA2E3EE721856ECEE43B825656909B0", "THN:1C5C46E0576B2DE38F72870C1145ECDB", 
"THN:1D10167F5D53B2791D676CF56488D5D9", "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:1EFEC00D867275514EA180819C9EF104", "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "THN:221BD04ADD3814DC78AF58DFF41861F3", "THN:23ADB89A5DA622FFE2242173C6438C19", "THN:25143CA85A0297381CEBBBD35F24F85B", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:2722097C084561C0EE24E84FA6AD506E", "THN:273B5BCEB3A6EC52EA8B8BB5D09A21BF", "THN:29B2071708004A44ABA0E3EC523D191D", "THN:2AE638B06506778A5F779054ACB99CDC", "THN:2C8CBCD861548E196121A3935B9E6F83", "THN:31DAA0B9538D69BB42EFB6567298FF49", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:3474CD6C25ADD60FF37EDC1774311111", "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "THN:362401076AC227D49D729838DBDC2052", "THN:365025B2416483B34C70F02EDA44131E", "THN:368B6517F020AB4BF1B2344EDC8234A4", "THN:36E70A976BC3FFE43255D807083BFC54", "THN:39C614DBFC7ED1BBBEAAD9DC8C04C7CD", "THN:3A9F075C981951FC8C86768D0EF1794A", "THN:3B0CBDDCB6FCC241176B94BC03E008BA", "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:3FE4961C11E2DB2B8015ACFEF6CDFB9B", "THN:40A0D7C4B23FCEF48FD7EDCF1CC389AD", "THN:42E3306FC75881CF8EBD30FA8291FF29", "THN:44A32C71995BCA06A2F946B41E81310C", "THN:44DD118DC206D25EB4ECAE95173FE16E", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:4959B86491B72239BCAF1958D167D57D", "THN:4BB0F5033E84CFC573DF9D7BB5DB4780", "THN:4DE731C9D113C3993C96A773C079023F", "THN:51196AEF32803B9BBB839D4CADBF5B38", "THN:52153F8855D24E20FDD2CC03040B1EF1", "THN:5293CFD6ACCF7BFD2EDDE976C7C06C15", "THN:54023E40C0AA4CB15793A39F3AF102AB", "THN:5617A125FD4E30B9B9B0DFCEDCEB8DB2", "THN:573D61ED9CCFF01AECC281F8913E42F8", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:59B93BC2ED5871A43456C803DE0C2990", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5BE77895D84D1FB816C73BB1661CE8EB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", 
"THN:5CEFBA9FAF414B3F57548EAB0EEA1718", "THN:5D50D5AA81EE14FA1044614364EAEBC6", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:60B42277F576BB78A640A9D3B976D8D8", "THN:63560DA43FB5804E3B258BC62E210EC4", "THN:64D0BEEE72A10FD1445F5CDC2BC902CD", "THN:65DE53134A31AE62D9634C0B4AA4E81B", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:6885760BEEB9A6CBDFB108443DDF540C", "THN:6A1A5F396F8A43A1DA67A07FF545680A", "THN:6B72050A86FFDCE9A0B2CF6F44293A1B", "THN:6C2DBDCB2BCAD28AA5B80EFC1EF9CDBF", "THN:6C7E32993558CB9F19CAE15C18522582", "THN:6D6F52F8E55C98F540525853C434FD08", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:7489F5CF1C31FDAC5F67F700D5DDCD5B", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:76E9C775EE4ECFF3F3F1E02BCA0BE2F2", "THN:76F500CE84314456F7B0E4DD1D56D971", "THN:7958F9B1AA180122992C6A0FADB03536", "THN:7A6D54BC76D090840197DDF871D59731", "THN:7B73599687A27ACB89413C3B769DDF1A", "THN:802C6445DD27FFC7978D22CC3182AD58", "THN:80B476657ABE12ED91DD0E314BF8DA31", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:81AA37DC2B87520CB02F3508EF82AABD", "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "THN:81F8A577F12DD54CE019C36458B14B52", "THN:8200D2C2E1DD329D680C5E699177551B", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "THN:856F9A41F44F9B2C95A68501B0D1B5A7", "THN:86F6539B2FD5CE0DEC7585157E18CBEF", "THN:8755093D287CCB8F16A1A7CD3BDB6ACF", "THN:87650195BF482879C3C258B474B11411", "THN:878B3321978CDB69F46C7A415B46701B", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:8A48502265B6BF239E81FC688A0FF082", "THN:8BA951AD00E17C72D6321234DBF80D19", "THN:8C2FBC83F6EC62900F1887F00903447F", "THN:8C7C0BBCE90D4B2076F46E011BAB609D", "THN:8E366D56AB2756B4DE53AEEA90675132", "THN:8EAD85C313EF85BE8D38BAAD851B106E", "THN:8ECDF261632B04DEE688C1023DD73404", 
"THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:933FE23273AB5250B949633A337D44E1", "THN:934BF6B94312FDB8317CCD9F5E46677C", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:96E4C6D641E3E5B73D4B9A87628DD3CF", "THN:97FD375C23B4E7C3F13B9F3907873671", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9C0F80240F3101396495FA25B13B978D", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:9DC026B1716712BE0EF2205D941A4D67", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:A0816B13A402B9865C624E3CA1B06EA5", "THN:A17A3E26BF0B1DE93C5D89D6B6107FE3", "THN:A2437FEF2D679B5454DA71E850FADEA9", "THN:A24E3ECC17FDA35932981ED1D0B9B351", "THN:A29E47C7A7467A109B420FF0819814EE", "THN:A30AE10A13D33189456EB192DDF2B8C2", "THN:A356406D6A8ADF4F4592DBAAEB6CDA74", "THN:A4284A3BA2971D8DA287C1A8393ECAC8", "THN:A5B36072ED31304F26AF0879E3E5710E", "THN:A5E2056B783A702B2A37C7ECD02B811F", "THN:A73831555CB04403ED3302C1DDC239B1", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:AE8CC4929BA80C03ABF4AA5FAB5465CC", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:B0B9A91EA9A6465B7D53D33D5B8173CB", "THN:B36CB9AC96CE2C515157963E75E4AC6A", "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BAC30CCFD2AEEC91A6E02417A6B55F56", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:BCC351AC0BA61400C97A7E529C22A518", "THN:C1081365C69856DB9F99773D1D934E01", "THN:C17A0F3DD156CF2240FAEABA6716D0E9", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:C6F6C1EB007027C65DE14DE5DA3E74BC", "THN:C73B84809CDC20C90C26FF1B7F56F5D4", "THN:CB1C2DA47986D8345154BCABBFE41314", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:CD69EF060C75E2FF4DB33C7C492E75B1", "THN:CDFC35DDBEE41C7DA7D24FC9D06E7380", "THN:CE191128AE56CD5C614344408C285C87", "THN:D0F9B64B55AE6B07B3B0C0540189389E", "THN:D10C2C7FC285D13E18415150A4507AB6", "THN:D18D5B68E1C8C3E3C323D4C71C3B2375", "THN:D31DB501A57ADE0C1DBD12724D8CA44C", 
"THN:D7DBE5ECBAF3E906ECA544B7E150594A", "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:DADA9CB340C28F942D085928B22B103F", "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "THN:DF2B360775F2B7F0C76A360FDA254FBA", "THN:DF2B6840863D6847D7088B1A07B19A4A", "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "THN:DFB68B1B6C2EFBB410EB54D83320B71C", "THN:E0B486DA1C8CE77D0DF337E8307100D6", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "THN:E43F2DE4F472015C54D6014AB3A0F7A1", "THN:E50F78394BCAE6FF3B8EE8482A81A3C4", "THN:E69702EC6CD19254901FA21A1125CC18", "THN:E7E8D45492BAD83E88C89D34F8502485", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:E953A164075D6816780AEA06F3053387", "THN:E95B6A75073DA71CEC73B2E4F0B13622", "THN:EAE0157F6308D86DB939FA200A017132", "THN:EAEDDF531EB90375B350E1580DE3DD02", "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:F0450E1253FFE5CA527F039D3B3A72BD", "THN:F076354512CA34C263F222F3D62FCB1E", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F2A3695D04A2484E069AC407E754A9C1", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:F91523FE89728E4535456872C0532560", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "THN:FBCEC8F0CE0D3932FE4C315878C48403", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "THN:FCEF4EA34B53C743863FE92365E26AFF", "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "THN:FF1CD6F91A87ADD45550F34DE9C8204A"]}, {"type": "threatpost", "idList": ["THREATPOST:00E7F3B203C0A059EA3AE42EEFDA4BF6", "THREATPOST:01085CB521431ED10FF25B00357004A0", "THREATPOST:011D33BB13274F4BC8AF713F8EBEC140", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "THREATPOST:027F94626186E3644FA6008B6B65879D", 
"THREATPOST:02A26476FD54111CFB779DB36CA0BE95", "THREATPOST:02A472487653A461080415A3F7BB23D2", "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "THREATPOST:03F3C45744F6C52E1687C208288C7001", "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:04738138B50414CEACDB62EFA6D61789", "THREATPOST:04FAA050D643AD8D61D8063D5232A682", "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:05856E5CAEC60A0E16D4618496270D44", "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:06F9A4BBE673BFFA63BB435F99387C6D", "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "THREATPOST:07E70978E087406E6779D5EE8D2D372D", "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "THREATPOST:0A9A930C281A9194FBCA1A6C9F168F74", "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "THREATPOST:0BA7B2FCC73EB6AA27E7D15318D8DCEF", "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "THREATPOST:0C5877DE6DD50B0CB309505FAE7076AC", "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "THREATPOST:10245D9804511A09607265485D240FFF", "THREATPOST:105BBC66E564BD98581E52653F5EA865", "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", 
"THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:14171FFFDCB402F0E392DA20B23E7B5A", "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:14FF20625850B129B7F957E8393339F1", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:1663F2C868E9B0A3184989EAF71EB3DA", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:19F6727A0DB5ECAEB57AFC56191A2EC4", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "THREATPOST:1B29120EF1DBE107B55050178910AACD", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "THREATPOST:1BCC479A05BA19E3B4906CB5F5FD2F1B", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1CEC18436389CF557E4D0F83AE022A53", "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", 
"THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:215398BCE165265631436077B4E79ECB", "THREATPOST:215937631A8626A30B0695671AD4B357", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:222B126A673B8B22370D386B699A7F90", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:24243FD4F7B9BDBDAC283E15D460128F", "THREATPOST:247A5639B207C2C522F735B0C3412087", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:270516BE92D218A333101B23448C3ED3", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:28D790372A5C9EB1083AA78A4FDF3C0E", "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "THREATPOST:2A215C54591860EE16762D5DD82C504D", "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", 
"THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2D616CF8D8ED2AEB6805F098560269CB", "THREATPOST:2DAD0426512A1257D3D75569F282640E", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:3118E6C785806679DF205606435B79C7", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:326CCB6EA4E28611AD98B1964CFEE88E", "THREATPOST:3283173A16F1E86892491D89F2E307C2", "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "THREATPOST:379EB96BF0EAF29DD5D3B3140DEF25F5", "THREATPOST:384A1D8040B61120BE2BA529493B9871", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B27D34858D1F6DE1183C9ABEE8643CD", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", 
"THREATPOST:3BA8475F97E24074B27812B9B24AD05F", "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:3D0B017E262134B8D61E195735411E8A", "THREATPOST:3D0ED9A884FBC4412C79F4B5FF005376", "THREATPOST:3D30F37EC2CC17D6C3D6882CF7F9777E", "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "THREATPOST:3DAB2A56F377207FBFA093C4AC3D52BD", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3F2E82624DED93EDD273ABC41E24154C", "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:42533F5A68FABB4F312743C2E2A1262A", "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "THREATPOST:4365205CB12A4437E20A1077682B9CF8", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "THREATPOST:44C93D75841336281571380C5E523A23", "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:4622EF32C9940819EDA248FBC9C1F722", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", 
"THREATPOST:4844442F117316BC8EEC54269FACDAA8", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49045E816279C72FD35E91BF5F87387C", "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:49DCD8325E10F7898739335BD99AE94B", "THREATPOST:49E24C3D272F18F81C1E207E97168C33", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "THREATPOST:4C1556375D297ECC5389073B3ECC185E", "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "THREATPOST:4C8D995307A845304CF691725B2352A2", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", 
"THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:547711F4B3BD7FF6F94D605387B3DD50", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:59732F848538CA26FD0A3AC638F529F9", "THREATPOST:59C4483705849ADA19D341EFA462DD19", "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "THREATPOST:5A8F52C1AE647553C21FA300983F3770", "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "THREATPOST:5F0369916D5AFC90C3AF027AC4EC4A61", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:61F350907297E5B2EBAE56FF04C054C7", "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "THREATPOST:626313834C3B7D13BDDD703C425DACA5", "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", 
"THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "THREATPOST:641CEDBD77D5E4711F6E56353D7B5E33", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "THREATPOST:686B59F4D2481BE96E76E2A3166AAE9B", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "THREATPOST:6C4662EB2B72616C90A201601B18E392", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "THREATPOST:6E46A05627B4B870228F4C53DD7811AE", "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "THREATPOST:6F68EF2162540877BC3E8814C07AA52C", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:71D015FE251ED550B92792FF72430841", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", 
"THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "THREATPOST:78CC95FFED89068ABD2CBA57EFE1D5F8", "THREATPOST:7957677E374E9980D5154F756D4A2E00", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "THREATPOST:7D0B88F224FD59AB5C49F030B02A25D9", "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "THREATPOST:7D43FDAB0FB38B20FBB86FFF6FD31270", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:7E30033E60118E5B4B8C14689A890155", "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:7F4C76F7EC1CB91B3A37DE64274F1EC3", "THREATPOST:7F86D903184A4B5AF689693F5950FB7D", "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "THREATPOST:80978215EBC2D47937D2F3471707A073", "THREATPOST:809BED35A98A53099CE1EC723FA950F2", "THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", 
"THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "THREATPOST:8325094507099F4F089C61EF2997445C", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "THREATPOST:84E8993BD84BB1AAEE4273958FF69EDF", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A24910206DA1810DAD81ABA313E33A7", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:8C179A769DB315AF46676A862FC3D942", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "THREATPOST:8F39618B0CB625A1C4FC439D0A7C4EB9", "THREATPOST:8FAA8C7C7378C070F0011A0B44C03726", "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:90355E85731E1618F6C63A58CD426966", "THREATPOST:90739FC29BE2A68C72AAA4B88DB9A420", "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", 
"THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:945830C59DF62627CC3D29C4F9E9139F", "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "THREATPOST:9599D75F1FEDE69B587F551FF63C7C77", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:95C6723464FA4BDF541640AC24DD5E35", "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:96B85F971B8102B581B91984548004F2", "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:9758835CBD1761636E1E39F36A79936B", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "THREATPOST:985009AC9680D632153D78707A8949EF", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9DAD31CF008CF12C5C4A4EA19C77BB66", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:9FE968913EDA58B2C622DFD4433C05E0", "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", 
"THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "THREATPOST:A2FE619CD27EBEC2F6B0C62ED026F02C", "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A60A7647981BC9789CAECE6E9BADD30E", "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:A824AE46654142C5CE71C8DDFD90D548", "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "THREATPOST:AC7105820BB83340E9C002EE77D4B8D6", "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "THREATPOST:AE4AEC18802953FE366542717C056064", "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", 
"THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B574047DB8D0D69958A618406B0BDAC4", "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B7E1238E416DAB5F50EED6E4CC347296", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B8B49658F96D885BA4DC80406A2A94B3", "THREATPOST:B8EE84454BCC4614F524D8A4901907C3", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", 
"THREATPOST:BC99709891AA93FC7767B53445FC2736", "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", 
"THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D053D0BAA76AC62C5AFCB77CBFD61B6D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D11D4E32822220251B14068F9BAAD17E", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D292185F5E299FDB7366DDAA750D6070", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "THREATPOST:D58796CB8261B361ADF389131F955AE3", "THREATPOST:D5CE687F92766745C002851DFA8945DE", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:D8172FCB461F5843B3391B2336A4D02F", "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F", "THREATPOST:E067CFBFA163616683563A8ED34648FE", "THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", 
"THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E44D0A1C3C7C76586EBC905270FFAC34", "THREATPOST:E46805A1822D16B4725517D4B8786F57", "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "THREATPOST:E539817E8025A93279C63158F37F2DFB", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "THREATPOST:E6DC1F407BA6CEE26FE38C95EBB10D7A", "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "THREATPOST:E7C5C8276111C637456F053327590E4C", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EA8274414AC42B3EF48CA27D45659736", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "THREATPOST:F261FA3F1DECA361A6DBC169065B1101", "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F514D796FE42C0629BD951D8664A2420", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F61F8A6168C36EAB1584BC8044080B35", "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "THREATPOST:F701F7503777655BB413FCBEFB88C8DE", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", 
"THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB", "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "THREATPOST:FBDE9552D48B698542D65DEA64890566", "THREATPOST:FBF1F4B1FB26C8B1E95965E920F985EF", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1", "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "THREATPOST:FF8B5ACCCE8A1CE6B8A830B1D3E9E316", "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883"]}, {"type": "trellix", "idList": ["TRELLIX:1B98406D173663FA7B8E48F103AAE482", "TRELLIX:21227249912602DD6E11D3B19898A7FF", "TRELLIX:2190FF6CC59F0018181B8146CC20B06D", "TRELLIX:33C611A7064C89E309C4A45CAE585BD5", "TRELLIX:341471F990B5DC7BFF1C28F924F10E32", "TRELLIX:357BDB16F9C97C350D8CFF381DE2C04E", "TRELLIX:39F5630F37B0A70500113404A73FE414", "TRELLIX:3D1BFD2AFBB082262FACCCAE2137672E", "TRELLIX:6373864BD1A0BAFE3430F237433C84A5", "TRELLIX:6A66742843755E787356176A644AAD06", "TRELLIX:73420774AE3767CFB11F493B41572174", "TRELLIX:7B9C31B3E2F1A079101A700230D5A5C0", "TRELLIX:908157CFA8050AA23921170E873187E1", "TRELLIX:B73136D0B1874E13EB839E42FB157903", "TRELLIX:C3BC4A8730F3B1E4C9A82C07C31138D4", "TRELLIX:C68274BBC4E0B3B7EFA9290A8C6AA6C2", "TRELLIX:D3CC9DD7452C6A1D346229DE526BBE46", "TRELLIX:D57FEAD5DBF6D915430C791AC26C10CC", "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C", "TRELLIX:FC79F74B85714DFB2F725665CE9B700F"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", 
"TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2", "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "TRENDMICROBLOG:64CE304907BCE85ADF8422301BEFF093", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:9B8C91E149F60DE91C9033A05754C059", "TRENDMICROBLOG:B2CE0B51EC84664ADCCD67A2A0DF7033", "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1", "USN-5090-1", "USN-5090-2", "USN-5090-3", "USN-5090-4", "USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472", "UB:CVE-2021-20325", "UB:CVE-2021-40438", "UB:CVE-2021-4104", "UB:CVE-2021-41773", "UB:CVE-2021-42013", "UB:CVE-2021-44228", "UB:CVE-2021-45046", "UB:CVE-2022-26134"]}, {"type": "veeam", "idList": ["VEEAM:KB4254"]}, {"type": "veracode", "idList": ["VERACODE:27548", "VERACODE:32174", "VERACODE:32397", "VERACODE:32442", "VERACODE:33244", "VERACODE:33337", "VERACODE:33348", "VERACODE:34884", "VERACODE:35447"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9", "VMSA-2022-0011"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:6D3FED0879553B4C47AD26ED1DEB5AEB", "WALLARMLAB:8383499ED724C06A048699BABC906127", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:9178CD01A603571D2C21329BF42F9BFD", "WALLARMLAB:A49A7EF6D6A0472E58CBD619282C9FE0", 
"WALLARMLAB:B8F980411EDD1DF519EE189581871B40", "WALLARMLAB:BED32468D036C4C2D5DC502940814368", "WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "WALLARMLAB:E5FB4AF05A8329FD71758F9E64633544", "WALLARMLAB:E69ED97E0B27F68EA2CE3BB7BA9FE681", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wizblog", "idList": ["WIZBLOG:1635A76107937A3F54D9C846D984E07A", "WIZBLOG:E7BB6906DDEB4849A11E483EC9AE559E"]}, {"type": "wordfence", "idList": ["WORDFENCE:035A383C0D3B38D6EEBF9FE95D1A356D", "WORDFENCE:107445D672F037011ADA9A0DA9FB8292", "WORDFENCE:45390D67D024DD8C963E18DAE88303B2", "WORDFENCE:98268684EA16A81FCA6F004B3CE9D86A"]}, {"type": "zdi", "idList": ["ZDI-21-819", "ZDI-21-821", "ZDI-21-822", "ZDI-22-1624", "ZDI-22-1625", "ZDI-22-1626", "ZDI-22-1627", "ZDI-22-1628", "ZDI-22-1629", "ZDI-22-1630", "ZDI-22-1631", "ZDI-22-1632", "ZDI-22-1633", "ZDI-22-1634", "ZDI-22-1635", "ZDI-22-1636", "ZDI-22-1637", "ZDI-22-1638", "ZDI-22-1639", "ZDI-22-1640", "ZDI-22-1641", "ZDI-22-1642", "ZDI-22-1643", "ZDI-22-1644", "ZDI-22-1645", "ZDI-22-1646", "ZDI-22-1647", "ZDI-22-1648", "ZDI-22-1649", "ZDI-22-1650", "ZDI-22-1651", "ZDI-22-1652", "ZDI-22-1653", "ZDI-22-1654"]}, {"type": "zdt", "idList": ["1337DAY-ID-27607", "1337DAY-ID-27617", "1337DAY-ID-27662", "1337DAY-ID-28811", "1337DAY-ID-29022", "1337DAY-ID-29119", "1337DAY-ID-32826", "1337DAY-ID-32978", "1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-33140", "1337DAY-ID-33275", "1337DAY-ID-33565", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-34646", "1337DAY-ID-34647", "1337DAY-ID-34652", "1337DAY-ID-34748", "1337DAY-ID-35274", "1337DAY-ID-35287", "1337DAY-ID-35944", "1337DAY-ID-36024", "1337DAY-ID-36262", "1337DAY-ID-36281", "1337DAY-ID-36351", "1337DAY-ID-36667", "1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-36854", "1337DAY-ID-36897", "1337DAY-ID-36937", "1337DAY-ID-36952", "1337DAY-ID-37030", "1337DAY-ID-37080", "1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37230", 
"1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37565", "1337DAY-ID-37681", "1337DAY-ID-37684", "1337DAY-ID-37777", "1337DAY-ID-37778", "1337DAY-ID-37779", "1337DAY-ID-37781", "1337DAY-ID-37783", "1337DAY-ID-37889", "1337DAY-ID-38045", "1337DAY-ID-38098", "1337DAY-ID-38336", "1337DAY-ID-38421", "1337DAY-ID-38598", "1337DAY-ID-38602", "1337DAY-ID-38634", "1337DAY-ID-38858", "1337DAY-ID-39146"]}]}, "vulnersScore": 10.1}, "_state": {"score": 1701975901, "dependencies": 1701975723}, "_internal": {"score_hash": "76749964cc4f730032d16b458f749733"}}
{"qualysblog": [{"lastseen": "2023-08-24T19:24:47", "description": "A unified front against malicious cyber actors is essential in the ever-evolving cybersecurity landscape. The joint Cybersecurity Advisory (CSA), a collaboration between leading cybersecurity agencies from the United States, Canada, the United Kingdom, Australia, and New Zealand, is a critical guide for strengthening global cyber resilience. The agencies involved are the U.S.'s CISA, NSA, and FBI; Canada's CCCS; the U.K.'s NCSC-UK; Australia's ACSC; and New Zealand's NCSC-NZ and CERT NZ. \n\nThis collaboration among key cybersecurity agencies highlights the global nature of cybersecurity threats. Such cooperative efforts signify a unified perspective and highlight the need for shared intelligence and coordinated strategies. The realization that cybersecurity is not limited by national borders but is a shared responsibility is growing more evident. \n\nThe CSA sheds light on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited in 2022 and the associated Common Weakness Enumeration(s) (CWE). It outlines crucial technical details and key findings, providing actionable guidance and mitigation strategies. Vendors, designers, developers, and end-user organizations are strongly urged to implement these guidelines to strengthen their defenses against possible threats. \n\n### **The Cybersecurity Advisory (CSA) has identified the following key findings that outline essential insights into the behaviors and tendencies of malicious cyber actors for 2022:** \n\n * **Older Vulnerabilities Targeted**: Malicious cyber actors exploited older software vulnerabilities more frequently, targeting unpatched, internet-facing systems. \n * **Proof of Concept (PoC) Code**: Public availability of PoC code likely facilitated broader exploitation by malicious actors. \n * **Success in First Two Years**: Known vulnerabilities are most successfully exploited within the first two years of disclosure. 
Timely patching reduces this effectiveness. \n * **Prioritization of Severe CVEs**: Cyber actors prioritize severe and globally prevalent vulnerabilities, seeking low-cost, high-impact tools, and also pay attention to vulnerabilities that are prevalent in specific targets' networks. \n * **Detection through Deep Packet Inspection**: Deep packet inspection can often detect exploits involving multiple CVEs or CVE chains. \n\nIn 2022, malicious cyber actors routinely exploited 12 severe vulnerabilities affecting a range of products and services. These included the long-exploited Fortinet SSL VPN flaw CVE-2018-13379 and widespread vulnerabilities such as Apache's Log4Shell (CVE-2021-44228). They impacted multiple systems, from Microsoft Exchange email servers to Atlassian Confluence and software such as Zoho ManageEngine and VMware. Exploitation often resulted from organizations' failure to patch software or from publicly available proofs of concept (PoC), enabling remote code execution, privilege escalation, and authentication bypass. The table below shows detailed information on these 12 vulnerabilities, along with Qualys-provided QIDs. A crucial commonality between these vulnerabilities is their potential to severely compromise system integrity, confidentiality, and availability. The Qualys Threat Research Unit (TRU) team addressed all of the aforementioned critical vulnerabilities by providing QIDs within 24 hours. 
These critical vulnerabilities are categorized based on their potential impact if exploited as follows: \n\nCVE/Vuln Name| Vendor/Product| Type| QID| QDS \n---|---|---|---|--- \nCVE-2018-13379| Fortinet - FortiOS and FortiProxy | SSL VPN Credential Exposure | 43702| 100 \nCVE-2021-34473 (ProxyShell) | Microsoft - Exchange Server | RCE | 50114, 50107| 100 \nCVE-2021-31207 (ProxyShell) | Microsoft - Exchange Server | Security Feature Bypass | 50114, 50111| 95 \nCVE-2021-34523 (ProxyShell) | Microsoft - Exchange Server | Elevation of Privilege | 50114, 50112| 100 \nCVE-2021-40539| Zoho ManageEngine - ADSelfService Plus | RCE/Authentication Bypass | 375840| 100 \nCVE-2021-26084| Atlassian - Confluence Server and Data Center | Arbitrary code execution | 375839, 730172| 100 \nCVE-2021-44228 (Log4Shell) | Apache - Log4j2 | RCE | 730447, 376521| 100 \nCVE-2022-22954| VMware - Workspace ONE Access and Identity Manager | RCE | 730447, 376521| 100 \nCVE-2022-22960| VMware - Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | 376521| 95 \nCVE-2022-1388| F5 Networks - BIG-IP | Missing Authentication Vulnerability | 730489, 376577| 96 \nCVE-2022-30190 (Follina)| Microsoft - Multiple Products | RCE | 91909| 100 \nCVE-2022-26134| Atlassian - Confluence Server and Data Center | RCE | 376657, 730514| 100 \n \n**Vulnerabilities Paving the Way for Data Theft and More:** \n\nThe following vulnerabilities could potentially lead to data theft or lay the groundwork for further attacks: \n\n * **CVE-2018-13379**, a path traversal flaw in the Fortinet FortiOS SSL VPN web portal, could be leveraged by attackers to gain unauthorized access to sensitive SSL VPN session data. \n * **CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207**, collectively known as the ProxyShell vulnerabilities affecting Microsoft Exchange Server, could enable bad actors to deploy web shells and execute arbitrary code on compromised devices. 
\n * **CVE-2022-1388**, an F5 BIG-IP iControl REST API authentication bypass, could give cyber criminals initial network access, enabling follow-on activity such as data theft or ransomware deployment. \n\n**Vulnerabilities Leading to System Takeover:** \n\nThe following vulnerabilities could potentially compromise an entire system: \n\n * **CVE-2021-44228**, or Log4Shell, is a flaw in Apache's Log4j Java library that can lead to total system compromise. \n * **CVE-2021-26084 and CVE-2022-26134**, vulnerabilities in Atlassian's Confluence Server and Data Center, allow an attacker to execute arbitrary code, leading to a potential system takeover. \n * **CVE-2021-40539**, an issue in Zoho ManageEngine ADSelfService Plus, allows arbitrary code execution and potential system compromise. \n * **CVE-2022-30190**, found in the Microsoft Support Diagnostic Tool (MSDT), can be exploited for remote code execution, potentially leading to full system compromise. \n * **CVE-2022-22954 and CVE-2022-22960**, affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation, allow remote code execution and privilege escalation, respectively, potentially leading to full system compromise. \n\n### **Analyzing Vulnerability Remediation Patterns and the Urgency of Swift Patching**\n\nOur data on the patching behavior for these 12 significant vulnerabilities is pulled from the Qualys TruRisk Platform. It is anonymized so that no analysis can be traced back to a specific organization or asset. \n\nThe data highlights a prominent challenge: some vulnerabilities see rapid mitigation, reflecting proactive security measures, while others face prolonged remediation times, raising concerns about extended exposure. Such disparities underline the importance of detecting and swiftly addressing vulnerabilities. 
As cyber threats grow in sophistication, the urgency to patch quickly and efficiently becomes paramount. The following plot contrasts the patch rates and remediation times for the 12 frequently exploited vulnerabilities of 2022. It shows that while some vulnerabilities are quickly patched, others remain unaddressed for extended periods. This analysis reinforces the need for timely vulnerability management, carried out with speed and diligence, especially for high-risk vulnerabilities. \n\nFig 1. Patch Rate vs. Average Remediation Days for Top 12 Routinely Exploited Vulnerabilities in 2022 \n\nThe damaging potential of these vulnerabilities highlights the vital importance of cybersecurity alertness. By understanding the risks and possible impacts of these threats, organizations can adopt proactive defense strategies, patching vulnerabilities and updating systems regularly to ensure the integrity of their environments. The advisory also emphasizes the importance of accurately populating the CWE field in published CVEs to highlight vulnerability root causes and support industry-wide software security insights. \n\n### **Aligning Qualys Platform with Joint Cybersecurity Advisory Mitigating Guidelines** \n\nThe recent joint Cybersecurity Advisory (CSA) emphasizes the urgency of identifying exploited vulnerabilities, keeping all network assets updated, and implementing a robust patch management process. Among the recommendations are the timely updating of software, prioritizing patches for known vulnerabilities, performing automated asset discovery, and implementing centralized patch management. \n\nQualys' suite of products directly aligns with these critical recommendations. Qualys Cybersecurity Asset Management (CSAM) ensures 360-degree visibility of assets, aligning with CSA's call for comprehensive asset discovery. 
Qualys Patch Management offers an advanced automated solution for timely updates, while Qualys VMDR facilitates the discovery, assessment, and prioritization of vulnerabilities. By leveraging Qualys' unified platform, organizations can efficiently adhere to the international best practices outlined in the CSA, enhancing their defense against cyber threats. \n\nIn addition, the joint Cybersecurity Advisory (CSA) stresses the need for robust protective controls and architecture. Key recommendations include securing internet-facing network devices, continuously monitoring the attack surface, and prioritizing secure-by-default configurations. There is a strong focus on hardening network protocols, managing access controls, and employing security tools such as EDR and SIEM for enhanced protection. \n\nQualys Threat Protection aligns with these recommendations by providing centralized control and comprehensive visibility of the threat landscape. By continuously correlating external threat information against vulnerabilities and the IT asset inventory, Qualys allows organizations to pinpoint and prioritize the most critical security threats. Whether managing vulnerabilities, controlling the threat prioritization process, or ensuring compliance with regulations, Qualys empowers organizations to align with the CSA's guidelines and achieve a fortified security posture. \n\nQualys TotalCloud also employs deep learning AI to continuously monitor the attack surface and investigate abnormal activity, in line with the CSA guidelines. It leverages an interconnected artificial neural network that detects known and unknown malware with over 99% accuracy in less than a second. Through these capabilities, Qualys TotalCloud delivers a rapid and precise solution for malware detection in multi-cloud environments that is not limited to signature-based detection. \n\nFig 2. Qualys VMDR TruRisk Dashboard for top 12 routinely exploited vulnerabilities in 2022 \n\nThe [Qualys VMDR TruRisk Dashboard](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/08/Qualys-VMDR-TruRisk-UDdashboard.json_.zip>) (JSON, zipped) gives organizations complete visibility into open vulnerabilities, focusing on the organization\u2019s global risk score, high-risk vulnerabilities, and top exploited vulnerabilities. Once the vulnerable assets for these top exploited CVEs have been identified and prioritized among your remediation owners, you can use Qualys Patch Management to reduce the risk. \n\nIn conclusion, this Cybersecurity Advisory (CSA) offers valuable insights and mitigation strategies against routinely exploited vulnerabilities. Qualys provides solutions that align with the CSA's recommendations, including asset management, timely updates, vulnerability prioritization, and advanced threat detection. Consequently, organizations can strengthen their defenses against cyber threats by adhering to the CSA guidelines and leveraging comprehensive cybersecurity solutions like Qualys'. 
## References

[CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>)

## Additional Contributors

* Ramesh Ramachandran, Principal Product Manager, Qualys
* Aubrey Perin, Lead Threat Intelligence Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-24T19:07:05", "type": "qualysblog", "title": "Qualys Tackles 2022\u2019s Top Routinely Exploited Cyber Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-24T19:07:05", "id": "QUALYSBLOG:56A00F45A170AF95CF38191399649A4C", "href": "https://blog.qualys.com/category/qualys-insights", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._

The Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) on critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can apply to reduce their risk.

To that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.

Of special interest in the report is this key finding by CISA:

_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._

### CISA’s Top 15 Routinely Exploited Vulnerabilities of 2021

The top 15 routinely exploited vulnerabilities observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:

CVE | Vulnerability Name | Vendor and Product | Type
---|---|---|---
[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) | [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j | Remote code execution (RCE)
[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) | | Zoho ManageEngine AD SelfService Plus | RCE
[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) | ProxyShell | Microsoft Exchange Server | Elevation of privilege
[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) | ProxyShell | Microsoft Exchange Server | RCE
[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) | ProxyShell | Microsoft Exchange Server | Security feature bypass
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | | Atlassian Confluence Server and Data Center | Arbitrary code execution
[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) | | VMware vSphere Client | RCE
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | | Microsoft Exchange Server | RCE
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | | Pulse Secure Pulse Connect Secure | Arbitrary file reading
[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | | Fortinet FortiOS and FortiProxy | Path traversal

### Highlights of Top Vulnerabilities Cited in CISA 2021 Report

Based on the Qualys Research Team's analysis of this report, let’s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.

#### Log4Shell Vulnerability

The Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4j and were vulnerable to Log4Shell exploitation.

Visit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.

#### ProxyShell: Multiple Vulnerabilities

The multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and escalate privileges.

#### ProxyLogon: Multiple Vulnerabilities

The multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.

[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.

#### Confluence Server and Data Center Vulnerability

An Object Graph Navigation Library (OGNL) injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

#### Top Vulnerabilities of 2020 Persist

Three additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.

### How Can Qualys Help?

The Qualys Research Team stays on top of CISA’s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.

#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report.
[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all the Windows-related vulnerabilities, which account for 60% of the 15 vulnerabilities, so organizations can quickly reduce the risk from them.

Using VMDR and Qualys Query Language (QQL) lets you easily detect all of your assets that are vulnerable to the top 15.

Use this QQL statement:

    vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]

View vulnerabilities by severity in Qualys VMDR

Qualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as it propagates across multiple assets in your infrastructure.

Dashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited

Qualys Unified Dashboard

#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

Qualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company’s internet-facing assets. To do so, apply the tag “Internet Facing Assets” in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to widen the scope of assets.

Use this QQL statement:

    vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]

Prioritizing vulnerabilities for remediation in Qualys VMDR

#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

Qualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.

To view the patchable QIDs, enable the "Show only Patchable" toggle. You can then configure the patch job to patch the relevant QIDs and their associated CVEs.

Using Qualys Patch Management to apply patches

Qualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs on your patching to-do list.

To get a view of all available patches for CISA’s top 15 exploited vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:

    cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]

Viewing available patches in Qualys Patch Management

For additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.

### Getting Started

Ready to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the activity of cyber actors sponsored by the Chinese government, officially the People’s Republic of China (PRC), in pursuit of national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a range of industries and organizations in the United States. The advisory lists the top CVEs used since 2020 by PRC state-sponsored cyber actors, as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored actors continue to exploit known vulnerabilities to target U.S. and allied networks, as well as software and hardware companies, to steal intellectual property and develop access to sensitive networks.

The agencies describe PRC state-sponsored cyber activity as one of the most significant and dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to the Information Technology Sector, telecommunications organizations, the Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations.

PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is the list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with the affected products and the associated Qualys VMDR QID(s) for each vulnerability:

**Vendor** | **CVE** | **Vulnerability Type** | **Qualys QID(s)**
---|---|---|---
Apache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more
Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771
GitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475
Atlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523
Microsoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108
F5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106
VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266
Citrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305
Cisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070
Buffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA
Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172
Hikvision Webserver | CVE-2021-36260 | Command Injection | NA
Sitecore XP | CVE-2021-42237 | Remote Code Execution | 14012
F5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577
Apache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361
ZOHO | CVE-2021-40539 | Remote Code Execution | 375840
Microsoft | CVE-2021-26857 | Remote Code Execution | 50107
Microsoft | CVE-2021-26858 | Remote Code Execution | 50107
Microsoft | CVE-2021-27065 | Remote Code Execution | 50107
Apache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more

Table 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020

The NSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs listed in Table 1 let the actors stealthily gain unauthorized access to sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.

The NSA highlights how the People’s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers, mostly by exploiting publicly known vulnerabilities. Affected networks have ranged from small office/home office (SOHO) routers to medium and large enterprise networks.

PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Such devices, including Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and as a means to conduct network intrusions against other entities. Furthermore, cyber defenders, who are busy keeping pace with frequent software patching of Internet-facing services and endpoint devices, often overlook these devices.

## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0

Qualys has released several remote and authenticated QIDs for these commonly exploited vulnerabilities.
You can search for these QIDs in the Vulnerabilities tab of [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) by using the following QQL query:

    vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]

Using [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities with [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).

## Identify Vulnerable Assets using Qualys Threat Protection

In addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.

Using the Qualys Unified Dashboard, you can track impacted hosts, their status, and overall remediation management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment.

Read the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>)

## Recommendations & Mitigations

The NSA, CISA, and FBI recommend that U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored cyber actors.

Here is a summary of the mitigation guidance provided by the NSA:

* Update, prioritize, and patch vulnerable systems as soon as possible, as listed in this article and in the [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) catalog.
* Use phishing-resistant multi-factor authentication and require a unique, strong password for every account.
* Block obsolete or unused protocols at the network edge.
* Upgrade or replace end-of-life devices.
* Move toward the Zero Trust security model.
* Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

One of the soundest ways for organizations of all sizes to stay on top of these vulnerabilities, and of end-of-life (EOL) network/device infrastructure as noted in the NSA's general mitigation guidance, is to catalog the affected assets and apply patches as soon as possible. This can be an effortless process for organizations that use the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect, and patch the high-priority, commonly exploited vulnerabilities.
## Contributors

* Felix Jimenez Saez, Director, Product Management, Qualys
* Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-08T15:22:18", "description": "The [previous blog](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>) from this three-part series gave an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) often fall short in identifying high-risk vulnerabilities.

In this blog, we will focus on an **insider's perspective on the threat landscape**, viewing it through the eyes of an attacker. We will examine how quickly vulnerabilities get exploited in the wild, identify the vulnerabilities most sought after by threat actors, malware, and ransomware groups, and explore their underlying motives.

We will also provide insights on what measures you can take to safeguard your organization from these vulnerabilities.

So, without further ado, let's dive headfirst into this intriguing world.

### How Fast Are Vulnerabilities Getting Exploited (Time to CISA KEV)?

In our previous blog we already highlighted one of the most noteworthy efforts by the team at CISA: the creation of the Known Exploited Vulnerabilities catalog. Initiated as part of [Binding Operational Directive 22-01 in 2021](<https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01>), this project was born out of the need to minimize the risks associated with these vulnerabilities. In its early years, there was a substantial backlog to address. Still, by 2023 the CISA team had the operation running like a well-oiled machine, swiftly updating the catalog with newly exploited vulnerabilities as soon as evidence emerges.
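As an added illustration of the "time to KEV" measure this section discusses (example code written for this page, not Qualys's tooling), the script below computes the days between a CVE's NVD publication and its KEV addition, grouped by disclosure year. It uses the field names of CISA's KEV JSON feed (`cveID`, `dateAdded`) and takes NVD publication timestamps as a dict; every CVE id and date in it is a constructed sample.

```python
"""Per-year 'time to KEV': days from NVD publication to CISA KEV inclusion."""
import json
import statistics
from datetime import date, datetime

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json
# feed (only the fields used here). CVE ids and dates are made up for illustration.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-0001", "dateAdded": "2021-12-15"},
        {"cveID": "CVE-2021-0002", "dateAdded": "2022-03-01"},
        {"cveID": "CVE-2023-0001", "dateAdded": "2023-02-10"},
        {"cveID": "CVE-2023-0002", "dateAdded": "2023-05-04"},
        # zero-day style: added to KEV before NVD published a record for it
        {"cveID": "CVE-2023-0003", "dateAdded": "2023-06-01"},
        # present in KEV but absent from our NVD sample below
        {"cveID": "CVE-2023-0004", "dateAdded": "2023-07-20"},
    ],
})

# Constructed NVD publication timestamps, in the ISO form NVD's API returns.
NVD_PUBLISHED = {
    "CVE-2021-0001": "2021-12-10T10:00:00.000",
    "CVE-2021-0002": "2022-02-20T08:30:00.000",
    "CVE-2023-0001": "2023-02-01T00:00:00.000",
    "CVE-2023-0002": "2023-04-28T12:00:00.000",
    "CVE-2023-0003": "2023-06-05T09:00:00.000",
}


def time_to_kev(kev_feed_json, nvd_published, clamp_negative=True):
    """Return ({disclosure_year: [gap_days, ...]}, [cves_without_nvd_date]).

    A negative gap means KEV listed the CVE before NVD published it (the
    exploit predates public disclosure); by default it is counted as 0 days
    so that such cases pull the average down rather than cancelling others.
    """
    feed = json.loads(kev_feed_json)
    gaps_by_year = {}
    missing = []
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"]
        published_raw = nvd_published.get(cve)
        if published_raw is None:
            missing.append(cve)          # cannot measure without an NVD date
            continue
        published = datetime.fromisoformat(published_raw).date()
        added = date.fromisoformat(entry["dateAdded"])
        days = (added - published).days
        if clamp_negative and days < 0:
            days = 0
        # Group by the year the CVE was disclosed in NVD, as the chart does.
        gaps_by_year.setdefault(published.year, []).append(days)
    return gaps_by_year, missing


def summarize(gaps_by_year):
    """Count, mean and median days per disclosure year, oldest year first."""
    return {
        year: {
            "count": len(gaps),
            "mean_days": statistics.mean(gaps),
            "median_days": statistics.median(gaps),
        }
        for year, gaps in sorted(gaps_by_year.items())
    }


if __name__ == "__main__":
    by_year, unmatched = time_to_kev(KEV_FEED_JSON, NVD_PUBLISHED)
    for year, stats in summarize(by_year).items():
        print(f"{year}: n={stats['count']} mean={stats['mean_days']:.1f}d "
              f"median={stats['median_days']}d")
    if unmatched:
        print("no NVD publication date for:", ", ".join(unmatched))
```

The median is reported alongside the mean because a handful of long-backlogged entries can inflate an average, which matters when the average is what drives a patch SLA.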
\n\nSo, let's dive deep into understanding how quickly the vulnerabilities get exploited in the wild, as disclosed by the National Vulnerability Database(NVD).\n\nThe following graph illustrates the average duration it takes to include a vulnerability in the Known Exploited Vulnerabilities (KEV) catalog from when it was published in NVD.\n\nFor those CVEs disclosed in 2023, the gap to **time to KEV was just eight days**.\n\nFig 1. Average Time in Days to CISA KEV Catalog\n\nDefenders, therefore, have limited time to respond to vulnerabilities. The only viable response is through automation to patch these vulnerabilities before attackers can exploit them. Note that the average timeframe mentioned here, as in some instances, vulnerabilities are exploited almost instantly.\n\n### Which Vulnerabilities Are Exploited and by Whom?\n\nSo which vulnerabilities are exploited in the wild? And who is exploiting them? Are there any specific vulnerabilities that are more sought-after than others? If so, which ones?\n\nTo understand these questions, let's examine three main groups of attackers.\n\n * Threat Actor groups\n * Malwares\n * Ransomware groups\n\nAlthough there is some overlap within each group, it appears to favor a slightly different set of vulnerabilities depending on the use case.\n\n## Top Ten Vulnerabilities Exploited by Threat Actors\n\nHere\u2019s a list of the top ten vulnerabilities exploited by threat actors.\n\nThe chart below shows **the number of threat actors known to exploit a given vulnerability**.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-2-Top-10-Vulnerabilities-Exploited-by-Threat-Actors.png>)Fig 2. 
Top Ten Vulnerabilities Exploited by Threat Actors for High-Risk Vulnerabilities\n\n**Title** | **CVE**s | **Threat Actor Count** | **TruRisk Score** **(QVS)** | **Description** \n---|---|---|---|--- \nMicrosoft Office/WordPad Remote Code Execution Vulnerability | CVE-2017-0199 | 53 | 100 | Allows a malicious actor to download Visual Basic script containing PowerShell commands. Works reliably well across a wide attack surface. Popular with [APT Groups](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>). \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 52 | 100 | Exploits Office's default Equation Editor feature by tricking the user to open a malicious file. This one is the hacking group\u2019s most favorite vulnerability, especially groups such as Cobalt or other malware as you will see in the next section. \nWindows Common Controls Remote Code Execution Vulnerability | CVE-2012-0158 | 45 | 100 | Executes remote code by tricking the user to click on a malicious link or specially crafted malicious file. \nApache Log4j RCE (Log4Shell) | CVE-2021-44228 | 26 | 100 | [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>). Do we need to say anything more? \nMicrosoft Office Memory Corruption Vulnerability | CVE-2018-0802 | 24 | 100 | Executes remote code by tricking the user to open a specially crafted malicious file in Office or WordPad. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon) | CVE-2021-26855 | 22 | 100 | Allows an unauthenticated user to run arbitrary commands on the exchange server in its default configuration. Heavily exploited by the [Hafnium](<https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group among others. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 20 | 100 | Allows an unauthenticated user to run arbitrary commands on the exchange server. 
Can be clubbed with other CVE\u2019s CVE-2021-34523 and CVE-2021-31207 making it more attractive to cybercriminals. \nArbitrary file write vulnerability in Exchange | CVE-2021-27065 | 19 | 95 | Requires authentication that can then write arbitrary file write vulnerability in Exchange. Leveraged as part of the attack chain once an attacker has initial access. Exploited by Hafnium group among others. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34523 | 17 | 100 | Allows an unauthenticated user to run arbitrary commands on the exchange server. Can be chained with other CVE\u2019s CVE-2021-34473 and CVE-2021-31207 making it more attractive to cybercriminals. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-31207 | 17 | 95 | Allows an unauthenticated user to run arbitrary commands on the exchange server. Can be chained with other CVE\u2019s CVE-2021-34473 and CVE-2021-31207 making it more attractive to cybercriminals. \n \nTable 1. Top 10 Vulnerabilities Exploited by Threat Actors for High-Risk Vulnerabilities\n\n## Top Ten Highly Active Threat Actors\n\nNext, let\u2019s talk about some of the most active threat actors known to leverage the maximum number of vulnerabilities as part of their arsenal capable of compromising systems across the globe.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-3-Most-Active-Threat-Actors.png>)Fig 3. Most Active Threat Actors for High-Risk Vulnerabilities\n\n**Threat Actor ** | **CVEs Exploited ** | **Description ** \n---|---|--- \nEquation Group** ** | 51 | Uses a variety of malware, including backdoors, trojans, and rootkits, often targeting zero-day vulnerabilities. Such kinds of malware are often challenging to detect and remove. \nFancy Bear** ** | 44 | Best known as APT28 or Sofacy, it uses advanced malware and spear-phishing tactics. The group is also known for using \u201cwatering hole\u201d attacks. 
In 2016, APT28 reportedly attempted to interfere with the U.S. presidential elections. \nWicked Panda | 30 | Also known as Axiom, Winnti, APT41, or Bronze Atlas. This group conducts financially motivated operations. It has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. \nRicochet Chollima | 26 | Also known as APT37, Reaper, and ScarCruft, they primarily target financial institutions, academics, and journalists. \nLabyrinth Chollima | 24 | This is a sub-group of the Lazarus Group that has been attributed to the Reconnaissance General Bureau. It was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, part of the campaign Novetta tracked as Operation Blockbuster. \nStardust Chollima | 22 | Also known as BlueNoroff, it is a sub-group of the Lazarus Group that has been attributed to the Reconnaissance General Bureau. It targets banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. \nCarbon Spider | 22 | Also known as Carbanak, FIN7, and Anunak, this financially motivated threat group targets the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. \nCozy Bear | 20 | Also known as APT29, it often targets government networks in Europe and NATO member countries, research institutes, and think tanks. \nAPT37 | 20 | It is also linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are You Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. \n \nTable 2. 
Most Active Threat Actors for High-Risk Vulnerabilities \n\n## Top Ten Most Exploited Vulnerabilities by Malware\n\nNow, let\u2019s check some of the vulnerabilities commonly exploited by malware.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-4-Top-10-Vulnerabilities-Exploited-by-Malwares.png>)Fig 4. Top Ten Vulnerabilities Exploited by Malware for High-Risk Vulnerabilities\n\nTitle | CVEs | Malware Count | TruRisk Score (QVS) | Description \n---|---|---|---|--- \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 467 | 100 | The absolute granddaddy of all CVEs most exploited by malware. In the history of CVEs, this would be the most beloved malware CVE of all time. \nMicrosoft Office/WordPad Remote Code Execution Vulnerability | CVE-2017-0199 | 92 | 100 | [Allows a malicious actor to download a Visual Basic script containing PowerShell commands. Works reliably across a wide attack surface. Popular with APT Groups.](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) \nJava Applet Field Bytecode Verifier Cache RCE | CVE-2012-1723 | 91 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system. \nMicrosoft Office Remote Code Execution Vulnerability | CVE-2017-8570 | 52 | 100 | [Executes remote code by tricking the user into opening a malicious RTF file. Bypasses the patch for CVE-2017-0199. Known to be used in malware spam campaigns.](<https://www.zscaler.com/blogs/security-research/cve-2017-8570-and-cve-2018-0802-exploits-being-used-spread-lokibot>) \nWindows Graphics Device Interface (GDI) RCE | CVE-2019-0903 | 30 | 93 | Exploits a vulnerability in the Graphics Component, a fundamental part of the Windows OS used for rendering graphics. \nMicrosoft Office Memory Corruption Vulnerability | CVE-2018-0802 | 29 | 100 | Exploits a vulnerability that was not patched by the fix for CVE-2017-11882. 
\nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon) | CVE-2021-26855 | 19 | 100 | [Allows an unauthenticated user to run arbitrary commands on the Exchange server in its default configuration. Heavily exploited by the Hafnium group among others.](<https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \nMicrosoft Windows Netlogon Privilege Escalation (ZeroLogon) | CVE-2020-1472 | 17 | 100 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. Lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Windows CryptoAPI Spoofing Vulnerability | CVE-2020-0601 | 17 | 95 | Enables attackers to execute spoofing attacks, masquerading malicious programs as legitimate software apparently authenticated with a genuine digital signature. This essentially allows the delivery of malware under the guise of legitimate software. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 12 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. It can be chained with CVE-2021-34523 and CVE-2021-31207, making it more attractive to cybercriminals. \n \nTable 3. Top Ten Vulnerabilities Exploited by Malware for High-Risk Vulnerabilities\n\n## Top Ten Most Active Malware\n\nAnd here\u2019s a list of the ten most common malware names known to exploit vulnerabilities to compromise systems.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-5-Most-Active-Malwares.png>)Fig 5. Most Active Malware for High-Risk Vulnerabilities\n\nMalware | CVEs Count | Description \n---|---|--- \nHeuristic | 117 | Heuristic viruses can refer to malware detected by heuristic analysis or to the virus Heur.Invader, which compromises a device\u2019s security and antivirus measures. 
Some examples of heuristic viruses include adware and Trojans. \nWacatac | 94 | Also known as Trojan:Win32/Wacatac.B, this trojan horse is designed to steal personal information, such as passwords, credit card numbers, and other sensitive data. \nPidief | 73 | Pidief malware is a file infector that infects executable files, such as .exe files, modifying them so that they execute the Pidief malware. \nSkeeyah | 52 | Skeeyah malware is a file infector that infects executable files, such as .exe files. It modifies the file so that the Skeeyah malware executes when the file is opened. \nBitrep | 49 | Trojan horse virus that infiltrates a computer via a vulnerability in Adobe Flash. It is downloaded from a malicious website without the user's knowledge or consent and may cause performance degradation and security malfunctions, leading to unauthorized users gaining remote access. \nMeterpreter | 46 | Meterpreter is a malicious trojan-type program that allows cyber criminals to remotely control infected computers without writing anything to disk. This malware can log keystrokes, recording keyboard input (keys pressed) to steal credentials (logins, passwords) linked with various accounts and personal information. \nSwifi | 42 | Trojan horse virus that infiltrates a computer via a vulnerability in Adobe Flash. Swifi is downloaded from a malicious website without the user's knowledge or consent and may cause performance degradation and security malfunctions, leading to unauthorized users gaining remote access. \nIFrame | 38 | Malicious iframes are used to inject malicious content into a website and can be spread through malicious websites that contain iframes with malicious content. \nLotoor | 35 | It infects Android devices, often spreading through malicious apps available on third-party app stores. These apps may appear legitimate, but they actually contain the Lotoor malware. 
\nRedirector | 34 | Redirects users to malicious websites without their knowledge or consent. This type of malware can be very dangerous, leading users to download other malicious software or enter personal information. \n \nTable 4. Most Active Malware for High-Risk Vulnerabilities\n\n## Top Ten Vulnerabilities Exploited by Ransomware\n\nLastly, let's examine the vulnerabilities that ransomware tends to exploit. **Ransomware is a particular type of malware that encrypts data on storage systems, rendering it inaccessible unless the victim pays a ransom, typically in Bitcoin.** Since the notorious WannaCry crypto-ransomware incident in May 2017, the use of such malicious software has notably escalated.\n\nThe latest report of this escalating threat involves a data breach via MOVEit Transfer, for which the BlackCat ransomware gang claimed responsibility. The same group claims to be behind the data theft attack on Reddit.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-6-Top-10-Vulnerabilities-Exploited-by-Ransomware.png>)Fig 6. Top Ten Vulnerabilities Exploited by Ransomware for High-Risk Vulnerabilities\n\n**Title** | **CVEs** | **Ransomware Count** | **TruRisk Score (QVS)** | **Description** \n---|---|---|---|--- \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 14 | 100 | Allows an unauthenticated attacker to exploit the vulnerability in SMBv1 to completely compromise systems. It was used by the [WannaCry crypto worm](<https://en.wikipedia.org/wiki/WannaCry_ransomware_attack>) as part of a worldwide cyberattack. \nJava AtomicReferenceArray deserialization RCE | CVE-2012-0507 | 42 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system by tricking the user into visiting a malicious link. Old CVE, but still relevant. 
\nJava Applet Field Bytecode Verifier Cache RCE | CVE-2012-1723 | 13 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system. \nWindows SMB v1 Remote Code Execution (WannaCry) | CVE-2017-0145 | 13 | 100 | Allows an unauthenticated, remote attacker to read arbitrary files, giving the attacker access to private keys or user/password information, which is then used to gain further unauthorized access. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 12 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. It can be chained with CVE-2021-34523 and CVE-2021-31207, making it more attractive to cybercriminals. \nPulse Connect Secure SSL VPN Vulnerability | CVE-2019-11510 | 12 | 100 | Allows an unauthenticated attacker to exploit the vulnerability in SMBv1 to completely compromise systems. It was leveraged by the WannaCry crypto worm as part of a worldwide cyberattack. \nWindows SMB v1 Remote Code Execution (WannaCry) | CVE-2017-0144 | 12 | 95 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Windows Netlogon Privilege Escalation (ZeroLogon) | CVE-2020-1472 | 11 | 93 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34523 | 10 | 100 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. 
\nCitrix Application Delivery Controller/NetScaler RCE | CVE-2019-19781 | 10 | 100 | Allows an unauthenticated attacker to execute arbitrary code on the system. Was leveraged to drop NOTROBIN malware to maintain persistent access. \n \nTable 5. Top 10 Vulnerabilities Exploited by Ransomware for High-Risk Vulnerabilities\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-7-Most-Active-Ransomwares.png>)Fig 7. Most Active Ransomware for High-Risk Vulnerabilities\n\n**Ransomware** | **CVEs Count** | **Description** \n---|---|--- \n**Conti** | 30 | Conti is a Ransomware-as-a-Service (RaaS) targeting corporations and agencies by stealing and threatening to publish their sensitive data unless a ransom is paid. It uses unique encryption keys for each file and victim and leverages the Windows Restart Manager to unlock files for encryption. \n**Cerber** | 30 | This modular ransomware can spread through email attachments, exploit kits, and drive-by downloads. It encrypts files and demands a ransom payment in Bitcoin. \n**REvil** | 25 | This modular ransomware can spread through email attachments, exploit kits, and drive-by downloads. It encrypts files and demands a ransom payment in Bitcoin. \n**Sodinokibi** | 21 | A successor to REvil that is even more sophisticated. It can encrypt files on all types of devices, including servers, laptops, and mobile phones. \n**Lucky** | 21 | This ransomware is known for its aggressive spam campaigns. It sends emails with malicious attachments that, when opened, infect the victim's computer with ransomware. \n**GandCrab** | 19 | This ransomware is known for its high ransom demands. It has targeted businesses in various industries, including healthcare, finance, and manufacturing. \n**Ryuk** | 17 | This ransomware is known for its high ransom demands. It has targeted businesses in various industries, including healthcare, finance, and manufacturing. 
\n**Reveton** | 16 | Known for its scareware tactics, this ransomware displays a fake warning message claiming the victim's computer has been infected with malware. The message demands that the victim pay a ransom to remove the malware. \n**STOP** | 15 | Its operators are known to be aggressive and persistent, often threatening to release stolen data or to attack systems again if the ransom is not paid. \n**Satan** | 15 | Ransom demands from Satan ransomware can be very high, and there is no guarantee that victims will get their data back even if they pay. Used in attacks against high-profile organizations, healthcare, education, government, and businesses of all sizes. \n \nTable 6. Most Active Ransomware for High-Risk Vulnerabilities\n\n## Prioritizing Exploited Vulnerabilities with Qualys VMDR and TruRisk\n\nMalicious actors frequently target diverse sets of vulnerabilities to accomplish their objectives. As such, keeping track of who is exploiting what can be daunting, and it is certainly not an efficient use of time for practitioners or security and risk management leaders.\n\nHence, **Qualys VMDR with TruRisk** substantially simplifies prioritization by translating the risk associated with vulnerabilities, assets, and asset groups into an easily understandable score that both technical and non-technical teams can comprehend.\n\nObserve that each vulnerability mentioned above has a TruRisk Score (QVS) of over 90. TruRisk re-evaluates these factors daily and has consistently assigned these vulnerabilities a score higher than 90.\n\nSo, from a prioritization standpoint, any issue with a score of 90 or above should be immediately prioritized and remediated.\n\nLet\u2019s take CVE-2017-11882 as an example. 
The TruRisk score clearly indicates why this is a high-risk vulnerability, with more than 400 malware and 50 threat actors exploiting it, and **we see evidence of exploitation as recently as July 16th, 2023, for a 6-year-old vulnerability.**\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-8-Microsoft-Office-Memory-Corruption-Vulnerability_-CVE-2017-11882.jpg>)\n\nFig 8. Microsoft Office Memory Corruption Vulnerability: CVE-2017-11882\n\n## Assess Your Organization's Exposure to Risk / TruRisk Dashboard\n\nQualys VMDR helps organizations get instant visibility into high-risk vulnerabilities, especially those exploited in the wild.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-9-1.jpg>)\n\nFig 9. Qualys VMDR TruRisk Dashboard for High-Risk Vulnerabilities\n\nThe fastest way to gain insight into your TruRisk is to download and import the TruRisk Dashboard into your VMDR subscription.\n\nThe TruRisk VMDR Dashboard is available here \u2013 [Download the Dashboard](<https://blog.qualys.com/wp-content/uploads/2023/07/Qualys_VMDR_TruRisk__UDDashboard.zip>)\n\nOnce you have that visibility, patch with Qualys Patch Management to reduce the risk immediately.\n\n## Key Insights & Takeaways\n\n * The time to Known Exploited Vulnerability (KEV) is down to eight days for CVEs published in 2023. Defenders should leverage automation to patch high-risk vulnerabilities.\n * CVE-2017-11882 stands out as the pinnacle among CVEs in its exploitation by malware, threat actors, and ransomware groups. With over 400 malware, 50 threat actors, and 14 ransomware groups taking advantage of this vulnerability, it will likely be remembered as the most cherished attacker CVE ever.\n * Attackers prominently exploit vulnerabilities in popular applications such as Microsoft Office, Microsoft Exchange, Windows operating systems, Java, Pulse Secure SSL VPN, and Citrix ADC/NetScaler. 
Attackers seek these applications **primarily due to their widespread usage and potential for exploiting security weaknesses.**\n * Organizations should leverage threat intelligence to prioritize vulnerabilities that reduce the risk of exploitation.\n * Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a **TruRisk score of 90 or higher,** greatly simplifying the prioritization process.\n\nConcluding this series, in the next blog we will discuss the _**15 most exploited vulnerabilities ever**_.\n\nWatch out for our next blog.\n\n## References\n\n * <https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>\n * <https://blog.qualys.com/qualys-insights/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>\n * <https://blog.qualys.com/vulnerabilities-threat-research/2022/12/16/implement-risk-based-vulnerability-management-with-qualys-trurisk-part-2>\n * <https://blog.qualys.com/qualys-insights/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>\n\n## Additional Contributor\n\nShreya Salvi, Data Scientist, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-07-18T13:38:53", "type": "qualysblog", "title": "Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers\u2019 Edition)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2012-0507", "CVE-2012-1723", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2019-0903", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0601", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228"], "modified": "2023-07-18T13:38:53", "id": "QUALYSBLOG:1D4C1F32168D08F694C602531AEBC9D9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a governments\u2019 response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform****\n\nQualys is strongly committed to the security of our customers and their data. 
In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits, and compromises. We hold our platforms to the highest security and compliance mandates, such as [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys recommends that all organizations take the following actionable steps to adopt a heightened cybersecurity posture and protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance:\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets\n\n#### Discover and protect your external facing assets\n\nAn organization\u2019s internet-facing systems represent much of their 
potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target in attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. 
Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, report open ports, and detect services on each port. Qualys CSAM supports an extensive query language that enables teams to report and act on detected external-facing assets that have a remote-control service running (for example Windows Remote Desktop).\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software\n\nFlag assets within your inventory that are missing antivirus or have signatures that are not up to date. CSAM allows you to define Software Rules and assign required software to a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR monitors endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus, such as Living-off-the-Land attacks and MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys researchers analyzed all 300+ CVEs in CISA's Known Exploited Vulnerabilities catalog and mapped them to Qualys QIDs. Many of these CVEs have had patches available for the past several years. 
A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerability reports focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or the VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment.\n\nThe following critical vulnerabilities cataloged by CISA are specifically known to be exploited by Russian state-sponsored APT actors for initial access:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code 
Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities\n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create patch and configuration-fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the patches required to remediate them, downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed, including new vulnerabilities added to the CISA catalog in the future.\n\n#### Monitor and ensure your software is always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status to help organizations manage their technical debt and reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life and end-of-support dates.\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk it poses. Prioritize your remediation efforts based on the software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. 
\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 is the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations\n\nProtect your public cloud infrastructure by securing the following services as a priority:\n\n * **IAM**: Ensure all users have MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.).\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\nAutomatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n#### Protect your Office 365 and Other SaaS Services\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with any admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. 
This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. 
In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, 
CVE-2021-26858, CVE-2021-27065| 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes**\n\n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique**| **Procedure** \n---|---|--- \nReconnaissance 
[[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Phishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)]| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Supply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. 
They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Steal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Credentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. 
\nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited the Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Unsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-03T17:01:01", "description": "The earlier blog posts showcased an overview of the **vulnerability threat landscape** that is either remotely exploited or most targeted by attackers._ _A quick recap \u2013 We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.\n\nThis blog post will focus on **Qualys\u2019 Top Twenty Vulnerabilities, **targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.\n\nSome of these vulnerabilities are part of the recent [**CISA Joint Cybersecurity Advisory (CSA)**](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>)**,** published on August 3, 2023; you can access it from [**2022 Top Routinely Exploited Vulnerabilities**](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a>)**.**\n\nRead on- \n\n## Stats on the Top 20 Vulnerable Vendors & By-Products\n\n**Fig 1. Top Vulnerable Vendor**\n\n**Fig 2. 
Top Vulnerable Products**\n\n## Top Twenty Most Targeted by Attackers\n\n### **1. CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2021, 2022, 2023 (79 times)**\n\nIt was exploited by 467 Malware, 53 Threat Actors, and 14 Ransomware and was trending in the wild as recently as August 31, 2023.\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\n**Qualys Vulnerability Detection (QID): 110308**\n\nDisclosed in 2017, CVE-2017-11882 is a **significant memory corruption vulnerability** in Microsoft Office's Equation Editor. It could enable an attacker to execute arbitrary code under the current user's permissions.\n\nIf the user has administrative rights, the attacker could gain complete control of the system, install programs, alter data, or create new user accounts with full privileges. This vulnerability is exploited when the user opens a specially crafted file, potentially sent via email or hosted on a compromised website.\n\nIt has been exploited primarily in various cyber-attacks and espionage campaigns.\n\n### 2\\. **CVE-2017-0199: Microsoft WordPad Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (59 times)**\n\nIt was exploited by 93 Malware, 53 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 110297**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2017-0199 is a notable remote code execution vulnerability that affects specific Microsoft Office and WordPad versions when they parse specially crafted files. It is the vulnerability most favored by malware, threat actors, and ransomware. 
\n\nIf successfully exploited, an attacker could execute arbitrary code in the current user's security context, potentially taking control of the system. Exploitation involves a user opening or previewing a maliciously crafted file, often sent via email. Microsoft has addressed this vulnerability by correcting how Office and WordPad parse these files and by enabling certain API functionality in Windows for further resolution.\n\n### 3\\. **CVE-2012-0158: Vulnerability in Windows Common Controls Could Allow RCE**\n\n**Vulnerability Trending Over Years: 2013, 2020, 2021, 2023 (33 times)**\n\nIt was exploited by 63 Malware, 45 Threat Actors, and 2 Ransomware and was trending in the wild as recently as August 31, 2023.\n\n**Qualys Vulnerability Detection (QID): 90793**\n\nCVE-2012-0158 is a substantial remote code execution vulnerability in Windows Common Controls. An attacker can exploit the flaw by constructing a specially crafted webpage. Upon viewing this webpage, the vulnerability can allow remote code execution, potentially granting the attacker the same rights as the logged-on user.\n\nIf the user has administrative privileges, this could mean total control of the affected system. Disclosed in 2012, this vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights.\n\n### 4\\. **CVE-2017-8570: Microsoft Office Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (25 times)**\n\nIt was exploited by 52 Malware and 11 Threat Actors and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 110300**\n\nCVE-2017-8570 is a significant remote code execution vulnerability in Microsoft Office and WordPad. It involves the way these applications handle specially crafted files. 
It can be exploited by an attacker who convinces a user to open a specially designed file, potentially allowing the attacker to run arbitrary code on the victim's machine with the same privileges as the logged-in user; it has also served as a downloader for other high-profile malware.\n\n### 5\\. **CVE-2020-1472: Zerologon - An Unauthenticated Privilege Escalation to Full Domain Privileges**\n\n**Vulnerability Trending Over Years: 2020, 2021, 2022, 2023 (56 times)**\n\nIt was exploited by 18 Malware, 16 Threat Actors, and 11 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 91680**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2020-1472, or **Zerologon**, is a severe vulnerability in Microsoft's Netlogon Remote Protocol due to a flawed implementation of AES-CFB8 encryption.\n\nUsing a fixed initialization vector and accepting unencrypted sessions allows an attacker to impersonate a server and compromise the entire Windows domain. The attacker takes control over all the Active Directory identity services.\n\n### 6\\. 
**CVE-2017-0144, CVE-2017-0145, CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability (WannaCry, Petya)**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (50 times)**\n\nIt was exploited by 12 Malware, 10 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 1, 2023.\n\n**Qualys Vulnerability Detection (QID): 91361, 91360, 91359, 91345**\n\nCommonly known as MS17-010, or by the Shadow Brokers leak names "ETERNALBLUE," "ETERNALSYNERGY," and "ETERNALROMANCE," this is a remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol.\n\nThe vulnerability arises from how SMBv1 handles specific requests, allowing an attacker (usually authenticated) to send a specially crafted packet to an SMBv1 server, enabling them to execute code on the target server.\n\nIt was infamously exploited in the widespread WannaCry ransomware attack in 2017, leading to global data encryption and ransom demands.\n\n### 7\\. **CVE-2012-1723: Java Applet Field Bytecode Verifier Cache Remote Code Execution**\n\n**Vulnerability Trending Over Years: 2023 (6 times)**\n\nIt was exploited by 91 Malware, 8 Threat Actors, and 41 Ransomware and was trending in the wild as recently as August 17, 2023.\n\n**Qualys Vulnerability Detection (QID): 120274**\n\nCVE-2012-1723 is a substantial vulnerability found in the Java Runtime Environment. It can be exploited through a malicious web page hosting a rogue Java applet.\n\nThe issue, originating from a type-confusion error in the "HotSpot" component, allows untrusted Java applets or applications to bypass the Java sandbox security restrictions and execute arbitrary code on a user's system.\n\n### 8\\. 
**CVE-2021-34473, CVE-2021-34523, CVE-2021-31207: Microsoft Exchange Server RCE (ProxyShell)**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (39 times)**\n\nIt was exploited by 12 Malware, 20 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 50114, 50111, 50112**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nProxyShell is a chain of vulnerabilities that impacts on-premises Microsoft Exchange Server, which is widely used for email and associated services globally.\n\nThese vulnerabilities exist in the Microsoft Client Access Service (CAS), typically running on port 443 in IIS and often exposed to the internet to allow users to access their email remotely. This exposure has led to widespread exploitation by threat actors deploying web shells to execute arbitrary code on compromised devices. Together, the vulnerabilities allow an actor to bypass authentication and execute code as a privileged user.\n\n### 9\\. **CVE-2019-11510: Pulse Secure Pulse Connect Secure SSL VPN Unauthenticated Path**\n\n**Vulnerability Trending Over Years: 2019, 2020, 2023 (53 times)**\n\nIt was exploited by 13 Malware, 18 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 38771**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2019-11510 is a critical vulnerability found in Pulse Connect Secure, a widely used VPN solution by Pulse Secure. The flaw enables an unauthenticated, remote attacker to exploit a specific endpoint and read arbitrary files on the system, including sensitive information such as private keys and user credentials.\n\nDue to its severity, it can provide an attacker with access to the corporate network similar to that of a legitimate user.\n\n### 10\\. 
**CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (77 times)**\n\nIt was exploited by 10 Malware, 26 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 376157, 730297**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-44228, or "Log4Shell," is a severe vulnerability in Apache's log4j Java library. The flaw lies in the 'lookups' feature of log4j, which lets an attacker use a specially crafted input to trigger the execution of a remote Java class served via an LDAP server, leading to Remote Code Execution.\n\nThis issue is highly dangerous whenever user input containing specific characters is logged by log4j. It can trigger a Java method lookup, resulting in the execution of an attacker-defined remote Java class served via an LDAP server, leading to Remote Code Execution (RCE) on the server running the vulnerable log4j instance.\n\n### 11\\. **CVE-2014-6271: Shellshock \u2013 Linux Bash Vulnerability**\n\n**Vulnerability Trending Over Years: 2014, 2016, 2017, 2020, 2021, 2022, 2023 (70 times)**\n\nIt was exploited by 18 Malware and 1 Threat Actor and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 122693, 13038, 150134**\n\nShellshock (CVE-2014-6271) is a critical vulnerability affecting the Unix Bash shell in many Linux, Unix, and Mac OS systems. It allows remote code execution by misusing Bash's processing of environment variables, enabling attackers to append and execute malicious commands. It has a high severity score since it can impact multiple devices and applications, risking unauthorized data access or service disruption.\n\n### 12\\. 
**CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (30 times)**\n\nIt was exploited by 21 Malware, 10 Threat Actors, and 7 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 91447**\n\nCVE-2018-8174 is a critical vulnerability in Microsoft Windows' VBScript Engine, enabling remote code execution. Triggered by viewing a malicious website with Internet Explorer or opening a rigged Microsoft Office document, this flaw allows an attacker to manipulate memory objects and execute code. The attacker can fully control the system if the user has administrative rights.\n\n### 13\\. **CVE-2013-0074: Microsoft Silverlight Could Allow Remote Code Execution**\n\n**Vulnerability Trending Over Years: 2023 (8 times)**\n\nIt was exploited by 62 Malware and 50 Ransomware and was trending in the wild as recently as August 20, 2023.\n\n**Qualys Vulnerability Detection (QID): 90870**\n\nCVE-2013-0074 is a remote code execution vulnerability in Microsoft Silverlight, which permits a crafted Silverlight application to access memory unsafely, thereby leading to the execution of arbitrary code under the current user\u2019s security context.\n\nIf the user has admin rights, the attacker can install programs, alter or delete data, or generate new accounts with full privileges. The user can be deceived into visiting a malicious website or clicking on a link, commonly through an email or instant message.\n\n### 14\\. 
**CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Vulnerability**\n\n**Vulnerability Trending Over Years: 2023 (10 times)**\n\nIt was exploited by 66 Malware, 3 Threat Actors, and 42 Ransomware and was trending in the wild as recently as July 26, 2023.\n\n**Qualys Vulnerability Detection (QID): 119956**\n\nCVE-2012-0507 is a critical vulnerability in the Java Runtime Environment (JRE) allowing untrusted Java applets to execute arbitrary code outside the Java sandbox. Originating from a flaw in the AtomicReferenceArray class implementation, **this vulnerability was exploited by Flashback Trojan in 2012**. It was observed to have led to one of the most significant known malware attacks on Apple devices. Attackers can exploit this vulnerability by tricking users into visiting a malicious website hosting a Java applet.\n\n### 15\\. **CVE-2019-19781: Citrix ADC and Citrix Gateway - Remote Code Execution (RCE) Vulnerability**\n\n**Vulnerability Trending Over Years: 2020, 2022, 2023 (60 times)**\n\nIt was exploited by 11 Malware, 12 Threat Actors, and 10 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 372305, 150273**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2019-19781, or "Shitrix," is a significant vulnerability associated with Citrix Application Delivery Controller (ADC) and Citrix Gateway, allowing unauthenticated attackers to perform arbitrary code execution, granting them access to internal network resources.\n\nThe flaw resides in the VPN component of the affected products, enabling directory traversal and giving attackers both read and write access to the underlying file system.\n\n### 16\\. 
**CVE-2018-0802: Microsoft Office Memory Corruption Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (19 times)**\n\nIt was exploited by 29 Malware and 24 Threat Actors and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 110310**\n\nCVE-2018-0802 is a critical vulnerability within Microsoft Office and WordPad, which, if exploited, allows remote code execution via specially crafted files.\n\nAttackers can run arbitrary code in the current user's context, potentially taking over the system if the user holds administrative rights. This vulnerability was notably used in targeted attacks and was being actively exploited before Microsoft released a security update in January 2018 that correctly handles objects in memory, resolving the issue.\n\n### 17\\. **CVE-2021-26855: Microsoft Exchange Server Authentication Bypass (RCE)**\n\n**Vulnerability Trending Over Years: 2021, 2023 (46 times)**\n\nIt was exploited by 19 Malware, 22 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 50107, 50108**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-26855, a part of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that enables attackers to bypass authentication mechanisms and impersonate users.\n\nThe flaw allows arbitrary HTTP requests, granting access to users' mailboxes and enabling information theft. It has been widely exploited by various threat actors, leading to emergency patches by Microsoft.\n\n### 18\\. 
**CVE-2019-2725: Oracle WebLogic Affected by Unauthenticated RCE Vulnerability**\n\n**Vulnerability Trending Over Years: 2019, 2020, 2022, 2023 (53 times)**\n\nIt was exploited by 10 Malware, 4 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 150267, 87386**\n\nCVE-2019-2725 is a severe remote code execution vulnerability in Oracle WebLogic Server that allows unauthenticated attackers to execute arbitrary code over a network without user interaction. It was quickly weaponized to install cryptocurrency miners.\n\n### 19\\. **CVE-2018-13379: Fortinet FortiGate (FortiOS) System File Leak through Secure Sockets Layer (SSL)**\n\n**Vulnerability Trending Over Years: 2020, 2021, 2023 (41 times)**\n\nIt was exploited by 6 Malware, 13 Threat Actors, and 6 Ransomware and was trending in the wild as recently as August 30, 2023.\n\n**Qualys Vulnerability Detection (QID): 43702**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2018-13379 is a path traversal vulnerability found in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read sensitive system files via specially crafted HTTP requests. The exploit could expose SSL VPN session data, leading to more severe attacks.\n\n### 20\\. **CVE-2021-26084: Atlassian Confluence Server Webwork OGNL Injection RCE Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (35 times)**\n\nIt was exploited by 8 Malware, 6 Threat Actors, and 8 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 730172, 150368, 375839**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-26084 is a critical vulnerability in Atlassian's Confluence Server and Data Center, specifically within the Webwork OGNL component. 
This vulnerability can enable an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance, potentially compromising system integrity.\n\n## TruRisk Dashboard\n\nQualys VMDR helps organizations get instant visibility into high-risk and top twenty vulnerabilities.\n\n[Fig 3. Qualys VMDR TruRisk Dashboard for Top 20 Vulnerabilities](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/09/Blog-3.jpg>)\n\nThe **Qualys VMDR TruRisk Dashboard** gives organizations complete visibility into open vulnerabilities, focusing on your organization\u2019s global risk score and high-risk vulnerabilities. Once you have identified the vulnerable assets for these top twenty CVEs and prioritized them among your remediation owners, you can use Qualys Patch Management to instantly reduce the risk.\n\nThe TruRisk VMDR Dashboard is available here: [Download the Dashboard](<https://blog.qualys.com/wp-content/uploads/2023/09/Qualys_VMDR_TruRisk__Dashboard.zip>)\n\n## Key Insights & Takeaways\n\n * In the current Vulnerability Threat Landscape, identifying open vulnerabilities and remediating them effectively is the highest priority for every defender.\n * Among the vast number of CVEs available, you need to know the weaponized high-risk vulnerabilities that are actively targeted by Threat Actors, Malware, and ransomware families.\n * Use multi-dimensional Threat Intelligence to prioritize vulnerabilities rather than implementing multiple siloed threat approaches.\n * Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a TruRisk score of 90 or higher, greatly simplifying the prioritization process.\n\n## References\n\n * [Part 1: An In-Depth Look at the Latest Vulnerability Threat Landscape](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>)\n * [Part 2: An 
In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers\u2019 Edition)](<https://blog.qualys.com/vulnerabilities-threat-research/2023/07/18/part-2-an-in-depth-look-at-the-latest-vulnerability-threat-landscape-attackers-edition>)\n\n## Additional Contributors\n\n * **Shreya Salvi, Data Scientist, Qualys**\n * **Saeed Abbasi, Product Manager, Vulnerability Research**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-04T14:00:00", "type": "qualysblog", "title": "Qualys Top 20 Most Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2012-0507", "CVE-2012-1723", "CVE-2013-0074", "CVE-2014-6271", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-13379", "CVE-2018-8174", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-2725", "CVE-2020-1472", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228"], "modified": "2023-09-04T14:00:00", "id": "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "href": 
"https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T05:27:25", "description": "_AvosLocker is a ransomware group that was identified in 2021, specifically targeting Windows machines. Now a new variant of AvosLocker malware is also targeting Linux environments. In this blog, we examine the behavior of these two AvosLocker ransomware variants in detail._\n\nAvosLocker is a relatively new ransomware-as-a-service that was first spotted in late June 2021. The attackers use spam email campaigns as the initial infection vector for delivery of the ransomware payload. During the encryption process, files are appended with the ".avos" extension. An updated variant appends the extension ".avos2". Similarly, the Linux version appends the extension ".avoslinux".\n\nAfter every successful attack, the AvosLocker gang releases the names of their victims on the Dark Leak website hosted on the TOR network and offers the exfiltrated data for sale. URL structure: `hxxp://avosxxx\u2026xxx[.]onion`\n\nThe AvosLocker gang also advertises their latest ransomware variants on the Dark Leak website. URL structure: `hxxp://avosjonxxx\u2026xxx[.]onion`\n\nThe gang has claimed, \u201cThe AvosLocker's latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.\u201d They offer an affiliate program that provides ransomware-as-a-service (RaaS) for potential partners in crime.\n\nRecently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. This allows the gang to target a wider range of organizations. 
It also has the ability to kill ESXi VMs, making it particularly nasty.\n\nAccording to [deepweb research](<https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/>) by Cyble Research Labs, the threat actors behind the AvosLocker ransomware group are exploiting Microsoft Exchange Server vulnerabilities using ProxyShell to compromise the victim\u2019s network.\n\nCVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.\n\n### Technical Analysis of AvosLocker Windows Variant\n\n#### Command-Line Options\n\nThe following figure shows a sample of the command-line options.\n\nFig. 1: Command Line Option\n\nThe available options allow control over items like enabling/disabling SMB brute force, mutex creation, or the number of concurrent threads. \nIf no options are given, the malware runs with default options as shown in figure 2, where it ignores encryption of network drives and SMB shares. It runs 200 concurrent threads of its file encryption routine.\n\nFig. 2: Execution with Default Parameter\n\nDuring execution, the malware console displays detailed information about its progress on the screen (fig. 3).\n\nFig. 3: Progress Details\n\nMost of the strings in the malware are kept in XOR-encrypted form. The decryption routines are similar; only the registers and keys differ (fig. 4). Strings are decrypted just before their use.\n\nFig. 4: Commonly Used Decryption Routine\n\nInitially, the malware collects the command-line options provided when the application was launched (fig. 5).\n\nFig. 5: Get command-line Options\n\nThen it decrypts the mutex name \u201cCheic0WaZie6zeiy\u201d and checks whether it is already running, to avoid multiple instances (fig. 6).\n\nFig. 6: Mutex Creation\n\nAs shown in figure 7, AvosLocker uses multi-threaded tactics. 
It calls the APIs below to create multiple worker threads and share file paths among them, making full use of multi-core CPUs.\n\nAPIs called:\n\n * CreateIoCompletionPort()\n * PostQueuedCompletionStatus()\n * GetQueuedCompletionStatus()\n\nFig. 7: Use of CreateIoCompletionPort\n\nThe code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority to encrypt data as quickly as possible.\n\nFig. 8: Create Thread In-Loop and Set Priority\n\nAvosLocker ransomware performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using the APIs WNetOpenEnum() and WNetEnumResource().\n\nFig. 9: Search Network Share\n\nBefore selecting a file for encryption, it checks the file attributes and skips the file if \u201c**FILE_ATTRIBUTE_HIDDEN**\u201d or \u201c**FILE_ATTRIBUTE_SYSTEM**\u201d is set, as shown in figure 10.\n\nFig. 10: Check File Attribute\n\nOnce the file attribute check is passed, it performs the file extension check. It skips a file if its extension matches one of the extensions shown in figure 11.\n\nFig. 11: Skip Extension List\n\nIt also contains a list of files and folders that are skipped during encryption (fig. 12).\n\nFig. 12: Skip File Folder List\n\nAvosLocker uses RSA encryption, and it comes with a fixed hardcoded ID and RSA public key of the attacker (fig. 13).\n\nFig. 13: Hardcoded Public Key\n\nAfter file encryption using RSA, it uses the ChaCha20 algorithm to encrypt encryption-related information (fig. 14).\n\nFig. 14: Use of ChaCha20\n\nIt appends this encryption-related information (fig. 15) to the end of the file in Base64-encoded form.\n\nFig.15: Encryption Related Information\n\nThen it appends the "avos2" extension to the file using MoveFileWithProgressW (fig. 16).\n\nFig. 16: Add Extension Using Move File\n\nAs seen in figure 17, it has appended the "avos2" extension.\n\nFig. 
17: File with Updated Extension\n\nIt writes a ransom note (fig. 18) named \u201cGET_YOUR_FILES_BACK.txt\u201d to each encrypted directory before encryption of the file.\n\nFig. 18: Ransom Note\n\nThe ransom note instructs the user to not to shut down the system in case encryption is in progress to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and to obtain the decryption key to decrypt the application or files.\n\n#### AvosLocker Payment System\n\nAfter submitting the "ID" mentioned on the ransom note to AvosLocker's website (fig. 19), the victim will be redirected to the "payment" page.\n\nFig. 19: AvosLocker's Website\n\nIf the victim fails to pay the ransom, the attacker then puts the victim\u2019s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) mentioned on the site.\n\nFig. 20: List of Victims\n\nAvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). They provide \u201chelpful\u201d services to clients such as:\n\n * Supports Windows, Linux & ESXi.\n * Affiliate panel\n * Negotiation panel with push & sound notifications\n * Assistance in negotiations\n * Consultations on operations\n * Automatic builds\n * Automatic decryption tests\n * Encryption of network resources\n * Killing of processes and services with open handles to files\n * Highly configurable builds\n * Removal of shadow copies\n * Data storage\n * DDoS attacks\n * Calling services\n * Diverse network of penetration testers, access brokers and other contacts\n\nFig. 21: Partnership Program\n\n### Technical Analysis of AvosLocker Linux Variant\n\nIn this case, the AvosLocker malware arrives as an elf file. As shown in figure 22, the analyzed file is x64 based Linux executable file.\n\nFig. 22: File Details\n\nIt\u2019s a command-line application having some command-line options (fig. 23).\n\nFig. 
23: Command-Line Options\n\nThe `<Thread count>` parameter as shown above represents the number of threads that can be created to encrypt files simultaneously. It possesses the capability to kill ESXi VMs based on the parameter provided while executing.\n\nUpon execution, the malware first collects information about the number of threads that need to be created. Then it checks for string \u201cvmfs\u201d in the file path provided as a command-line argument (fig. 24).\n\nFig. 24: Checks for \u201cvmfs\u201d\n\nAfter that, it also checks for string \u201cESXi\u201d in the file path provided as a command-line argument (fig. 25).\n\nFig. 25: Checks for \u201cESXi\u201d\n\nIf this parameter is found, then it calls a routine to kill the running ESXi virtual machine (fig. 26).\n\nFig. 26: Code to Kill ESXi Virtual Machine\n\nThe command used for killing the ESXi virtual machine is as shown in figure 27.\n\nFig. 27: Command to Kill Running ESXi Virtual Machine\n\nFurther, AvosLocker drops a ransom note file (fig. 28) at the targeted directory.\n\nFig. 28: Create ransom note\n\nAfter that, it starts creating a list of files that must be encrypted. Before adding a file path to the list, it checks whether it is a regular file or not (fig. 29). Only regular files are added to the encryption list.\n\nFig. 29: Checks File Info\n\nAvosLocker skips the ransom note file and any files with the extension \u201cavoslinux\u201d from adding into the encryption list (fig. 30).\n\nFig. 30: Skip \u201cavoslinux\u201d Extension File\n\nThen it calls the mutex lock/unlock API for thread synchronization as shown in figure 31.\n\nFig. 31: Lock-Unlock Mutex for Thread Synchronization\n\nBased on the number of threads specified, it creates concurrent CPU threads (fig. 32). This helps in encrypting different files simultaneously at a very fast speed.\n\nFig. 
32: Create Threads in Loop\n\nAvosLocker\u2019s Linux variant makes use of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.\n\nFile-related information, along with the encryption key used, appears to be encrypted and then Base64-encoded. This encoded information is appended to the end of each encrypted file (fig. 33).\n\nFig. 33: File-related Info added at the end\n\nFigure 34 shows the malware appending the extension \u201c.avoslinux\u201d to the encrypted file names.\n\nFig. 34: Append file extension \u201c.avoslinux\u201d after encryption\n\nBefore starting file encryption, it creates a ransom note named \u201cREADME_FOR_RESTORE\u201d. The content of this ransom note is shown in figure 35.\n\nFig. 35: Ransom Note\n\nThe ransom note instructs the victim not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with a TOR browser to pay the ransom and to obtain the decryption key and decryption application.\n\n### Indicators of Compromise (IOCs):\n \n \n Windows: C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02\n \n \n Linux: 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1\n \n \n URL:\n hxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion\n hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion\n\n### TTP Map:\n\nInitial Access| Execution| Defense Evasion| Discovery| Impact \n---|---|---|---|--- \nPhishing (T1566)| User Execution (T1204)| Obfuscated Files or Information (T1027)| System Information Discovery (T1082)| Data Encrypted for Impact (T1486) \n| | | File and Directory Discovery (T1083)| Inhibit System Recovery (T1490)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-07T05:18:46", "type": "qualysblog", "title": "AvosLocker Ransomware Behavior Examined on Windows & Linux", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-07T05:18:46", "id": "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-11T20:27:44", "description": "**Update March 10, 2021**: A new section describes how to respond with mitigation controls if patches cannot be applied, as recommended by Microsoft. This section details the Qualys Policy Compliance control ids for each vulnerability.\n\n**Update March 8, 2021**: Qualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. QID 50108 is available in VULNSIGS-2.5.125-3 version and above, and is available across all platforms as of March 8th, 1:38 AM ET. This QID is not applicable to agents, so the signature version for the agent will not be updated. 
QID: 50107, released in VULNSIGS-2.5.121-4 and Windows Cloud Agent manifest 2.5.121.4-3 and above, will accurately detect this vulnerability via agents.\n\n**Original Post**: On March 2nd, [Microsoft released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.\n\nTo detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.\n\nCVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\nAmong the above CVEs, [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. These vulnerabilities are related to the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\nAt the time of the security update release the vulnerabilities affect only on-premises Microsoft Exchange Server installations. 
Exchange Online is not affected.\n\n### CVE Technical Details\n\n**[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)** is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premises Exchange servers. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.\n\n**[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server. \n\n**[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)** is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.\n\n**[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)** is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.\n\n### Attack Chain\n\nMicrosoft has provided details regarding how the HAFNIUM threat actor group is exploiting the above-mentioned critical CVEs. The following sequence of steps summarizes Microsoft\u2019s findings.\n\n 1. The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.\n 2. 
After successfully establishing the connection, the threat actor group exploits CVE-2021-26857, which gives them the ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.\n 3. As part of their post-authentication actions, the threat actor group exploits [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) and proceeds to write files to any path on the target server.\n\nIt has been observed that after gaining initial access, the threat actor group deployed web shells on the compromised target server.\n\nThe following table shows the MITRE ATT&CK Technique and Tactic details.\n\n**Tactic**| **Technique**| **Sub-Technique**| **TID** \n---|---|---|--- \nReconnaissance| Gather Victim Identity Information| Email Addresses| T1589.002 \nReconnaissance| Gather Victim Network Information| IP Addresses| T1590.005 \nResource Development| Develop Capabilities| Exploits| T1587.004 \nInitial Access| Exploit Public-Facing Application| -| T1190 \nExecution| Command and Scripting Interpreter| PowerShell| T1059.001 \nPersistence| Create Account| Domain Account| T1136.002 \nPersistence| Server Software Component| Web Shell| T1505.003 \nCredential Access| OS Credential Dumping| LSASS Memory| T1003.001 \nCredential Access| OS Credential Dumping| NTDS| T1003.003 \nLateral Movement| Remote Services| SMB/Windows Admin Shares| T1021.002 \nCollection| Archive Collected Data| Archive via Utility| T1560.001 \nCollection| Email Collection| Remote Email Collection| T1114.002 \nCollection| Email Collection| Local Email Collection| T1114.001 \nCommand and Control| Remote Access Software| -| T1219 \nExfiltration| Exfiltration over Web Service| Exfiltration to Cloud Storage| T1567.002 \n \n### Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR\n\n##### Identify Microsoft 
Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange server systems.\n\nQuery: _operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cExchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n##### Discover Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always updated KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\nVMDR query: `vulnerabilities.vulnerability.qid:50107`\n\n\n\nQID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.121.4-3 and above.\n\nQualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. This QID is not applicable to agents. 
QID 50108 is available in VULNSIGS-2.5.125-3 version and above.\n\nOrganizations that use on-premises Exchange installations typically also enable Outlook Web Access (OWA), which is exposed to the internet to allow users to connect into their e-mail systems. It is therefore recommended organizations employ both remote and authenticated scanning methods to get the most accurate view of vulnerable assets, as using only the agent-based approach would not provide a comprehensive picture of the vulnerability exposure.\n\nWith VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Dashboard**: [Exchange Server 0-Day Dashboard | Critical Global View](<https://qualys-secure.force.com/customer/s/article/000006564>)\n\n\n\n##### Respond by Patching\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select \u201cqid: 50107\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Exchange Server 0-day.\n\n\n\nSecurity updates are available for the following specific versions of Exchange:\n\n * [Update for Exchange Server 2019](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires Cumulative Update (CU) 8 or CU 7\n * [Update for Exchange Server 2016](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 19 or CU 18\n * [Update for Exchange Server 2013](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 23\n * [Update for Exchange Server 2010](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459>): Requires SP 3 or any SP 3 RU\n * This is a defense-in-depth update.\n\nUsers are encouraged to apply patches as soon as possible.\n\n##### Respond with Mitigation Controls if Patches Cannot Be Applied\n\nWe recognize not all organizations may be able patch their systems right away. In such scenarios Microsoft has recommended a few [interim mitigation controls](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) to limit the exploitation of these vulnerabilities. 
[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has added controls based on these recommendations for impacted Exchange Servers 2013, 2016, and 2019. The vulnerability details and corresponding Control IDs (CIDs) are provided below.\n\n**CVE-2021-26855**: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.\n\n * **CID 20831** - Status of match URL of rewrite rule 'X-BEResource Abort - inbound' for which action is 'AbortRequest at site level\n * **CID 20834** - Status of match URL of rewrite rule 'X-AnonResource-Backend Abort - inbound' for which action is 'AbortRequest at site level\n\n**CVE-2021-26857**: Disabling the UM Service will mitigate this vulnerability.\n\n * **CID 20829** - Status of 'component' installed on the MS Exchange server\n * **CID 20828** - Status of Microsoft Exchange Unified Messaging Call Router service\n * **CID 20827** - Status of Microsoft Exchange Unified Messaging service\n\n**CVE-2021-27065**: Disabling OAB Application Pool will prevent this CVE from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. 
After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to Inactive.\n\n * **CID 20832** - Check the 'startMode' of the OAB Application Pool (MSExchangeOABAppPool)\n\n**CVE-2021-26858**: Disabling the ECP Virtual Directory will prevent CVE-2021-26858 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).\n\n * **CID 20833** - Check the 'startMode' of the ECP Application Pool (MSExchangeECPAppPool)\n\nQualys Policy Compliance can be used to easily monitor these mitigating controls for impacted Exchange assets.\n\n\n\nDrill down into failing controls to view details and identify issues.\n\n\n\n### Post-Compromise Detection Details\n\nAfter compromising a system, an adversary can perform the following activity:\n\nUse legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857, as these methods require administrative privileges.\n\n\n\nUse 7-Zip or WinRar to compress files for exfiltration.\n\n\n\nUse PowerShell-based remote administration tools such as Nishang & PowerCat to exfiltrate this data.\n\n\n\nTo maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. 
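The rewrite-rule mitigation for CVE-2021-26855 (CIDs 20831 and 20834) aborts any request carrying an X-AnonResource-Backend or X-BEResource cookie. The same two cookie names, together with the aspnet_client web shell directory listed in this post, also make a cheap retrospective hunt over IIS logs for servers that were exposed before the patch or the mitigation landed. The script below is an added example, not code from the Qualys post or from Microsoft: it assumes IIS W3C logging with the optional cs(Cookie) field enabled, every log line in SAMPLE_LOG is constructed, and the rule that flags an .aspx request under /aspnet_client/ is a heuristic assumption (that directory normally serves only static client scripts).

```python
"""Retrospective hunt over IIS W3C logs for CVE-2021-26855 cookie patterns.

Added example, not code from the Qualys post. Assumes IIS logging has the
optional cs(Cookie) field enabled; SAMPLE_LOG is constructed, not real data.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The two cookie names the IIS rewrite-rule mitigation (CID 20831 / 20834) aborts on.
SSRF_COOKIES = frozenset({"X-AnonResource-Backend", "X-BEResource"})
# Heuristic (assumption): /aspnet_client/ normally serves only static client
# scripts, and the post lists it as a web shell drop directory, so an .aspx
# request there deserves a look.
WEBSHELL_URI = re.compile(r"^/aspnet_client/.*\.aspx$", re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, placeholder URIs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2021-03-03 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 Mozilla/5.0 - 200
2021-03-03 10:01:09 10.0.0.5 GET /owa/auth/theme.js - 203.0.113.9 python-requests/2.25 X-AnonResource=true;+X-AnonResource-Backend=backend.example/ecp/a;+X-BEResource=backend.example/owa/b 200
2021-03-03 10:01:11 10.0.0.5 POST /ecp/main.js - 203.0.113.9 python-requests/2.25 X-BEResource=backend.example/ecp/c 200
2021-03-03 10:02:00 10.0.0.5 GET /ecp/default.aspx - 198.51.100.4 Mozilla/5.0 ASP.NET_SessionId=abc 200
2021-03-03 10:05:30 10.0.0.5 POST /aspnet_client/system_web/x.aspx - 203.0.113.9 python-requests/2.25 - 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def cookie_names(raw):
    """W3C writes spaces as '+' and '-' for an empty field; return the cookie names."""
    if raw in ("", "-"):
        return []
    decoded = unquote(raw.replace("+", " "))
    return [c.split("=", 1)[0].strip() for c in decoded.split(";") if c.strip()]


def detect(text):
    """Return the records that carry the SSRF cookies or touch the web shell path."""
    hits = []
    for rec in parse_w3c(text):
        reasons = []
        matched = sorted(SSRF_COOKIES.intersection(cookie_names(rec.get("cs(Cookie)", "-"))))
        if matched:
            reasons.append("ssrf-cookie:" + ",".join(matched))
        if WEBSHELL_URI.match(rec["cs-uri-stem"]):
            reasons.append("aspx-under-aspnet_client")
        if reasons:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
                         "reasons": reasons})
    return hits


def client_summary(hits):
    """Hits per source IP: the pivot to carry into HttpProxy logs and firewall data."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["method"], h["uri"], "; ".join(h["reasons"]))
    print(client_summary(found))
```

Presence of either cookie name is the signal, not its value, which is exactly what the AbortRequest rewrite rules key on; the summary by client IP is what you carry into the other log sources, since the web shell drop and the LSASS dump described next happen after the request that put the cookie in the log.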
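This post and the AvosLocker write-up above both end with file-based indicators: web shell drop directories and SHA-256 hashes here, ransom-note names, encrypted-file extensions and two sample hashes there. The sweep below is an added example that serves both posts (it is not Qualys code): it walks a tree once and applies both indicator sets. The directories, hashes, note names and extensions are copied from the two posts; the directory match is by lower-cased path suffix, an assumption chosen so the same rule works on a mounted disk image; and the demo tree that build_demo_tree() creates is constructed placeholder content, so the published hashes cannot match it, which is why sweep() takes the hash set as a parameter.

```python
"""Filesystem IOC sweep combining indicators from the two Qualys posts.

Added example, not code from either post. Directories, hashes, ransom-note
names and extensions are copied from the posts; the demo tree is constructed.
"""
import hashlib
import tempfile
from collections import Counter
from pathlib import Path, PurePosixPath

# ProxyLogon post: directories where the web shells were found (drive letter and
# %PROGRAMFILES% dropped; matched as a lower-cased path suffix, an assumption).
WEBSHELL_DIRS = (
    "inetpub/wwwroot/aspnet_client",
    "inetpub/wwwroot/aspnet_client/system_web",
    "microsoft/exchange server/v15/frontend/httpproxy/owa/auth",
    "microsoft/exchange server/v14/frontend/httpproxy/owa/auth",
    "exchange/frontend/httpproxy/owa/auth",
)
WEBSHELL_EXTS = {".aspx", ".php"}  # the post: ASPX- and PHP-based web shells
WEBSHELL_HASHES = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
# AvosLocker post: sample hashes, ransom-note names, encrypted-file extensions.
AVOS_HASHES = {
    "c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02",
    "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1",
}
RANSOM_NOTES = {"GET_YOUR_FILES_BACK.txt", "README_FOR_RESTORE"}
ENCRYPTED_EXTS = {".avos", ".avos2", ".avoslinux"}
KNOWN_HASHES = frozenset(WEBSHELL_HASHES | AVOS_HASHES)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def in_webshell_dir(rel):
    """rel: PurePosixPath relative to the sweep root."""
    parent = rel.parent.as_posix().lower()
    return any(parent.endswith(d) for d in WEBSHELL_DIRS)


def classify(root, path, known_hashes):
    """Return the indicator kinds one file matches (may be several)."""
    rel = PurePosixPath(path.relative_to(root).as_posix())
    kinds = []
    if sha256_file(path) in known_hashes:
        kinds.append("known_hash")          # high confidence
    if path.suffix.lower() in WEBSHELL_EXTS and in_webshell_dir(rel):
        kinds.append("webshell_candidate")  # triage against a known-good baseline
    if path.name in RANSOM_NOTES:
        kinds.append("ransom_note")
    if path.suffix.lower() in ENCRYPTED_EXTS:
        kinds.append("encrypted_file")
    return kinds


def sweep(root, known_hashes=KNOWN_HASHES):
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            for kind in classify(root, path, known_hashes):
                findings.append((kind, path.relative_to(root).as_posix()))
    return findings


def build_demo_tree(base):
    """Constructed sample tree: placeholder text, not real malware or shells."""
    files = {
        "inetpub/wwwroot/aspnet_client/system_web/help.aspx": "placeholder aspx",
        "inetpub/wwwroot/aspnet_client/system_web/script.js": "// benign static asset",
        # logon.aspx is a legitimate Exchange file; it lands on the candidate
        # list too, which is why the path rule is a triage list, not a verdict.
        "Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/logon.aspx": "placeholder",
        "Users/alice/Documents/budget.xlsx.avos2": "placeholder",
        "Users/alice/Documents/GET_YOUR_FILES_BACK.txt": "placeholder note",
        "vmfs/volumes/datastore1/vm1/vm1.vmdk.avoslinux": "placeholder",
        "vmfs/volumes/datastore1/README_FOR_RESTORE": "placeholder note",
    }
    base = Path(base)
    for rel, text in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return base


def demo(simulate_hash_hit=False):
    """Build the demo tree in a temp dir, sweep it, return counts per kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        hashes = set(KNOWN_HASHES)
        if simulate_hash_hit:  # stand-in for a real IOC hit: hash one demo file
            hashes.add(sha256_file(root / "inetpub/wwwroot/aspnet_client/system_web/help.aspx"))
        return dict(Counter(kind for kind, _ in sweep(root, frozenset(hashes))))


if __name__ == "__main__":
    for kind, rel in sweep(build_demo_tree(tempfile.mkdtemp())):
        print(f"{kind:20} {rel}")
```

Only the hash match is a verdict; the path-and-extension rule deliberately catches legitimate Exchange pages such as logon.aspx, so its output is a list to diff against a known-good install (or a second, clean server) rather than a list of shells. The ransom-note and extension rules are the opposite case: any hit is enough to start containment, because by the time those files exist, encryption is already running.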
Information about their probable location and their related hashes are mentioned below.\n\n**Web shell hashes**:\n \n \n b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n**Web shell paths**:\n\n`C:\\inetpub\\wwwroot\\aspnet_client\\ \nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V14\\FrontEnd\\HttpProxy\\owa\\auth\\ \nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\`\n\n### References\n\n * https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\n * https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss3": {}, "published": "2021-03-03T22:12:19", "type": "qualysblog", "title": "Microsoft Exchange Server Zero-Days (ProxyLogon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T22:12:19", "id": "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2023-08-12T00:28:46", "description": "The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency 
(NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the [2022 Top Routinely Exploited Vulnerabilities](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>).\n\nWe went over the list and it felt like a bad trip down memory lane. If you adhere to the expression \"those who ignore history are doomed to repeat it\" then you may consider the list as a valuable resource that you can derive lessons from. Unfortunately as George Bernard Shaw said:\n\n> "We learn from history that we learn nothing from history."\n\nBut since that's a self-contradicting expression, let's assume there are lessons to be learned.\n\n## Last year's top vulnerabilities\n\nFirst let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.\n\n * [CVE-2021-40539](<https://vulners.com/cve/CVE-2021-40539>) is a REST API authentication bypass vulnerability in [ManageEngine's single sign-on (SSO) solution](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. 
Noteworthy is that this vulnerability also made it into the [top 5 routinely exploited vulnerabilities of 2021](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>).\n * [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>), aka [Log4Shell](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>), is a vulnerability in Apache's Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.\n * [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>) is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.\n * [ProxyShell](<https://www.malwarebytes.com/blog/news/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities>) is a combination of three vulnerabilities in Microsoft Exchange Server ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>), [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>), and [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. Proxyshell also made it into the top 5 routinely exploited vulnerabilities of 2021.\n * [CVE-2021-26084](<https://vulners.com/cve/CVE-2021-26084>) is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. 
Attempted mass exploitation of this vulnerability was observed in September 2021, and the vulnerability also made it into the top 5 routinely exploited vulnerabilities of 2021.\n\nLooking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year's list. Let's take a stab at that. So we're looking for easy-to-overlook and/or hard-to-patch vulnerabilities in the 2022 list that we haven't already covered above.\n\n## This year's top vulnerabilities?\n\nThese are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.\n\n * [CVE-2022-22954](<https://vulners.com/cve/CVE-2022-22954>) and [CVE-2022-22960](<https://vulners.com/cve/CVE-2022-22960>) are two vulnerabilities that can be chained to allow Remote Code Execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these [VMware vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns>) began in early 2022 and attempts continued throughout the remainder of the year.\n * [CVE-2022-26134](<https://vulners.com/cve/CVE-2022-26134>) is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. 
The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.\n * [CVE-2022-1388](<https://vulners.com/cve/CVE-2022-1388>) is a vulnerability in the F5 [BIG IP platform](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>) that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.\n * [CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>), aka [Follina](<https://www.malwarebytes.com/blog/news/2022/06/faq-mitigating-microsoft-offices-follina-zero-day>), is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.\n\nSo I was hoping we can strike a deal. I'll check next year how well this prediction does and you all patch these vulnerabilities real quick, so I can write about some new ones next year.\n\n* * *\n\n**We don't just report on vulnerabilities--we identify them, and prioritize action.**\n\nCybersecurity risks should never spread beyond a headline. 
Keep vulnerabilities in tow by using [Malwarebytes Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-07T18:30:00", "type": "malwarebytes", "title": "2022's most routinely exploited vulnerabilities\u2014history repeats", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-07T18:30:00", "id": "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "href": "https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United 
Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. 
CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are three vulnerabilities that are commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>): [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large user base and which is usually set up as an Internet-facing instance. 
Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. 
An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. 
When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an [advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably, the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector.\n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. 
The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. 
In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service, which of these vulnerabilities gets used may depend on the affiliate.\n\nThe Exchange Server vulnerabilities are named as CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This attack chain is generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). 
The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. 
The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need to be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vulnerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. 
The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and 
[CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. 
[CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * Apply patches as they come, prioritizing the most critical flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). 
Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. 
The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the four CVEs, we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. 
Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Volexity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation and the vulnerabilities, and also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE, who named the vulnerability ProxyLogon. 
They called it [ProxyLogon](<https://proxylogon.com/>) because this bug exploits the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on compromised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). 
You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). 
\n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research 
Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. 
The backdoor code itself is hard to recognize as malicious, which also makes it hard to determine its origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. 
Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prices and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several things you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. 
It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent 
warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. 
This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>), although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. 
MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. 
This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would add that you should also have a look at the mitigation advice for PetitPotam, and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! 
Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2023-08-04T08:27:53", "description": "A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022.\n\n\"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems,\" cybersecurity and intelligence agencies from the Five Eyes nations, which comprises Australia, Canada, New Zealand, the U.K., and the U.S., [said](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>) in a joint alert.\n\nThe continued weaponization of 
[CVE-2018-13379](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>), which was also one among the most exploited bugs in [2020](<https://thehackernews.com/2021/07/top-30-critical-security.html>) and [2021](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>), suggests a failure on the part of organizations to apply patches in a timely manner, the authorities said.\n\n\"Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs,\" according to the advisory. \"While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years.\"\n\n[CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) refers to a path traversal defect in the FortiOS SSL VPN web portal that could allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.\n\nSome of the other widely exploited flaws include:\n\n * [CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) (ProxyShell)\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (Unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus)\n * [CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)\n * [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (Log4Shell)\n * [CVE-2022-22954](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Remote code execution in VMware Workspace ONE Access and Identity 
Manager)\n * [CVE-2022-22960](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation)\n * [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (Unauthenticated remote code execution in F5 BIG-IP)\n * [CVE-2022-30190](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) (Follina)\n * [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)\n\n\"Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximize impact, emphasizing the benefit of organizations applying security updates promptly,\" the U.K.'s National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/ncsc-allies-reveal-2022-common-exploited-vulnerabilities>).\n\n\"Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations),\" the agencies noted.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-04T07:02:00", "type": "thn", "title": "Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-04T07:02:32", "id": "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "href": "https://thehackernews.com/2023/08/major-cybersecurity-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:04", "description": "Microsoft has [released emergency 
patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. 
The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. 
But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) an [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. 
Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", 
"CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. 
\u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. 
With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. 
Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of its customers' compromised Exchange servers had been deployed with crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. 
They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos, said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", 
"CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code 
execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n\n**ProxyOracle:**\n\n * [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability 
(Patched on May 11)\n * [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)\n\n**ProxyShell:**\n\n * [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)\n * [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)\n * [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)\n\n**Other:**\n\n * [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)\n\nOriginally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation attempts, organizations are highly recommended to install updates released by Microsoft.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T09:46:00", "type": "thn", "title": "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T09:46:09", "id": "THN:FA40708E1565483D14F9A31FC019FCE1", "href": "https://thehackernews.com/2021/08/hackers-actively-searching-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:27", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral 
movement.\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T12:04:40", "description": "Nicknamed ProxyNotShell, a new exploit used 
in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.\n\nBased on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 \u2013 to permit a remote actor to execute arbitrary code.\n\nDespite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying Exchange server by leveraging existing Exchange PowerShell, which could result in a full compromise.\n\nWith the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.\n\nThough a user needs to have the privilege to access CVE-2022-41040, which should curtail the vulnerability's accessibility to attackers, the required level of privilege is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered during an active attack against a Vietnamese organization called GTSC, granting attackers access to some of their clients. 
Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.\n\nThe chained vulnerabilities could grant an outsider attacker the ability to read emails directly off an organization's server, the ability to breach the organization with CVE-2022-41040 Remote Code Execution, and the ability to implant malware on the organization's Exchange Server with CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required \u2013 rated \"Low\" by Microsoft \u2013 has not yet been clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. This hopefully will prevent a replay of the 2021 ProxyShell debacle.\n\nYet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure of unknown efficacy.\n\nBlocking incoming traffic to Exchange Servers holding critical assets is also an option, though only practicable if such a measure does not impact vital operations; it should ideally be perceived as a temporary measure pending Microsoft's issuance of a verified patch.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to 
ProxyNotShell might prevent taking potentially disruptive and unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enables organizations to estimate their exact degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it on your environment yields the necessary information to validate exposure \u2013 or lack thereof - to ProxyNotShell.\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell is the most cost-efficient way to evaluate exactly which assets are exposed and to devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n_Image Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>)_\n\nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code 
execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow, according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed as deployed to vulnerable Microsoft Exchange servers, with over 100 incidents reported related to the exploit between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft 
Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. 
While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n_DLL infection flow_\n\nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. 
Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * 
[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and 
industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e100/iranian-hackers.jpg>)\n\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). 
The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) have revealed the group's connections to two companies, Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a 
June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. 
government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. 
against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-09T12:37:14", "description": "A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to its chameleonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. 
Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. 
The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "A new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies 
and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also enabled the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). 
\n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-controlled command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-forcing them by logging in with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers have gained lateral movement capabilities, they move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. 
\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems should be monitored continuously and kept up to date. 
Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-13T04:09:17", "description": "Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the 
wild.\n\nTracked as **CVE-2022-42475** (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests.\n\nThe company [said](<https://www.fortiguard.com/psirt/FG-IR-22-398>) it's \"aware of an instance where this vulnerability was exploited in the wild,\" urging customers to move quickly to apply the updates.\n\nThe following products are impacted by the issue -\n\n * FortiOS version 7.2.0 through 7.2.2\n * FortiOS version 7.0.0 through 7.0.8\n * FortiOS version 6.4.0 through 6.4.10\n * FortiOS version 6.2.0 through 6.2.11\n * FortiOS-6K7K version 7.0.0 through 7.0.7\n * FortiOS-6K7K version 6.4.0 through 6.4.9\n * FortiOS-6K7K version 6.2.0 through 6.2.11\n * FortiOS-6K7K version 6.0.0 through 6.0.14\n\nPatches are available in FortiOS versions 7.2.3, 7.0.9, 6.4.11, and 6.2.12 as well as FortiOS-6K7K versions 7.0.8, 6.4.10, 6.2.12, and 6.0.15. \n\nThe American network security company has also published indicators of compromise (IoCs) associated with the exploitation attempts, including the IP addresses and the artifacts that are present in the file system after a successful attack.\n\nThe advisory comes two months after Fortinet warned of active weaponization of another critical authentication bypass bug in FortiOS, FortiProxy, and FortiSwitchManager ([CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>), CVSS score: 9.6).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-13T03:34:00", "type": "thn", "title": "Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684", "CVE-2022-42475"], "modified": "2022-12-13T03:43:01", "id": "THN:6A1A5F396F8A43A1DA67A07FF545680A", "href": "https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-09T12:40:09", "description": "The US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried out by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. 
\n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. 
\"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. 
\n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with a low security posture, CISA has recommended that organizations patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": 
"Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.\n\n\"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,\" Boston-based cybersecurity firm Cybereason [said](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) in an analysis summarizing its findings.\n\nFirst documented by Cisco Talos in July 2020, [Prometei](<https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html>) is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and \"increase the amount of systems participating in its Monero-mining pool.\"\n\n\"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,\" Cybereason senior threat researcher Lior Rochberger said, adding it's \"built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns.\"\n\nThe intrusions take advantage of the recently patched vulnerabilities in [Microsoft Exchange Servers](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) with the goal of abusing the processing power of the Windows systems to mine Monero.\n\nIn the attack sequence observed by the firm, the adversary was found exploiting Exchange 
server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server. \n\nRecent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called \"Microsoft Exchange Defender\" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.\n\nInterestingly, newly unearthed evidence gathered from [VirusTotal](<https://www.virustotal.com/gui/file/cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256/details>) [artifacts](<https://www.virustotal.com/gui/file/fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f/details>) has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.\n\nPrometei has been observed in a multitude of victims spanning finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former [Soviet bloc](<https://en.wikipedia.org/wiki/Eastern_Bloc>) countries.\n\nNot much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as \"Russian.\" A separate Tor client module used to communicate with a Tor 
C2 server included a configuration file configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.\n\n\"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,\" Rochberger said. \"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.\"\n\n\"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\" she added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T07:42:00", "type": "thn", "title": "Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T15:00:17", "id": "THN:F2A3695D04A2484E069AC407E754A9C1", "href": "https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:15", "description": "Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. 
The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, including password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow, according to the NCSC, seven more vulnerabilities have been added into the mix, with the agency noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their 
targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-15T04:05:18", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiHjIXiW2zuHYHOZQbJKZD4p4uzwJHQdTAWhDUrxnxbxqVorwddxJ6Glgo6ERl_J1sIvlUI3AI6uug4KNSzj7-i_k6bmiZJO4-l33F5VRyfcJmN6tJHyz9cKIzx_FfcSyhR9ddrcoCcb5Gk5FgGjBg56GhIjX6JM3s3HkJJ7D0YkFii0-2B4IILpOZS/s728-e100/hack.jpg>)\n\nA proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.\n\n\"FortiOS exposes a management web portal that allows a user to configure the system,\" Horizon3.ai researcher James Horseman [said](<https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/>). 
\"Additionally, a user can SSH into the system which exposes a locked down CLI interface.\"\n\nThe issue, tracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), concerns an [authentication bypass](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.\n\nA successful exploitation of the shortcoming is tantamount to granting complete access \"to do just about anything\" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRUF5zXRq0j7JtozHreYQFvBZmHZaK79k53nzd5BkO7GRapjoRFkekYnIkcLCXVxw9mkLJS3UHKjGxK35wSa1VoHFc0Zf6y_GWxV0-TUy9uwKyXDgo3Jfsu6LvlLgEj49ayxN49j9vIbADLJYnPG5XgMHOvHquE-zMEAI94s02hvVLk4tDyYrLSqz4/s728-e100/poc.jpg>)\n\nThat said, the cybersecurity firm said that there are two essential prerequisites when making such a request -\n\n * Using the Forwarded header, an attacker is able to set the client_ip to \"127.0.0.1\"\n * The \"trusted access\" authentication check verifies that the client_ip is \"127.0.0.1\" and the User-Agent is \"Report Runner\" both of which are under attacker control\n\nThe release of the PoC comes as Fortinet [cautioned](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>) that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the issue by November 1, 2022.\n\nThreat intelligence firm GreyNoise has [detected](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) 12 unique IP addresses weaponizing CVE-2022-40684 as of October 13, 2022, with a majority of them [located](<https://viz.greynoise.io/query/?gnql=cve%3ACVE-2022-40684>) in Germany, followed by the U.S., Brazil, China, and France.\n\nWordPress security company WordFence also said it [identified](<https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/>) probing attempts from 21 different IP addresses to \"determine whether a Fortinet appliance is in place,\" while also observing HTTP requests matching the PoC to add an SSH key to the admin user.\n\n**_Update:_** Amid a [huge uptick](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) in vulnerability scans for the authentication bypass vulnerability, Fortinet on Friday released another advisory urging customers to upgrade affected appliances to the latest version as soon as possible.\n\n\"After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684>).\n\nIssues in Fortinet devices have been previously targeted by attackers to gain an initial foothold onto target networks. 
[CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), which has remained one of the most weaponized flaws in recent years, prompted the firm to issue [three follow-up alerts](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) in August 2019, July 2020, and again in April 2021.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T03:35:00", "type": "thn", "title": "PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-15T02:56:36", "id": "THN:3474CD6C25ADD60FF37EDC1774311111", "href": "https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, 
{"lastseen": "2023-05-31T16:21:21", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhDUoBIOWkWHTdL-b_c-RiXzt2DYzNR3SrlkUP7AEI4VkL-zsFLQI_OR3HPTcoECN1YA_cy_LgvVxd5dkMDtxDcHwiz2axDGQ8DlTK4piB4FyFJdsFInBZWhumL0MZGvQBtBhI7VLZDJjVeUE3A75apqjx5SDsfduake8zwaoUmeEO0b8SExNXMmXYZ/s728-e365/apachenifi.jpg>)\n\nA financially motivated threat actor is actively scouring the internet for unprotected [Apache NiFi instances](<https://nifi.apache.org/>) to covertly install a cryptocurrency miner and facilitate lateral movement.\n\nThe findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for \"/nifi\" on May 19, 2023.\n\n\"Persistence is achieved via timed processors or entries to cron,\" [said](<https://isc.sans.edu/diary/Your%20Business%20Data%20and%20Machine%20Learning%20at%20Risk%3A%20Attacks%20Against%20Apache%20NiFi/29900>) Dr. Johannes Ullrich, dean of research for SANS Technology Institute. \"The attack script is not saved to the system. 
The attack scripts are kept in memory only.\"\n\nA honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the \"/var/log/syslog\" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.\n\nIt's worth pointing out that [Kinsing](<https://www.akamai.com/blog/security/Kinsing-evolves-adds-windows-to-attack-list>) has a [track record](<https://www.akamai.com/blog/security-research/atlassian-confluence-vulnerability-observations>) of [leveraging](<https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html>) publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.\n\nIn September 2022, Trend Micro detailed an [identical attack chain](<https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html>) that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.\n\nUPCOMING WEBINAR\n\nZero Trust + Deception: Learn How to Outsmart Attackers!\n\nDiscover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!\n\n[Save My Seat!](<https://thn.news/z-inside-2>)\n\nSelect attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that's designed to collect SSH keys from the infected host to connect to other systems within the victim's organization.\n\nA notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.\n\n\"Due to its use as a data processing platform, NiFi servers often have access to business-critical data,\" SANS ISC said. 
\"NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the [NiFi server is not secured](<https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication>).\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-31T15:44:00", "type": "thn", "title": "Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2020-14883"], "modified": "2023-05-31T15:44:26", "id": "THN:80B476657ABE12ED91DD0E314BF8DA31", "href": "https://thehackernews.com/2023/05/cybercriminals-targeting-apache-nifi.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T16:30:00", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe-JObfxreJe3voT0gU0S71E013xl9EJTptEvFiIYrrr0cMALdF9FZR1Rc20JN7zmeC4ZC5In7OgjeASatCBiVJAMoaOPzikA75p2359zbFIla4cniv7wHpmaLMdvm4vDQ1qBrj6xaxkI0kesF0zlPgDbBpWlIDP7pInkBzVTb9UE9n5Gq14Dnjpq2/s728-e100/firewall.jpg>)\n\nFortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild.\n\nTracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests.\n\n\"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'\" the company [noted](<https://www.fortiguard.com/psirt/FG-IR-22-377>) in an advisory.\n\nThe list of impacted devices is below -\n\n * FortiOS version 7.2.0 through 7.2.1\n * FortiOS version 7.0.0 through 7.0.6\n * FortiProxy version 7.2.0\n * FortiProxy version 7.0.0 through 7.0.6\n * FortiSwitchManager version 7.2.0, and\n * FortiSwitchManager version 7.0.0\n\nUpdates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.\n\nThe disclosure comes days after Fortinet [sent](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) \"confidential advance customer communications\" to its customers, urging them to apply patches to mitigate potential attacks exploiting the flaw.\n\nIf updating to the latest version isn't an option, it's recommended that users disable the HTTP/HTTPS administrative interface, or alternatively limit IP 
addresses that can access the administrative interface.\n\n**_Update:_** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/cisa-has-added-one-known-exploited-vulnerability-catalog>) the Fortinet flaw to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, requiring federal agencies to apply patches by November 1, 2022.\n\nDetails and proof-of-concept (PoC) code for the vulnerability are [expected to become publicly available](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) in the coming days, in a move that could enable other threat actors to adopt the exploit to their toolset and mount their own attacks.\n\n\"Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this,\" Zach Hanley, chief attack engineer at Horizon3.ai, said.\n\n\"Past Fortinet vulnerabilities, like [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), have remained some of the [top exploited vulnerabilities](<https://thehackernews.com/2021/07/top-30-critical-security.html>) over the years and this one will likely be no different.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T06:21:00", "type": "thn", "title": "Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-12T13:16:52", "id": "THN:63560DA43FB5804E3B258BC62E210EC4", "href": "https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:41", "description": "[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have 
[targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security 
products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. 
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. 
The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be 
accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-03T09:56:17", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. 
as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical 
security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. 
\"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. 
All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers 
([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": 
"https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-16T15:26:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1sRBo_ZY7HgvKOAmX48Fm2WVmdgzaxlpLKjWJdIbcDmSPoMhKNRnvoEzs1CeLQfriVUkngqRhLj6-9awHtv_DcqbKgRbmXo_M_03xicrkKz34GxB6Z68bL51GfJszPQZSm7wdORW1UR-5UcTEgmW2YZ3RvbgUdobA9TKfRbeoXpG1vtvq1S-yeEcf/s728-e100/crypto-mining.jpg>)\n\nMalicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.\n\nCybersecurity company Trend Micro said it [found](<https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html>) the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux ([SELinux](<https://www.redhat.com/en/topics/linux/what-is-selinux>)), and others.\n\nThe operators behind the [Kinsing malware](<https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces>) have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of [Redis](<https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html>), [SaltStack](<https://redcanary.com/blog/kinsing-malware-citrix-saltstack/>), [Log4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), [Spring4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), and the Atlassian Confluence flaw ([CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>)).\n\nThe Kinsing actors have also been involved in campaigns against container environments via [misconfigured open Docker Daemon API 
ports](<https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability>) to launch a crypto miner and subsequently spread the malware to other containers and hosts.\n\nThe latest wave of attacks entails the actor weaponizing [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.\n\nIt's worth noting that the vulnerability has been [exploited in the past](<https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html>) by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh-utvgKxe36MyxmW2adubFVWxVKr-1Z4nJnB9nCLoIz72PJGF2D8Ti92uYdI0q1Y-KNK6paKazaUlHWRQZziPwY5119ANOJMXqaoGe4zOQOvqeEL1KkDD0Ed6TPx0FMjstH-f-8Sk0X--OysqaQnanHwm4INx3STYgUBwVWAo4Jzx5tnTWbKUt7EO4/s728-e100/hack.jpg>)\n\nSuccessful exploitation of the flaw was succeeded by the deployment of a shell script that's responsible for a series of actions: Removing the [/var/log/syslog](<https://help.ubuntu.com/community/LinuxLogFiles>) system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.\n\nThe shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of cron job.\n\n\"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems,\" Trend Micro said. \"This can range from malware execution [...] 
to theft of critical data, and even complete control of a compromised machine.\"\n\n## **TeamTNT actors make a comeback with new attacks**\n\nThe development comes as researchers from Aqua Security identified three new attacks linked to another \"vibrant\" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.\n\n\"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server,\" Aqua Security researcher Assaf Morag [said](<https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt>).\n\nWhat's notable about the attack chain is that it appears to be designed to break [SECP256K1 encryption](<https://en.bitcoin.it/wiki/Secp256k1>), which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegal computational power of its targets to run the ECDLP solver and get the key.\n\nTwo other attacks mounted by the group entail the exploitation of [exposed Redis servers](<https://blog.aquasec.com/container-attacks-on-redis-servers>) and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.\n\nTeamTNT's targeting of Docker REST APIs has been [well-documented](<https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html>) over the past year. 
But in an [operational security blunder](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>) spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi0IY0nHIYVyoplfjBcUxHe2UQ8HJC-CQsXJZNKOFuXC17C5Qr6a4wRSM0arKFfc-z29j61GI_am83TJutj7s1RlsF0UQx0uq8dvuNfezG7wqD3PYDPqFHBO8m7qopVHCWrgR4GYVjM8c_OlyO6Fl0eUcrIcwH9vV7RwxB2-SpZb-AiOpx65Z7kdB1W/s728-e100/cyber.jpg>)\n\nThe accounts \u2013 alpineos and sandeep078 \u2013 are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.\n\n\"The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany,\" Trend Micro's Nitesh Surana [said](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>).\n\n\"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out.\" Alternatively, \"the threat actors logged in to their DockerHub account using the credentials of alpineos.\"\n\nTrend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding it notified Docker about these accounts. \n\nIt's also recommending organizations to configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and [helpers](<https://github.com/docker/docker-credential-helpers>) to host user credentials.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-16T10:58:00", "type": "thn", "title": "Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2022-26134"], "modified": "2022-09-16T15:00:46", "id": "THN:FF1CD6F91A87ADD45550F34DE9C8204A", "href": "https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:13", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi9gb5J4PLNEOxKKFX0AtQmn2bTDIG7npW-qA9GjFCnWXfYi-8OQ9SwaukffMhVD5m6v18w7s2IpAunMHlqH_nua56nxSF75TEgWUfDcf1KLmAi1SoDdkWu8fPArAkFqIVxoe7CAN7QOWWYbeyshQ_288uhzAhqP4HxdGBKNYjXqgWRViZ4mY3tWIXj>)\n\nThe Apache Software Foundation on Thursday released additional security updates for its 
HTTP Server product to remediate what it says is an \"incomplete fix\" for an [actively exploited](<https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html>) path traversal and remote code execution flaw that it patched earlier this week.\n\n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>), as the new vulnerability is identified as, builds upon [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>), a flaw that impacts Apache web servers running version 2.4.49 and involves a [path normalization](<https://en.wikipedia.org/wiki/URI_normalization>) bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.\n\nAlthough the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the \"mod_cgi\" module was loaded and the configuration \"require all denied\" was absent, prompting Apache to issue another round of emergency updates.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgmP9T_SA-o28p-466VGcr78Opierbru3LfDlVgCT7nfEKQKBgOtCzZF_NPOrNPFlQ7eJPylLn2PZZ9equjRD9A7QS110HYjNvalKerBY2eb3flahaEkiLJHDTlWjOd8THOmBPNLqpyAi8vYLJ-uab-C08cNpuWCkNnPjJirzkc_4peC8oz756tcV43>)\n\n\"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,\" the company [noted](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) in an advisory. \"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\"\n\nThe Apache Software Foundation credited Juan Escobar from Dreamlab Technologies, Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>) it's \"seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,\" urging \"organizations to patch immediately if they haven't already.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T04:47:00", "type": "thn", "title": "New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T02:57:44", "id": "THN:A0816B13A402B9865C624E3CA1B06EA5", "href": "https://thehackernews.com/2021/10/new-patch-released-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2022-09-07T21:07:14", "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of [Iranian actor PHOSPHORUS](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>). Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270\u2019s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270\u2019s operations.\n\nDEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. 
This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.\n\nIn some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.\n\nUsing these observations, this blog details the group\u2019s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\nFigure 1. Typical DEV-0270 attack chain\n\n## Who is DEV-0270?\n\nMicrosoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (\u0646\u0627\u062c\u06cc \u062a\u06a9\u0646\u0648\u0644\u0648\u0698\u06cc \u0647\u0648\u0634\u0645\u0646\u062f), located in Karaj, Iran.\n\nThe group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.\n\nAs with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. 
Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\n## Observed actor activity\n\n### Initial access\n\nIn many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon\u2014this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit [Log4j 2 vulnerabilities](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>), Microsoft has not observed this activity used against customers to deploy ransomware.\n\n### Discovery\n\nUpon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command [_wmic_](<https://docs.microsoft.com/windows/win32/wmisdk/wmic>)_ computersystem get domain _obtains the target\u2019s domain name. The _whoami_ command displays user information and _net user_ command is used to add or modify user accounts. 
For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.\n\n * wmic computersystem get domain\n * whoami\n * net user\n\nOn the compromised Exchange server, the actor used the following command to understand the target environment.\n \n \n Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders\n\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.\n\n\n\n### Credential access\n\nDEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.\n \n \n \"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\n\nThe actor then uses _rundll32.exe_ and _comsvcs.dll_ with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. 
The file name is also reversed to evade detections (_ssasl.dmp)_:\n\n\n\n### Persistence\n\nTo maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named _DefaultAccount _with a password of _P@ssw0rd1234,_ to the device using the command _net user /add._ The _DefaultAccoun_t account is typically a pre-existing account set up but not enabled on most Windows systems.\n\nThe attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using _netsh.exe_ to allow RDP connections, and adds the user to the remote desktop users group:\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD\n \n \n \"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\n\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed _dllhost.exe_, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.\n\nFigure 2. Scheduled task used in DEV-0270 attacks\n\n### Privilege escalation\n\nDEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. 
When the group uses Impacket\u2019s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.\n\nAnother form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses _powershell.exe_ and _net.exe_ commands to create or enable this account and add it to the administrators\u2019 group for higher privileges.\n\n### Defense evasion\n\nDEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the _DefaultAccount_ account to add it to the Administrators and Remote Desktop Users groups. The modification of the _DefaultAccount_ provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses _powershell.exe_ to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.\n\nAdditionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. 
They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: _dllhost.exe_, _task_update.exe_, _user.exe_, and _CacheTask_. Using .bat files and _powershell.exe_, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.

### Lateral movement

DEV-0270 has been seen creating _defaultaccount_ and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.

Along with RDP, [Impacket](<https://github.com/SecureAuthCorp/impacket/>)’s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.

An example of a command using Impacket’s WMIExec from a remote device:

```
cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1657130354.2207212 2>&1
```

### Impact

DEV-0270 has been seen using _setup.bat_ commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses _DiskCryptor_, an open-source full disk encryption system for Windows that allows for the encryption of a device's entire hard drive. The group drops _DiskCryptor_ from an RDP session and, when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.

The following are DEV-0270’s PowerShell commands using BitLocker:

Microsoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers.
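As an added example that is not code from the Microsoft post, the following Python detection pass runs over constructed process-creation and file-creation telemetry and flags the Persistence behaviours described above (RDP enabled through the Terminal Server registry values, the netsh rule for port 3389, DefaultAccount created or enabled with net.exe), the WMIExec output-redirection pattern shown in the Lateral movement section, and a reversed LSASS dump file name. The rule names, the event dictionary format and every sample value are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Detection rules for the behaviours in the Persistence and Lateral movement sections:
# (rule name, event kind, command-line pattern). The rules themselves are my own construction.
RULES = [
    ("rdp_enabled_via_registry", "process", re.compile(
        r'reg(?:\.exe)?"?\s+add\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"?'
        r'.*?/v\s+(?:fDenyTSConnections\b.*?/d\s+0\b|TSEnabled\b.*?/d\s+1\b)', re.I)),
    ("rdp_firewall_rule_added", "process", re.compile(
        r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b'
        r'.*?\blocalport=3389\b', re.I)),
    # "/add" creates the account; "/active:yes" is net.exe's switch for enabling a disabled one.
    ("defaultaccount_added_or_enabled", "process", re.compile(
        r'\bnet1?(?:\.exe)?\s+user\s+DefaultAccount\b.*?(?:/add\b|/active:yes\b)', re.I)),
    # WMIExec redirects each command's output to ADMIN$\__<epoch timestamp> over loopback.
    ("impacket_wmiexec_pattern", "process", re.compile(
        r'cmd\.exe\s+/Q\s+/c\s+.+?\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1', re.I)),
]

def reversed_lsass_name(path: str) -> bool:
    """True for a .dmp whose stem is 'lsass' spelled backwards, as with ssasl.dmp."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".dmp" and p.stem.lower()[::-1] == "lsass"

def classify(event: dict) -> list[str]:
    """Return the names of every rule a single event matches."""
    hits = [name for name, kind, rx in RULES
            if event["kind"] == kind and rx.search(event["value"])]
    if event["kind"] == "file" and reversed_lsass_name(event["value"]):
        hits.append("reversed_lsass_dump_name")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the event values that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["value"])
    return findings

# Constructed sample telemetry (command lines plus one file-create path); not real logs.
SAMPLE_EVENTS = [
    {"kind": "process", "value": r'"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0'},
    {"kind": "process", "value": r'"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389'},
    {"kind": "process", "value": "net user DefaultAccount /add"},
    {"kind": "process", "value": r"cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1657130354.2207212 2>&1"},
    {"kind": "file", "value": r"C:\Windows\Temp\ssasl.dmp"},
    {"kind": "process", "value": 'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=443'},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one entry per triggered rule; the benign port-443 firewall rule in the sample produces no finding, which is the kind of negative case worth keeping in a rule's unit tests.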
The current detections, advanced detections, and IOCs in place across our security products are detailed below.

## Recommended mitigation steps

The techniques used by DEV-0270 can be mitigated through the following actions:

* Apply the [corresponding security updates for Exchange Server](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>), including applicable fixes for [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>). While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.
* For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.
* If you don't have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.
* Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. If the threat actor has exploited these vulnerabilities to install malware, installing the updates _does not_ remove implanted malware or evict the actor.
* Use [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.
* Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.
* Enforce strong local administrator passwords. Use tools like [LAPS](<https://docs.microsoft.com/previous-versions/mt227395\(v=msdn.10\)?redirectedfro