Every second Tuesday of the month it's 'Patch Tuesday'. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.
It's always important to patch, but the update that was released on January 12 is one to pay attention to. That's because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.
### The vulnerability in Windows Defender
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
The vulnerability in Windows Defender was registered as [CVE-2021-1647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1647>)—a Remote Code Execution ([RCE](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>)) vulnerability—and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft:
> "While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory."
### I don’t see an update for this vulnerability
If you are missing this fix in your list, it's possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.
### What version of Windows Defender am I using?
The first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:
* From the Windows Start Menu, search for **Windows Security** and click on the result that has the **App** text and the “white on blue” shield.
* When Windows Security opens, click on the gear box icon with the **Settings** text at the bottom left of the Window.
* When the Settings screen opens, click on the **About** link.
* The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).
* The **engine version** is the one that matters here. It needs to be at 1.1.17700.4 or newer.
*Figure: Finding the Windows Defender version*
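The same check can be done without clicking through the Windows Security app. This is an added example, not code from the original post: it reads the engine version with the built-in Defender PowerShell module (`Get-MpComputerStatus`, which Windows 10 ships) and compares it against the first patched build, 1.1.17700.4; the function name `Test-DefenderEnginePatched` is our own.

```powershell
# Added example (not from the original post). Compares the running Defender
# scanning engine version against the first build Microsoft shipped with the
# CVE-2021-1647 fix (1.1.17700.4). Assumes the Defender PowerShell module is
# present, which it is on a stock Windows 10 install.

function Test-DefenderEnginePatched {
    param(
        # Engine version string as reported by Defender, e.g. "1.1.17700.4".
        [Parameter(Mandatory)][string]$EngineVersion,
        # First patched engine build named in the post.
        [string]$FixedVersion = '1.1.17700.4'
    )
    # [version] compares numerically per component, so "1.1.17800.5" sorts
    # above "1.1.17700.4" even though a string compare would get it wrong.
    return ([version]$EngineVersion) -ge ([version]$FixedVersion)
}

# Live check on this machine. AMEngineVersion is the "Engine version" shown
# on the About page; AMProductVersion is the Antimalware Client Version.
$status = Get-MpComputerStatus
"Client version : $($status.AMProductVersion)"
"Engine version : $($status.AMEngineVersion)"

if (Test-DefenderEnginePatched -EngineVersion $status.AMEngineVersion) {
    "Engine is at or above 1.1.17700.4: the CVE-2021-1647 fix is present."
} else {
    # Defender pulls engine updates outside the monthly cycle; force one and re-check.
    "Engine is older than 1.1.17700.4: requesting an engine/definition update..."
    Update-MpSignature
    $after = (Get-MpComputerStatus).AMEngineVersion
    "Engine version after update: $after"
}
```

Run it in an elevated PowerShell window if `Update-MpSignature` is needed; the version query itself works for a standard user.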
### The rest of the Microsoft updates
The total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It's always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.
Stay safe, everyone!
The post [Microsoft issues 83 patches, one for actively exploited vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
In February, 0patch analysts gave details about [where the bug exists](<https://threatpost.com/exploit-details-unpatched-microsoft-bug/164083/>) and how it could be triggered in real-world attacks \u2013 notably, by just visiting a website.\n\n## Fake Security Company\n\nOn March 17, Google TAG saw the same threat actors set up a new site, with associated social-media profiles, for a fake, Turkey-based security company called \u201cSecuriElite\u201d that was offering pen tests, software security assessments and exploits.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/10/18112203/fake_security_company_ad.jpg>)\n\nTweet from fake security company SecuriElite announcing the new company. Source: Google TAG.\n\n\u201cLike previous websites we\u2019ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker\u2019s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered,\u201d Weidermann said in a [March 31 update](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>).\n\nAs of January, Google TAG had only seen the threat actors going after Windows campaigns. Besides Twitter, they used a variety of other platforms \u2013 including LinkedIn, Telegram, Discord, Keybase and email \u2013 to reach out to potential targets in the security research community.\n\nAccording to [The Record](<https://therecord.media/twitter-suspends-two-accounts-used-by-dprk-hackers-to-catfish-security-researchers/>), neither of the two most recently closed accounts in the campaign \u2013 @lagal1990 and @shiftrows13 \u2013 had more than 1,000 followers. 
Google TAG hasn\u2019t yet published analysis to indicate whether the accounts had started to reach out to researchers before they were closed or whether they were still building up their reputations.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T16:23:21", "type": "threatpost", "title": "Twitter Suspends Accounts Used to Snare Security Researchers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-10-18T16:23:21", "id": "THREATPOST:25717276FF4A4B28101C95CA25FAAC85", "href": "https://threatpost.com/twitter-suspends-security-researchers/175524/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-13T05:41:44", "description": "Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its [January Patch Tuesday roundup of fixes](<https://msrc.microsoft.com/update-guide>). 
In total it patched 83 vulnerabilities.\n\nThe most serious bug is a flaw in Microsoft\u2019s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. Security experts are warning that Windows users who have not connected to the internet recently, and so have not received an auto-update, should patch now.\n\n\u201cThis bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you\u2019ll need to manually apply the patch,\u201d wrote Dustin Childs, Trend Micro\u2019s Zero Day Initiative (ZDI) security manager.\n\nResearchers believe the vulnerability, [tracked as CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), has been exploited for the past three months and was leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>). Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.\n\nAffected versions of Microsoft Malware Protection Engine range from 1.1.17600.5 to 1.1.17700.4 running on Windows 10, Windows 7 and Windows Server, version 2004, [according to](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) the security bulletin.\n\n## **Publicly Known Bug Fixed Twice**\n\nMicrosoft patched a second vulnerability, which researchers believe was also being exploited in the wild, tracked as [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>). The flaw is classified as an elevation-of-privilege bug and impacts the Windows [print driver process SPLWOW64.exe](<https://goliathtechnologies.com/troubleshoot-resolve-citrix-splwow64-exe-issues-p>).\n\nThe bug was first discovered by Google and patched. 
But ZDI believes that patch was insufficient and opened the door to further attacks. Childs said that ZDI re-discovered the flaw a second time, which Microsoft patched again on Tuesday.\n\n\u201cThe previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref,\u201d Childs wrote in a prepared [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/1/12/the-january-2021-security-update-review>).\n\n## **Additional Critical Bugs**\n\nEight additional bugs rated critical were also part of Microsoft\u2019s Tuesday vulnerability fixes.\n\nThese included a remote code-execution bug in Microsoft\u2019s Edge web browser. The vulnerability (CVE-2021-1705) is memory-related and tied to the way the browser improperly accesses objects in memory.\n\n\u201cSuccessful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user,\u201d wrote Justin Knapp, senior product marketing manager with Automox, in prepared analysis. \u201cIf the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.\u201d\n\nAdditional critical bugs were tied to Windows Graphics Device Interface (CVE-2021-1665), HEVC Video Extensions (CVE-2020-1643), and the Microsoft DTV-DVD Video Decoder (CVE-2020-1668).\n\nFive January Patch Tuesday flaws (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673) were each Remote Procedure Call bugs. As the name suggests, the vulnerabilities exist in the Windows Remote Procedure Call authentication process. 
If exploited, an attacker could gain elevation of privileges, run a specially crafted application and take complete control of the targeted system.\n\n\u201cWith the SolarWinds breach still fresh from December and the scope of impact growing by the day, there\u2019s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits,\u201d Knapp wrote. \u201cWhether it\u2019s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.\u201d\n", "cvss3": {}, "published": "2021-01-12T21:45:23", "type": "threatpost", "title": "Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1643", "CVE-2020-1668", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1673", "CVE-2021-1705"], "modified": "2021-01-12T21:45:23", "id": "THREATPOST:B879E243998561911585BBD37B7F33E9", "href": "https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Defender Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1647", "href": "", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:11", "description": "[](<https://thehackernews.com/images/-iuZmw75wd8g/YA-j-PbeyrI/AAAAAAAABlE/RgTbZC607W00K50gmsHyQ2wxzElQjkCMwCLcBGAsYHQ/s0/north-korean-hackers.jpg>)\n\nGoogle on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.\n\nThe internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.\n\nThe goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.\n\n\"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,\" [said](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) TAG researcher Adam Weidemann.\n\nThe attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.\n\nIn one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw ([CVE-2021-1647](<https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html>)), when in reality, the exploit turned out to be 
fake.\n\n[](<https://thehackernews.com/images/-z357EvP7xhQ/YA-h_c5mACI/AAAAAAAABk4/Rfunq4GEsRYSpfML7a1rW1uzau-Y92QCQCLcBGAsYHQ/s0/twitter.jpg>)\n\nThe North Korean hackers are also said to have used a \"novel social engineering method\" to hit security researchers by asking them if they would like to collaborate on vulnerability research together and then provide the targeted individual with a Visual Studio Project.\n\nThis Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.\n\nKaspersky researcher Costin Raiu, in a [tweet](<https://twitter.com/craiu/status/1353964086455902208>), noted the malware delivered via the project shared code-level similarities with [Manuscrypt](<https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer>) (aka FAILCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus Group.\n\nWhat's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 server.\n\n[](<https://thehackernews.com/images/-5WNEGS3rJFg/YA-ht9CNs1I/AAAAAAAABkw/Q6gouDrb7eg3yZSUK7zlsoHZh-S_1heVACLcBGAsYHQ/s0/security-reseachers.jpg>)\n\nWith the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. 
But it's suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.\n\n\"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,\" Weidemann said.\n\n### UPDATE (28 Jan, 2021): Microsoft releases more information on this campaign\n\nIn a separate analysis, Microsoft corroborated the findings, attributing the attacks to a threat actor it calls ZINC, also known as Lazarus Group or Hidden Cobra.\n\nThe Windows maker said the campaign took root in mid-2020 when the adversary \"started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog.\"\n\nMicrosoft's analysis of the malicious DLL (dubbed \"Comebacker\") has also revealed the group's attempts to evade detection via static indicators of compromise (IoCs) by frequently changing file names, file paths, and exported functions. \"We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation,\" the company [said](<https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/>).\n\nThat's not all. With some researchers infected simply by visiting the website on fully patched systems running Windows 10 and the Chrome browser, the company suspects a Chrome exploit chain leveraging zero-day or patch-gap exploits was hosted on the blog, leading to the compromise.\n\n\"A blog post titled _DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug_, was shared by the actor on October 14, 2020 from Twitter,\" the researchers said. 
\"From October 19-21, 2020, some researchers, who hadn't been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T05:10:00", "type": "thn", "title": "N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-04-01T07:14:35", "id": "THN:970890B8E519A3BC5427798160F5F09C", "href": "https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:38", "description": 
"[](<https://thehackernews.com/images/-cZjUACk7bgA/X_5-UYTlv-I/AAAAAAAABec/V3IW_ZyIh9k3keOxtl2lI0PDNAaEMTRQACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nFor the first patch Tuesday of 2021, Microsoft released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>) addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.\n\nThe latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity.\n\nThe most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) that could allow attackers to infect targeted systems with arbitrary code.\n\nMicrosoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4.\n\nThe bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how this is being exploited. 
It's also a zero-click flaw in that the vulnerable system can be exploited without any interaction from the user.\n\nMicrosoft said that despite active exploitation, the technique is not functional in all situations and that the exploit is still considered to be at a proof-of-concept level, with substantial modifications required for it to work effectively.\n\nWhat's more, the flaw may already be resolved as part of automatic updates to the Malware Protection Engine \u2014 which Microsoft typically releases once a month, or as and when required to safeguard against newly discovered threats \u2014 provided the systems are connected to the Internet.\n\n\"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked,\" said Chris Goettl, senior director of product management and security at Ivanti.\n\nTuesday's patch also rectifies a privilege escalation flaw ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) introduced by a previous patch in the GDI Print / Print Spooler API (\"splwow64.exe\") that was [disclosed by Google Project Zero](<https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html>) last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOther vulnerabilities fixed by Microsoft include a memory corruption flaw in the Microsoft Edge browser ([CVE-2021-1705](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1705>)), a Windows Remote Desktop Protocol Core Security feature bypass flaw ([CVE-2021-1674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674>), CVSS score 8.8), and five critical RCE flaws in Remote Procedure Call Runtime.\n\nTo install the latest security updates, Windows users can head to Start > Settings > 
Update & Security > Windows Update, and select Check for Windows updates.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T05:01:00", "type": "thn", "title": "Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1674", "CVE-2021-1705"], "modified": "2021-01-13T05:01:20", "id": "THN:9CF96D7230D0DBA395C1DEDA718226AD", "href": "https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-05T20:48:49", "description": "\n\n_This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist._\n\nOn Monday, Jan. 
25, 2021, Google\u2019s Threat Analysis Group (TAG) [published a blog on a widespread social engineering campaign](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.\n\nRapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the [IOCs listed in Google\u2019s analysis](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>). We will update this post with further information as it becomes available.\n\nOrganizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks\u2014e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds\u2014that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.\n\n## North Korean-attributed social engineering campaign\n\nGoogle discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. 
They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647\u2014a [high-profile Windows Defender zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>) that garnered attention from both security researchers and the media. The DPRK actors also published \u201cguest\u201d research (likely plagiarized from other researchers) on their blog to further build their reputation.\n\nThe malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. [According to Google](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>):\n\n * After establishing initial communications, **the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.** Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.\nVisual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.\n\n * In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors\u2019 blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on `blog[.]br0vvnn[.]io`, and shortly thereafter, a malicious service was installed on the researcher\u2019s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. 
**At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.** As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.\n\nThe blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets\u2014including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 26, 2021, many of these profiles have been suspended or deactivated.\n\n## Rapid7 customers\n\nGoogle\u2019s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7's MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.\n\n## Defender guidance\n\nTAG noted in their blog post that **they have so far only seen actors targeting Windows systems.** As of the evening of Jan. 25, 2021, researchers across many companies [confirmed on Twitter](<https://twitter.com/richinseattle/status/1353864756109578241>) that they had interacted with the DPRK actors and/or visited the malicious blog. 
Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.\n\nAt a minimum, responders should:\n\n * Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.\n * Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.\n * According to [Rapid7 Labs\u2019 forward DNS archive](<https://opendata.rapid7.com>), the `br0vvnn[.]io` apex domain has had two discovered fully qualified domain names (FQDNs)\u2014`api[.]br0vvnn[.]io` and `blog[.]br0vvnn[.]io`\u2014over the past four months with IP addresses `192[.]169[.]6[.]31` and `192[.]52[.]167[.]169`, respectively. Contacts to those IPs should also be investigated in historical access records.\n * Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.\n\nMoving forward, organizations and individuals should heed Google\u2019s advice that _\u201cif you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\u201d_\n\n## Updates\n\n2021-02-05 \u2022 As Rapid7 is a cybersecurity vendor with many security researchers on staff, we began an internal investigation immediately after this campaign was disclosed to determine if there was any impact to us or our researchers. We have completed our investigation and have found no evidence of compromise. 
If or when new information arises, we will perform additional investigations and provide further updates at that time.", "cvss3": {}, "published": "2021-01-26T15:01:33", "type": "rapid7blog", "title": "State-Sponsored Threat Actors Target Security Researchers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-26T15:01:33", "id": "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "href": "https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T00:48:37", "description": "\n\nWe arrive at the first Patch Tuesday of 2021 ([2021-Jan](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>)) with 83 vulnerabilities across our standard spread of products. Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 65 \nESU | 35 \nMicrosoft Office | 11 \nDeveloper Tools | 5 \nSQL Server | 1 \nApps | 1 \nSystem Center | 1 \nAzure | 1 \nBrowser | 1 \n \n### [Microsoft Defender Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) (CVE-2021-1647)\n\nCVE-2021-1647 is marked as a CVSS 7.8, actively exploited remote code execution vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), affecting engine versions from 1.1.17600.5 up to 1.1.17700.4. \n\nBy default, Microsoft's affected antimalware software automatically keeps the Microsoft Malware Protection Engine up to date. 
This means that no further action is needed to resolve this vulnerability unless non-standard configurations are in use. \n\nThis vulnerability affects Windows Defender and the supported Endpoint Protection components of the System Center family of products (2012, 2012 R2, and the namesake version, Microsoft System Center Endpoint Protection).\n\n### Patching Windows Operating Systems Next\n\nFurther confirmation of the standard advice to prioritize Operating System patches whenever possible is that 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month's Patch Tuesday are covered by those patches. As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month: it accounts for 9 of the 13 top CVSS-scoring vulnerabilities and for half of the 10 Critical Remote Code Execution vulnerabilities being addressed.\n\n### More Work to be Done\n\nLastly, two minor notes: this Patch Tuesday includes SQL Server, an atypical family for Patch Tuesdays, and, arguably more notable, it is a reminder that [Adobe Flash has officially reached end-of-life](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support>) and should already have been actively removed from all browsers via Windows Update.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1677>) | Azure Active Directory Pod Identity Spoofing Vulnerability | No | No | 5.5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705>) | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | No | No | 4.2 | No \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2020-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2021-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725>) | Bot Framework SDK Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723>) | ASP.NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Developer Tools Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1651>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1680>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1715>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1716>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718>) | Microsoft SharePoint Server Tampering Vulnerability | No | No | 8 | No \n[CVE-2021-1707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-1712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1711>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1713>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1714>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server 
Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636>) | Microsoft SQL Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647>) | Microsoft Defender Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1686>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1687>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1690>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1646>) | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 6.6 | No \n[CVE-2021-1650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1650>) | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1663>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | 
No | 5.5 | Yes \n[CVE-2021-1670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1670>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1672>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1689>) | Windows Multipoint Management Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1697>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1662>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1703>) | Windows Event Logging Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1645>) | Windows Docker Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-1637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1637>) | Windows DNS Query Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 7.7 | No 
\n[CVE-2021-1683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1642>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1685>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648>) | Microsoft splwow64 Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-1710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1710>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1691>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1692>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1643>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1644>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Apps Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669>) | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 8.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1694](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1694>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1702>) | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1674>) | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | No | No | 8.8 | No \n[CVE-2021-1695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1695>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1676>) | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1706>) | Windows LUAFV Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1661>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1704>) | Windows Hyper-V Elevation of Privilege Vulnerability | 
No | No | 7.3 | No \n[CVE-2021-1696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1696>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1708>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1657>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1679>) | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-1652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1653>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1654>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1655>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1659>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1688>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1693](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693>) | Windows CSC Service Elevation of Privilege Vulnerability 
| No | No | 7.8 | No \n[CVE-2021-1699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1699>) | Windows (modem.sys) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1656>) | TPM Device Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1664>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1671>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1700>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1701>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1678>) | NTLM Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-1668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1668>) | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665>) | GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1649>) | Active Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Summary Graphs\n\n_Note: Graph data is reflective of data presented by Microsoft's CVRF at the time of writing._", "cvss3": {}, "published": "2021-01-12T23:59:00", "type": "rapid7blog", "title": "Patch Tuesday - January 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-26870", "CVE-2021-1636", "CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1641", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1677", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", 
"CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1707", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710", "CVE-2021-1711", "CVE-2021-1712", "CVE-2021-1713", "CVE-2021-1714", "CVE-2021-1715", "CVE-2021-1716", "CVE-2021-1717", "CVE-2021-1718", "CVE-2021-1719", "CVE-2021-1723", "CVE-2021-1725"], "modified": "2021-01-12T23:59:00", "id": "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "href": "https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T10:58:56", "description": "### *Detect date*:\n01/12/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft System Center. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft System Center 2012 R2 Endpoint Protection \nMicrosoft Security Essentials \nMicrosoft System Center 2012 Endpoint Protection \nWindows Defender \nMicrosoft System Center Endpoint Protection\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-1647](<https://nvd.nist.gov/vuln/detail/CVE-2021-1647>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-1647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1647>) 7.2 High", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "kaspersky", "title": "KLA12044 ACE vulnerability in Microsoft System Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-15T00:00:00", "id": "KLA12044", "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA12044/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:00", "description": "A remote code execution vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Defender Remote Code Execution (CVE-2021-1647)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-21T00:00:00", "id": "CPAI-2021-0001", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:37", "description": "Microsoft has released a security advisory to address a remote code execution vulnerability,[ CVE-2021-1647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>), in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. 
This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. \n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-14T00:00:00", "type": "cisa", "title": "RCE Vulnerability Affecting Microsoft Defender ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-14T00:00:00", "id": "CISA:F7C7CFE30EB8A6B7C1DCDEA50F649F74", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/rce-vulnerability-affecting-microsoft-defender", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": 
"2022-10-31T10:24:35", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T08:00:00", "type": "mscve", "title": "Microsoft Defender Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1647", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-09-27T15:26:34", "description": "CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft\u2019s Defender anti-virus product. It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. 
More information: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at January 13, 2021 3:55pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows Defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n\n**gwillcox-r7** at February 04, 2021 7:15pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. 
After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 1\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-16T00:00:00", "id": "AKB:06000FAE-591B-46C7-8573-3D63BDDD0D13", "href": "https://attackerkb.com/topics/DzXZpEuBeP/cve-2021-1647-microsoft-windows-defender-zero-day-vulnerability", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-07-13T16:00:06", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T20:15:00", "type": "cve", "title": "CVE-2021-1647", "cwe": ["CWE-131"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:security_essentials:-", "cpe:/a:microsoft:system_center_endpoint_protection:-", "cpe:/a:microsoft:windows_defender:-", "cpe:/a:microsoft:system_center_endpoint_protection:2012"], "id": "CVE-2021-1647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1647", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:security_essentials:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_endpoint_protection:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_defender:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_endpoint_protection:2012:r2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_endpoint_protection:2012:-:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": 
"2021-01-15T00:26:33", "description": "This month\u2019s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.\n\n### Workstation Patches\n\nOffice and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Defender RCE Zero Day\n\nMicrosoft patches Defender Remote Code Execution vulnerability ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in today's patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.\n\n### splwow64 Elevation of Privilege\n\nWhile Microsoft labeled this issue ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. 
Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.\n\n### Windows Kernel Local Elevation of Privilege\n\nMicrosoft updated [CVE-2020-17087](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087>) for Windows Server 2012 in today's Patch Tuesday, and users are recommended to apply today's patches for Windows Server 2012.\n\nWe appreciate Microsoft's acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb21-01.html>), [Illustrator](<https://helpx.adobe.com/security/products/photoshop/apsb21-02.html>), [Animate](<https://helpx.adobe.com/security/products/photoshop/apsb21-03.html>), [Campaign](<https://helpx.adobe.com/security/products/photoshop/apsb21-04.html>), [InCopy,](<https://helpx.adobe.com/security/products/photoshop/apsb21-05.html>) [Captivate](<https://helpx.adobe.com/security/products/photoshop/apsb21-06.html>) and [Bridge](<https://helpx.adobe.com/security/products/photoshop/apsb21-07.html>). 
The patches for Adobe Campaign are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-01-12T20:01:43", "type": "qualysblog", "title": "January 2021 Patch Tuesday \u2013 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-17087", "CVE-2021-1647", "CVE-2021-1648"], "modified": "2021-01-12T20:01:43", "id": "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. 
These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732\u2032,'CVE-2020-1350\u2032,'CVE-2020-1472\u2032,'CVE-2021-26855\u2032,'CVE-2021-26858\u2032,'CVE-2021-27065\u2032,'CVE-2020-0601\u2032,'CVE-2021-26857\u2032,'CVE-2021-22893\u2032,'CVE-2020-8243\u2032,'CVE-2021-22900\u2032,'CVE-2021-22894\u2032,'CVE-2020-8260\u2032,'CVE-2021-22899\u2032,'CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
Vulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.

### Federal Enterprises and Agencies Can Act Now

For federal agencies and enterprises, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.

Here are a few steps Federal entities can take immediately:

* Run vulnerability assessments against all of your assets by leveraging our various sensors, such as the Qualys agent, scanners, and more
* Prioritize remediation by due dates
* Identify all vulnerable assets automatically mapped into the threat feed
* Use Qualys Patch Management to apply patches and other configuration changes
* Track remediation progress through our Unified Dashboards

### Summary

Understanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats – all in a single unified solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.

#### Getting Started

Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).

_Source: Qualys Blog, "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", published 2022-02-23, <https://blog.qualys.com/category/product-tech>_

**Microsoft** today released updates to plug more than 80 security holes in its **Windows** operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month's batch is probably a critical bug ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in Microsoft's default anti-malware suite -- **Windows Defender** -- that is seeing active exploitation.
Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.

But **Kevin Breen**, director of research at **Immersive Labs**, says depending on the vector the flaw could be trivial to exploit.

"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."

Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.

Breen called attention to another critical vulnerability this month -- [CVE-2020-1660](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660>) -- which is a remote code execution flaw in nearly every version of Windows that earned a [CVSS score](<https://www.first.org/cvss/>) of 8.8 (10 is the most dangerous).

"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it's 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called **Remote Procedure Call** (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.

**Allan Liska**, senior security architect at **Recorded Future**, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- [CVE-2019-1409](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1409>) and [CVE-2018-8514](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514>) -- were not widely exploited.

The remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. Case in point: [CVE-2021-1709](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1709>), which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, [CVE-2019-1458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458>) was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."

**Trend Micro's ZDI Initiative** pointed out another flaw marked "important" -- [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>), an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.

"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's **Dustin Childs** said. "The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well."

Separately, Adobe released security updates to tackle at least eight vulnerabilities [across a range of products](<https://blogs.adobe.com/psirt/?p=1960>), including **Adobe Photoshop** and **Illustrator**. There are no **Flash Player** updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).

Please back up your system before applying any of these updates. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), [Acronis](<https://www.acronis.com/en-us/products/true-image/>) and [Macrium](<https://www.macrium.com/>) are two that I've used previously and are worth a look.

That said, there don't appear to be any major issues cropping up yet with this month's update batch.
But before you apply updates consider paying a visit to [AskWoody.com](<https://www.askwoody.com/category/microsoft-windows-patches-security/>), which usually has the skinny on any reports about problematic patches.

As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there's a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

_Source: KrebsOnSecurity, "Microsoft Patch Tuesday, January 2021 Edition", published 2021-01-13, <https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/>_

_Source: Securelist (Kaspersky)_

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q1 2021:

* Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
* 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
* Ransomware attacks were defeated on the computers of 91,841 unique users.
* Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.

## Financial threats

### Financial threat statistics

At the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked malware of this type on the computers of 118,099 unique users.

_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_

**Attack geography**

_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._

_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 6.3 |
| 2 | Tajikistan | 5.3 |
| 3 | Afghanistan | 4.8 |
| 4 | Uzbekistan | 4.6 |
| 5 | Paraguay | 3.2 |
| 6 | Yemen | 2.1 |
| 7 | Costa Rica | 2.0 |
| 8 | Sudan | 2.0 |
| 9 | Syria | 1.5 |
| 10 | Venezuela | 1.4 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._

_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

As before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.

**Top 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 30.8 |
| 2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 |
| 3 | Trickster | Trojan.Win32.Trickster | 7.5 |
| 4 | Emotet | Backdoor.Win32.Emotet | 7.4 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 6.6 |
| 6 | Nimnul | Virus.Win32.Nimnul | 5.1 |
| 7 | Nymaim | Trojan.Win32.Nymaim | 4.7 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 2.2 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trends and highlights

**New additions to the ransomware arsenal**

Last year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.

REvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.

**Attacks on vulnerable Exchange servers**

[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector has been seen in use by the Black Kingdom and DearCry families.

**Publication of keys**

The developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.

**Law enforcement successes**

Law enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.

French and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.

In South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).

### Number of new modifications

In Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.

_Number of new ransomware modifications, Q1 2020 – Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_

### Number of users attacked by ransomware Trojans

In Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by ransomware Trojans**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 2.31% |
| 2 | Ethiopia | 0.62% |
| 3 | Greece | 0.49% |
| 4 | Pakistan | 0.49% |
| 5 | China | 0.48% |
| 6 | Tunisia | 0.44% |
| 7 | Afghanistan | 0.42% |
| 8 | Indonesia | 0.38% |
| 9 | Taiwan, Province of China | 0.37% |
| 10 | Egypt | 0.28% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._

_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% |
| 6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom, Virus.Win32.PolyRansom | 3.78% |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% |
| 8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% |
| 10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% |

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._

## Miners

### Number of new modifications

In Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications — more than fourfold compared to February.

_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_

### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell. For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.

_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by miners**

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 4.65 |
| 2 | Ethiopia | 3.00 |
| 3 | Rwanda | 2.37 |
| 4 | Uzbekistan | 2.23 |
| 5 | Kazakhstan | 1.81 |
| 6 | Sri Lanka | 1.78 |
| 7 | Ukraine | 1.59 |
| 8 | Vietnam | 1.48 |
| 9 | Mozambique | 1.46 |
| 10 | Tanzania | 1.45 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._

_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

In Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) — use-after-free vulnerabilities in Microsoft Excel — and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities — even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.

The first quarter was rich not only in known exploits, but also in new zero-day vulnerabilities.
In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>)\u2014 a service-side request forgery vulnerability that allows remote code execution (RCE)\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>)\u2014 an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>)\u2014 a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>)\u2014 as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system\n\nFound [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.\n\nDuring the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. 
Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_\n\nThe second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there was no doing without newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:\n\n * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>)\u2014 heap buffer overflow in the V8 script engine, leading to remote code execution\n * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)\u2014 overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution\n * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>)\u2014 bypassing security restrictions when using an iframe.\n\nOther interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. 
Critical vulnerabilities in the popular SolarWinds Orion Platform ([CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>)) caused a major splash in the infosec community. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, is a heap buffer overflow triggered by means of a specially crafted document, giving an attacker the ability to execute code.

Analysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-forcing passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).

## Attacks on macOS

Q1 2021 was also rich in macOS-related news. Center stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also appeared immediately, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).

**Top 20 threats for macOS**

| | **Verdict** | **%**\* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.ac | 18.01 |
| 2 | AdWare.OSX.Pirrit.j | 12.69 |
| 3 | AdWare.OSX.Pirrit.o | 8.42 |
| 4 | AdWare.OSX.Bnodlero.at | 8.36 |
| 5 | Monitor.OSX.HistGrabber.b | 8.06 |
| 6 | AdWare.OSX.Pirrit.gen | 7.95 |
| 7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 |
| 8 | AdWare.OSX.Cimpli.m | 6.17 |
| 9 | AdWare.OSX.Pirrit.aa | 6.05 |
| 10 | Backdoor.OSX.Agent.z | 5.27 |
| 11 | Trojan-Downloader.OSX.Agent.h | 5.09 |
| 12 | AdWare.OSX.Bnodlero.bg | 4.60 |
| 13 | AdWare.OSX.Ketin.h | 4.02 |
| 14 | AdWare.OSX.Bnodlero.bc | 3.87 |
| 15 | AdWare.OSX.Bnodlero.t | 3.84 |
| 16 | AdWare.OSX.Cimpli.l | 3.75 |
| 17 | Trojan-Downloader.OSX.Lador.a | 3.61 |
| 18 | AdWare.OSX.Cimpli.k | 3.48 |
| 19 | AdWare.OSX.Ketin.m | 2.98 |
| 20 | AdWare.OSX.Bnodlero.ay | 2.94 |

_\* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

Traditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. Among the malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.

### Threat geography

_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| | **Country**\* | **%**\*\* |
|---|---|---|
| 1 | France | 4.62 |
| 2 | Spain | 4.43 |
| 3 | Italy | 4.36 |
| 4 | India | 4.11 |
| 5 | Canada | 3.59 |
| 6 | Mexico | 3.55 |
| 7 | Russia | 3.21 |
| 8 | Brazil | 3.18 |
| 9 | Great Britain | 2.96 |
| 10 | USA | 2.94 |

_\* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._
_\*\* Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

In Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol.
Just under a third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.

| Service | Share |
|---|---|
| Telnet | 69.48% |
| SSH | 30.52% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_

The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.

| Service | Share |
|---|---|
| Telnet | 77.81% |
| SSH | 22.19% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**

| | **Country** | **%**\* |
|---|---|---|
| 1 | China | 33.40 |
| 2 | India | 13.65 |
| 3 | USA | 11.56 |
| 4 | Russia | 4.96 |
| 5 | Montenegro | 4.20 |
| 6 | Brazil | 4.19 |
| 7 | Taiwan, Province of China | 2.32 |
| 8 | Iran | 1.85 |
| 9 | Egypt | 1.84 |
| 10 | Vietnam | 1.73 |

_\* Devices located in the given country as a percentage of the total number of devices from which attacks on the Telnet traps were carried out._

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**

| | **Country** | **%**\* |
|---|---|---|
| 1 | USA | 24.09 |
| 2 | China | 19.89 |
| 3 | Hong Kong | 6.38 |
| 4 | South Korea | 4.37 |
| 5 | Germany | 4.06 |
| 6 | Brazil | 3.74 |
| 7 | Russia | 3.05 |
| 8 | Taiwan, Province of China | 2.80 |
| 9 | France | 2.59 |
| 10 | India | 2.36 |

_\* Devices located in the given country as a percentage of the total number of devices from which attacks on the SSH traps were carried out._

### Threats loaded into traps

| | Verdict | %\* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 50.50% |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% |
| 3 | Backdoor.Linux.Gafgyt.a | 3.01% |
| 4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% |
| 5 | Backdoor.Linux.Mirai.a | 2.72% |
| 6 | Backdoor.Linux.Mirai.ba | 2.67% |
| 7 | Backdoor.Linux.Agent.bc | 2.37% |
| 8 | Trojan-Downloader.Shell.Agent.p | 1.37% |
| 9 | Backdoor.Linux.Gafgyt.bj | 0.78% |
| 10 | Trojan-Downloader.Linux.Mirai.d | 0.66% |

_\* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe.
613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.

_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country\* | % of attacked users\*\* |
|---|---|---|
| 1 | Belarus | 15.81 |
| 2 | Ukraine | 13.60 |
| 3 | Moldova | 13.16 |
| 4 | Kyrgyzstan | 11.78 |
| 5 | Latvia | 11.38 |
| 6 | Algeria | 11.16 |
| 7 | Russia | 11.11 |
| 8 | Mauritania | 11.08 |
| 9 | Kazakhstan | 10.62 |
| 10 | Tajikistan | 10.60 |
| 11 | Uzbekistan | 10.39 |
| 12 | Estonia | 10.20 |
| 13 | Armenia | 9.44 |
| 14 | Mongolia | 9.36 |
| 15 | France | 9.35 |
| 16 | Greece | 9.04 |
| 17 | Azerbaijan | 8.57 |
| 18 | Madagascar | 8.56 |
| 19 | Morocco | 8.55 |
| 20 | Lithuania | 8.53 |

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_\*\* Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period.
These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country\* | % of attacked users\*\* |
|---|---|---|
| 1 | Afghanistan | 47.71 |
| 2 | Turkmenistan | 43.39 |
| 3 | Ethiopia | 41.03 |
| 4 | Tajikistan | 38.96 |
| 5 | Bangladesh | 36.21 |
| 6 | Algeria | 35.49 |
| 7 | Myanmar | 35.16 |
| 8 | Uzbekistan | 34.95 |
| 9 | South Sudan | 34.17 |
| 10 | Benin | 34.08 |
| 11 | China | 33.34 |
| 12 | Iraq | 33.14 |
| 13 | Laos | 32.84 |
| 14 | Burkina Faso | 32.61 |
| 15 | Mali | 32.42 |
| 16 | Guinea | 32.40 |
| 17 | Yemen | 32.32 |
| 18 | Mauritania | 32.22 |
| 19 | Burundi | 31.68 |
| 20 | Sudan | 31.61 |

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_\*\* Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_

Overall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.

_Source: Securelist, "IT threat evolution Q1 2021. Non-mobile statistics", published 2021-05-31, <https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/>_

# Vulristics: Microsoft Patch Tuesdays Q1 2021

Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.

I will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I'll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.

## January 2021

 * All vulnerabilities: 83
 * Urgent: 0
 * Critical: 1
 * High: 28
 * Medium: 51
 * Low: 3

So, what was interesting in January? The only Critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). "Microsoft stated that this vulnerability was exploited before the patches were made available.
This patch should be prioritized."

The most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). "According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day."

Also, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.

There were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.

## February 2021

 * All vulnerabilities: 57
 * Urgent: 1
 * Critical: 2
 * High: 21
 * Medium: 31
 * Low: 2

The one Urgent level vulnerability is an Elevation of Privilege in the Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. "Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data". A public exploit in the form of a Metasploit module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).

But the situation with the other Critical vulnerabilities is interesting. None of the VM (vulnerability management) vendors mentioned them in their Patch Tuesday reviews.

 * One is the Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which a public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited by HAFNIUM. We'll get to those vulnerabilities later.
 * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and a Microsoft Exchange Server vulnerability (CVE-2021-1730), were exploited in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.

If vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports?

 * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. "Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in the wild, these vulnerabilities should be prioritized given their impact."
 * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). "RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered 'more likely' to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network."

But for these vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that they do not need to be fixed. When we see exploitation of these vulnerabilities in the wild, it will be a disaster.

## March 2021

 * All vulnerabilities: 82
 * Urgent: 0
 * Critical: 0
 * High: 36
 * Medium: 43
 * Low: 3

And again, we see at the top not exactly the same vulnerabilities that VM vendors pointed out in their reviews.

 * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891), simply because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)).
 * Internet Explorer Memory Corruption (CVE-2021-26411). "A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website". Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).

But we also see several Windows DNS Server Remote Code Executions. "All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered 'wormable,' yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020." In general, updating DNS Server is never a bad thing.

And where is the most important thing?
Naturally, these are the Exchange vulnerabilities, and they were published between Patch Tuesdays. I made a special script to get such CVEs.

## Other Q1 2021

 * All vulnerabilities: 85
 * Urgent: 0
 * Critical: 7
 * High: 5
 * Medium: 27
 * Low: 46

The 7 Critical vulnerabilities are the Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don't see public exploits.

"[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through only an opened 443 port!"

Everything is extremely serious with these vulnerabilities, and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.

"Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)".

"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we've seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what's called a web shell to control the compromised server remotely. Third, it would use that remote access, run from U.S.-based private servers, to steal data from an organization's network."

In short, these Exchange vulnerabilities are the top priority.

The rest are Chrome vulnerabilities, simply because Microsoft's browser is now based on Chromium.

You can download full versions of the reports here:

 * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)
 * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)
 * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)
 * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)

_Source: avleonov.com, "Vulristics: Microsoft Patch Tuesdays Q1 2021", published 2021-03-26, <http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/>_